From owner-freebsd-security Sun Jul 2 5:11: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from outblaze12.outblaze.com (209.249.164.196.outblaze.com [209.249.164.196]) by hub.freebsd.org (Postfix) with SMTP id 8DCA737BBB1 for ; Sun, 2 Jul 2000 05:10:58 -0700 (PDT) (envelope-from openzero@bsdmail.com)
Received: (qmail 61752 invoked by uid 1001); 2 Jul 2000 12:10:57 -0000
Message-ID: <20000702121057.61751.qmail@bsdmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 4.104 (Entity 4.117)
From: openzero@bsdmail.com
To: security@freebsd.org
Date: Sun, 02 Jul 2000 13:10:57 +0100
Subject: Firewall and FTPD
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

HI!

Well, after configuring FreeBSD-2.2.8-RELEASE + KAME-20000425-STABLE, I set up my firewall!

There is only one port for people from the outside world! Port 21 for my ProFTPD1.2.0(pre10) server.
Am, after setting up my firewall, I tested the configuration, but nobody can access my server!
Where's the problem!
(I'm using a dynamic dial-up 56-kbit connection... ipdivert -> active, natd -> active!)

--- CUT HERE ---
fwcmd="/sbin/ipfw"

$fwcmd -f flush

$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via rl0

$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established

#$fwcmd add 65435 allow tcp from any to any 80 setup
#$fwcmd add 65435 allow tcp from any to any 25 setup
$fwcmd add 65435 allow tcp from any to any 21 setup

$fwcmd add reset log tcp from any to any 113 in recv tun0

$fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
$fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

$fwcmd add 65435 allow log icmp from any to any

$fwcmd add 65435 deny log ip from any to any
--- CUT HERE ---

That's my configuration! It's stored as: /etc/firewall.OpenZERO !!!

thanx....
Daniel Ridder (Germany)

--
Get your free email from http://www.bsdmail.com
Powered by OutBlaze

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From: Salvo Bartolotta
Date: Sun, 02 Jul 2000 17:38:42 GMT
Message-ID: <20000702.17384200@bartequi.ottodomain.org>
Subject: Re: Firewall and FTPD
To: openzero@bsdmail.com
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20000702121057.61751.qmail@bsdmail.com>
References: <20000702121057.61751.qmail@bsdmail.com>

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/2/00, 1:10:57 PM, openzero@bsdmail.com wrote regarding Firewall and FTPD:

> HI!
> Well, After configuring FreeBSD-2.2.8-RELEASE
> + KAME-20000425-STABLE, i set up my firewall!

If you *really* need FreeBSD 2.2.8, I would suggest upgrading to -STABLE ASAP. AFAIR, it is one of the most stable branches ever written.

> There is only one port for people from the outside world!
> Port 21 for my ProFTPD1.2.0(pre10) server.
> Am, after setting up my firewall, I tested the
> configuration, but noboy can access my
> server!
> Where's the problem!
> (Im using a dynamic dial-up 56-kbit connection...
> ipdivert - >active, natd->active!);
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
> $fwcmd -f flush
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via rl0
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established

Here you seem to allow yourself to surf the 'Net.

Hmm, these rules might allow spoofed tcp packets (with *forged* tcpflags) to pass, might they not?

I am not sure what you can do under 2.2.8 to improve your firewall; I would look for something with stateful rules at a bare minimum.
> #$fwcmd add 65435 allow tcp from any to any 80 setup
> #$fwcmd add 65435 allow tcp from any to any 25 setup
> $fwcmd add 65435 allow tcp from any to any 21 setup

Here you (also) allow, as it were, the incoming "requests" for connections; you seem to wish to also provide services *other* than ftp. Are you sure this is exactly what you want to permit?

> $fwcmd add reset log tcp from any to any 113 in recv tun0
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

These might allow spoofed DNS replies, might they not?

> $fwcmd add 65435 allow log icmp from any to any

Hmm, I may be still sleepy (yaaaaaawn, quite possible), but I can't see any rule allowing established connections to tcp port 21.

You are using a "closed" packet filter, ie the axiom "that which is not (explicitly/expressly) allowed is forbidden" holds.

> $fwcmd add 65435 deny log ip from any to any
> -- CUT HERE ---
> That's my configuration!
> It's stored as: /etc/firewall.OpenZERO !!!
> thanx....
> Daniel Ridder
> /Germany)

HTH just a bit,
Salvo (still ... yawning and desperately trying to wake up :-)

Date: Sun, 2 Jul 2000 18:54:25 +0000 (GMT)
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: freebsd-security@FreeBSD.ORG
Subject: SSLtelnet
In-Reply-To: <20000702.17384200@bartequi.ottodomain.org>

Hello Everybody,

I am trying to install SSLtelnet but I get compilation problems. I work under FreeBSD 3.3 and I am trying to install SSLtelnet 0.8. Is there anyone who can tell me about the steps that I should take in order to reach my goal.

NB: The compilation problem is: when I make SSLtelnet 0.8 I have this error:

getpass.c: In function 'getpass':
getpass.c 30 : 'TCGETS' undeclared (first use this function)
etc ....

Date: Sun, 2 Jul 2000 12:26:01 -0700
From: "Crist J. Clark"
To: openzero@bsdmail.com
Cc: security@FreeBSD.ORG
Subject: Re: Firewall and FTPD
Message-ID: <20000702122601.A3842@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <20000702121057.61751.qmail@bsdmail.com>
In-Reply-To: <20000702121057.61751.qmail@bsdmail.com>; from openzero@bsdmail.com on Sun, Jul 02, 2000 at 01:10:57PM +0100

On Sun, Jul 02, 2000 at 01:10:57PM +0100, openzero@bsdmail.com wrote:
> Well, After configuring FreeBSD-2.2.8-RELEASE
> + KAME-20000425-STABLE, i set up my firewall!
>
> There is only one port for people from the outside world!
> Port 21 for my ProFTPD1.2.0(pre10) server.
> Am, after setting up my firewall, I tested the
> configuration, but noboy can access my
> server!
> Where's the problem!

I see one for sure, one maybe.

> (Im using a dynamic dial-up 56-kbit connection...
> ipdivert - >active, natd->active!);
>
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
>
> $fwcmd -f flush
>
> $fwcmd add divert natd all from any to any via tun0
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add allow ip from any to any via rl0
>
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
>
> #$fwcmd add 65435 allow tcp from any to any 80 setup
> #$fwcmd add 65435 allow tcp from any to any 25 setup
> $fwcmd add 65435 allow tcp from any to any 21 setup
>
> $fwcmd add reset log tcp from any to any 113 in recv tun0
>
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0
>
> $fwcmd add 65435 allow log icmp from any to any
>
> $fwcmd add 65435 deny log ip from any to any
> -- CUT HERE ---

First, the for sure problem. You never open up 20. The person connecting better not use passive ftp.
Second, what does your numbering end up looking like? You have some strange fondness for rule 65435 and I wonder if the rules do not end up in the order you want them to be in. What does,

# ipfw show

say after the above has been loaded?

--
Crist J. Clark
cjclark@alum.mit.edu

Message-ID: <20000702212235.64359.qmail@bsdmail.com>
From: openzero@bsdmail.com
To: security@freebsd.org
Date: Sun, 02 Jul 2000 22:22:35 +0100
Subject: Re: Firewall and FTPD

Well! Thanks for the massive response, but the problem still exists!

Hm, I've downloaded the 3.4-install.iso, so I will upgrade to FreeBSD-3.4-RELEASE, download the SecureBSDV1.0 and patch with kame-20000425-stable..... (need IPv6!)

Hm! I changed my firewall, but nothing happens! Here are the outputs...

/etc/firewall.OpenZERO
--- CUT HERE ---
fwcmd="/sbin/ipfw"

$fwcmd -f flush

$fwcmd add divert natd all from any to any via tun0
$fwcmd add allow ip from any to any via lo0
$fwcmd add allow ip from any to any via rl0

$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established

#$fwcmd add 65435 allow tcp from any to any 80 setup
#$fwcmd add 65435 allow tcp from any to any 25 setup
$fwcmd add 1000 allow log tcp from any to any 21 setup
$fwcmd add 1100 allow log tcp from any to any 20 setup

$fwcmd add reset log tcp from any to any 113 in recv tun0

$fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
$fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

$fwcmd add 65000 allow log icmp from any to any

$fwcmd add 65100 deny log ip from any to any
--- CUT HERE ---

And here is the output via:

# ipfw show
--- CUT HERE ---
00100 943 357224 divert 8668 ip from any to any via tun0
00200 0 0 allow ip from any to any via lo0
00300 0 0 allow ip from any to any via rl0
00400 45 3060 allow tcp from any to any out xmit tun0 setup
00500 869 350770 allow tcp from any to any via tun0 established
01000 1 68 allow log tcp from any to any 21 setup
01100 0 0 allow log tcp from any to any 20 setup
01200 1 68 reset log tcp from any to any 113 in recv tun0
01300 10 642 allow udp from any to 194.25.2.129 53 out xmit tun0
01400 10 2172 allow udp from 194.25.2.129 53 to any in recv tun0
65000 1 56 allow log icmp from any to any
65100 6 388 deny log ip from any to any
65535 18811 13686295 allow ip from any to any
--- CUT HERE ---

Please help me with the problem! If you see something else (maybe security related), please contact me........

--
Get your free email from http://www.bsdmail.com
Powered by OutBlaze

Message-ID: <39603335.11094B6D@inet.it>
Date: Mon, 03 Jul 2000 08:31:17 +0200
From: Manfredi Blasucci
To: openzero@bsdmail.com
Cc: security@freebsd.org
Subject: Re: Firewall and FTPD
References: <20000702212235.64359.qmail@bsdmail.com>

Hi,

in your firewall rules you wrote:

> $fwcmd add 1100 allow log tcp from any to any 20 setup

instead try with:

$fwcmd add 1100 allow log tcp from any to any 20

in this way the users can access your ftp server.

Bye
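As an added example (mine, not code from any of the posters), a small Python model of ipfw first-match evaluation loaded with the chain from the `ipfw show` output posted above. It parses only the rule syntax that output uses, treats the divert rule as non-terminal (natd hands the packet back and evaluation resumes at the next rule), and checks the four TCP packets an FTP session needs; the client and server addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str         # interface the packet crosses
    direction: str     # "in" (recv) or "out" (xmit)
    flags: str = ""    # TCP flags as letters: "S" SYN, "A" ACK, "R" RST

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # allow, deny, reset or divert
    proto: str                       # "ip" matches every protocol
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None
    direction: Optional[str] = None  # None means "via": either direction
    setup: bool = False              # ipfw "setup": SYN set, ACK clear
    established: bool = False        # ipfw "established": ACK or RST set

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto in ("ip", p.proto),
            self.src in ("any", p.src), self.dst in ("any", p.dst),
            self.sport in (None, p.sport), self.dport in (None, p.dport),
            self.iface in (None, p.iface),
            self.direction in (None, p.direction),
            not self.setup or ("S" in p.flags and "A" not in p.flags),
            not self.established or "A" in p.flags or "R" in p.flags,
        ))

def parse_show_line(line: str) -> Rule:
    """Parse one `ipfw show` line of the form  NUM PKTS BYTES ACTION [log] [DIVERTPORT]
    PROTO from SRC [PORT] to DST [PORT] [via IF|in recv IF|out xmit IF] [setup] [established]."""
    tok = line.split()
    number, action, tok = int(tok[0]), tok[3], tok[4:]   # skip the two counters
    if tok[0] == "log": tok.pop(0)        # logging does not affect matching
    if action == "divert": tok.pop(0)     # natd's divert port
    proto, _from, src = tok.pop(0), tok.pop(0), tok.pop(0)
    sport = int(tok.pop(0)) if tok[0].isdigit() else None
    _to, dst = tok.pop(0), tok.pop(0)
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    setup, established = "setup" in tok, "established" in tok
    tok = [t for t in tok if t not in ("setup", "established")]
    iface = direction = None
    while tok:
        t = tok.pop(0)
        if t == "via":
            iface = tok.pop(0)
        elif t in ("in", "out"):
            direction, _, iface = t, tok.pop(0), tok.pop(0)   # skip recv/xmit
        else:
            raise ValueError(f"unsupported token {t!r} in rule {number}")
    return Rule(number, action, proto, src, sport, dst, dport,
                iface, direction, setup, established)

def first_match(rules, p: Packet):
    """First terminal match as (number, action); divert is not terminal
    because natd re-injects the packet and evaluation resumes after it."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.action != "divert" and r.matches(p):
            return r.number, r.action
    raise RuntimeError("nothing matched; a real chain ends in rule 65535")

# The chain exactly as `ipfw show` printed it in the thread (counters kept).
IPFW_SHOW = """\
00100 943 357224 divert 8668 ip from any to any via tun0
00200 0 0 allow ip from any to any via lo0
00300 0 0 allow ip from any to any via rl0
00400 45 3060 allow tcp from any to any out xmit tun0 setup
00500 869 350770 allow tcp from any to any via tun0 established
01000 1 68 allow log tcp from any to any 21 setup
01100 0 0 allow log tcp from any to any 20 setup
01200 1 68 reset log tcp from any to any 113 in recv tun0
01300 10 642 allow udp from any to 194.25.2.129 53 out xmit tun0
01400 10 2172 allow udp from 194.25.2.129 53 to any in recv tun0
65000 1 56 allow log icmp from any to any
65100 6 388 deny log ip from any to any
65535 18811 13686295 allow ip from any to any
"""
RULES = [parse_show_line(l) for l in IPFW_SHOW.splitlines()]
SERVER, CLIENT = "192.0.2.1", "198.51.100.7"   # constructed placeholder addresses

def ftp_checks() -> dict:
    """Where each TCP packet of an FTP session lands in the chain above."""
    tcp = lambda s, sp, d, dp, way, fl: Packet("tcp", s, sp, d, dp, "tun0", way, fl)
    return {
        "control_syn":    first_match(RULES, tcp(CLIENT, 40000, SERVER, 21, "in", "S")),
        "control_synack": first_match(RULES, tcp(SERVER, 21, CLIENT, 40000, "out", "SA")),
        "active_data":    first_match(RULES, tcp(SERVER, 20, CLIENT, 40001, "out", "S")),
        "passive_data":   first_match(RULES, tcp(CLIENT, 40002, SERVER, 49152, "in", "S")),
    }
```

The result is consistent with the posted counters: the client's SYN to port 21 is accepted by rule 1000, the server's active-mode data connection from port 20 leaves via rule 400 before rule 1100 is ever consulted, and a passive-mode client's inbound SYN to a high data port is the kind of packet that reaches the deny rule 65100.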

From: Alex Popa
To: freebsd-security@freebsd.org
Subject: securing the boot process (again?!?)
Message-ID: <20000703115320.A341@ldc.ro>
Reply-To: razor-bsd-security@ldc.ro

I have been trying to secure (a bit) the boot process of a 4.0-STABLE machine that is located in a public place.

I need to use the floppy disk, but if I disable it from the BIOS I get no access to it under FreeBSD. So I set the boot sequence to "C only", but if I press space while the initial hyphen is displayed I get a prompt with no password being requested. (Note I have set a password in /boot/loader.conf, and set the console to "insecure" in /etc/ttys.)

The problem is I can boot any kernel or loader, including a kernel off the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From there to a setuid(12345) that yields uid=0 (patched kernel, remember?) is just a small step. Any ideas for further improvement of the boot process security?

Note: I have used the "Dangerously dedicated" option when installing.

Thanks a lot,
Alex.

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|                          -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

From: Sheldon Hearn
To: razor-bsd-security@ldc.ro
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securing the boot process (again?!?)
In-reply-to: Your message of "Mon, 03 Jul 2000 11:53:21 +0300." <20000703115320.A341@ldc.ro>
Date: Mon, 03 Jul 2000 11:04:59 +0200
Message-ID: <4777.962615099@axl.ops.uunet.co.za>

On Mon, 03 Jul 2000 11:53:21 +0300, Alex Popa wrote:

> I need to use the floppy disk, but if I disable it from the BIOS I get
> no access to it under FreeBSD. So I set the boot sequence to "C only"
> but if I press space while the initial hyphen is displayed i get a
> prompt with no password being requested. (Note I have set a password
> in /boot/loader.conf, and set the console to "insecure" in /etc/ttys)

Would autoboot_delay="0" in /boot/loader.conf help?

Ciao,
Sheldon.

Date: Mon, 3 Jul 2000 12:44:25 +0300
From: Alex Popa
To: Sheldon Hearn
Cc: freebsd-security@freebsd.org
Subject: Re: securing the boot process (again?!?)
Message-ID: <20000703124425.A823@ldc.ro>
References: <20000703115320.A341@ldc.ro> <4777.962615099@axl.ops.uunet.co.za> <20000703124141.A759@ldc.ro>
In-Reply-To: <20000703124141.A759@ldc.ro>; from razor on Mon, Jul 03, 2000 at 12:41:41PM +0300

On Mon, Jul 03, 2000 at 12:41:41PM +0300, Alex Popa wrote:
> On Mon, Jul 03, 2000 at 11:04:59AM +0200, Sheldon Hearn wrote:
> >
> > Would autoboot_delay="0" in /boot/loader.conf help?
>
> I do not think so, because if you press space in the stage where there
> is only one hyphen as a prompt, /boot/loader does not have a chance of
> being loaded (I get something like "default: ad(0,a)/boot/loader"), so
> this loader boots /boot/loader, which in turn fires up the kernel.
> And anyway, there would be a password I guess, since I have set one in
> /boot/loader.conf
>
> I got the idea I could do this after remembering that some development
> version of Debian 2.2 (in January I think) installed by default a MBR
> that would allow you to boot off a floppy, and I think this is what
> the FreeBSD MBR does too. (please correct me if it is not the MBR,
> remember I installed "dangerously dedicated").
>
> > Ciao,
> > Sheldon.
> Have Fun!
> Alex
>
> ------------+------------------------------------------
> Alex Popa,  |There never was a good war or a bad peace
> razor@ldc.ro|                          -- B. Franklin
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|                          -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

Date: Mon, 3 Jul 2000 19:11:00 +0200 (CEST)
From: Paul Dekkers
To: freebsd-security@freebsd.org
Subject: jail with 2 ip's?

Hi

Is it possible to define 2 ip's to a jail? I normally assign at least 2 ip's to one host, one internal ip, and one external ip. And besides, it would be nice if the web-server could use more than one IP too. (And I can't start a new jail for every ip; e.g. I don't know how squid behaves when there are two processes that access the cache-directory and write the log files...)

Thank you,
Paul

--
Paul Dekkers
E-Mail:
To err is human, to moo bovine

To: Paul Dekkers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail with 2 ip's?
In-reply-to: Your message of "Mon, 03 Jul 2000 19:11:00 +0200."
Date: Mon, 03 Jul 2000 19:30:33 +0200
Message-ID: <7443.962645433@critter.freebsd.dk>
From: Poul-Henning Kamp

In message , Paul Dekkers writes:
>Hi
>
>Is it possible to define 2 ip's to a jail? I normally assign at least 2
>ip's to one host, one internal ip, and one external ip.

Currently no. It would take some work to get it to work.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Message-Id: <200007032106.OAA36912@john.baldwin.cx>
In-Reply-To: <20000703115320.A341@ldc.ro>
Date: Mon, 03 Jul 2000 14:06:48 -0700 (PDT)
From: John Baldwin
To: Alex Popa
Subject: RE: securing the boot process (again?!?)
Cc: freebsd-security@FreeBSD.ORG

On 03-Jul-00 Alex Popa wrote:
> I have been trying to secure (a bit) the boot process of a 4.0-STABLE
> machine that is located in a public place.
>
> I need to use the floppy disk, but if I disable it from the BIOS I get
> no access to it under FreeBSD. So I set the boot sequence to "C only"
> but if I press space while the initial hyphen is displayed i get a
> prompt with no password being requested. (Note I have set a password
> in /boot/loader.conf, and set the console to "insecure" in /etc/ttys)
>
> The problem is I can boot any kernel or loader, including a kernel off
> the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From
> there to a setuid(12345) that yields uid=0 (patched kernel, remember?)
> is just a small step. Any ideas for further improvement of the boot
> process security?

Umm, well. You can try hacking boot2 to require a password, but usually if someone has physical access to the machine, it's close to being all over to begin with. You could also hack boot2 to just always load /boot/loader and never allow for a prompt if you wish.

> Note: I have used the "Dangerously dedicated" option when installing.

Ugh, well, you can't ever use boot0 or any other boot managers. :P

> Thanks alot,
> Alex.

--
John Baldwin -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!"
 - http://www.FreeBSD.org/

From: Brian Dean
To: freebsd-security@freebsd.org
Subject: rshd patch (security) - please comment (fwd)
Date: Mon, 3 Jul 2000 18:26:07 -0400 (EDT)

Hi,

Someone brought to my attention that this patch should get wider review, -security was suggested and seems appropriate. My apologies for not sending it here in the first place.

Comments welcome!

Thanks,
-Brian

---------- Forwarded message ----------
Date: Mon, 3 Jul 2000 15:16:33 -0400 (EDT)
From: Brian Dean
To: committers@freebsd.org
Subject: rshd patch (security) - please comment

Hi,

Currently, in rshd, if the target user account does not contain a password, access is granted, regardless of what .rhosts says. I think this is a bug and should be removed (please see the included patch).

Consider the case of the root account, where network ttys are marked insecure, and thus, root access should be denied on that basis. This mis-feature allows root from any remote system to gain network access, which would otherwise be denied. For example, one can:

rsh foo 'export DISPLAY=bar:0; /usr/X11R6/bin/xterm'

Where machine 'foo' does not have a root password (but the console may otherwise be secure).

You may say to just put on a root password and be done with it. While that is true, the logic of 'rshd' is such that it breaks the expectation that root can only gain login access via the console. Surely this is not the intended behaviour.

Any comments from our security and RFC experts? If there are no objections, I will commit this in a few days.

While this patch won't help if someone installs a .rhosts file for root (they do this knowingly and can shoot off their own feet if they so choose), it will at least not bypass the check for a .rhosts file simply because no password is present, which some may have felt was secure as long as their console was secure.

Thanks,
-Brian

--
Brian Dean
bsd@FreeBSD.org

Index: rshd.c
===================================================================
RCS file: /home/ncvs/src/libexec/rshd/rshd.c,v
retrieving revision 1.31
diff -u -r1.31 rshd.c
--- rshd.c      2000/04/29 12:02:00     1.31
+++ rshd.c      2000/07/03 17:53:47
@@ -399,9 +399,8 @@ if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || - (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' && - iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, - remuser, locuser) < 0)) { + iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, + remuser, locuser) < 0) { if (__rcmd_errstr) syslog(LOG_INFO|LOG_AUTH, "%s@%s as %s: permission denied (%s). cmd='%.80s'",
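Review bot: the commit message for the hunk at @@ -399,9 +399,8 @@ should state the behavioural change explicitly: with `pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&` removed, `iruserok_sa()` is consulted for every account, so an empty password field no longer grants access without a matching hosts.equiv/.rhosts entry, and rshd(8) should be checked for any wording that documents the old exemption. Note that the removed lines were also the only NULL guard on `pwd->pw_passwd` in this condition; that is fine because nothing left in the condition dereferences it. Style: the added operand `iruserok_sa(fromp, fromp->su_len, pwd->pw_uid == 0, remuser, locuser) < 0` now stands unparenthesised in the `||` chain, which parses as intended since `<` binds tighter than `||`, but parenthesising it like the neighbouring `(pwd->pw_expire && time(NULL) >= pwd->pw_expire)` operand would keep the three operands uniform.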

From: "Dan O'Connor"
To: ,
Subject: Re: securing the boot process (again?!?)
Date: Mon, 3 Jul 2000 15:54:07 -0700

>I have been trying to secure (a bit) the boot process of a 4.0-STABLE
>machine that is located in a public place.
>
>I need to use the floppy disk, but if I disable it from the BIOS I get
>no access to it under FreeBSD. So I set the boot sequence to "C only"
>but if I press space while the initial hyphen is displayed i get a
>prompt with no password being requested. (Note I have set a password
>in /boot/loader.conf, and set the console to "insecure" in /etc/ttys)
>
>The problem is I can boot any kernel or loader, including a kernel off
>the floppy drive [just type fd(0,a)/evilkernel at the prompt]. From
>there to a setuid(12345) that yields uid=0 (patched kernel, remember?)
>is just a small step. Any ideas for further improvement of the boot
>process security?

Doesn't your computer have a BIOS password? These are typically invoked *before* the BIOS tries to boot off any disk...

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

Date: Mon, 3 Jul 2000 22:11:15 -0700
From: Alfred Perlstein
To: Brian Dean
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: rshd patch (security) - please comment (fwd)

* Brian Dean [000703 15:28] wrote:
> Hi,
>
> Someone brought to my attention that this patch should get wider
> review, -security was suggested and seems appropriate. My apologies
> for not sending it here in the first place.

[snip denying rsh allow for password-less accounts]

I agree, there's nothing wrong with bolting down security further, and
I'd like to see this happen.

-Alfred

Date: Tue, 4 Jul 2000 14:25:43 +0400 (MSD)
From: "Andrey V. Sokolov"
To: freebsd-security@FreeBSD.ORG
Subject: Forward to next hop in ipf

Hi!
How do I forward a packet matched by a rule to the desired next hop, with
IPFILTER compiled as part of the FreeBSD-4.0 kernel?
I know how to do it with ipfw.
Thanks. Andrey.

Date: Tue, 4 Jul 2000 13:27:21 +0300
From: Alex Popa
To: Dan O'Connor
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: securing the boot process (again?!?)

On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote:
> >> Doesn't your computer have a BIOS password? These are typically invoked
> >> *before* the BIOS tries to boot off any disk...
> >
> >Unfortunately BIOS passwords can be disabled on the motherboard in a matter
> >of minutes (for most motherboards that I know of). Even Dell laptops (don't
> >know about their desktops/servers) have a master password that Dell will give
> >you if you call them, provided you give them some details first.
>
> Looks like there's not really much you can do if you can't physically secure
> the machine.
>
> Even all the other tricks, boot only from hard drive, setting the delay to
> '0', are pointless if someone can get inside the hardware case, change
> jumpers, get into the BIOS and turn on boot from floppy and then boot from a
> floppy. On the other hand, if someone has the opportunity to do all that,
> they might as well just steal the whole box...
>
> Moral of the story: either secure the machine in a location where malicious
> users can't get to it or take the consequences.
>

Okay, my mistake: by "public access machine" I meant users have access
to the front panel of the PC (so they can use the floppy drive) and a
keyboard and monitor, but *NOT* the inside of the case (the case is
sort of buried in a wall). And the problem I had was (apart from booting
an evil kernel installed on /tmp) that by setting the floppy drive to
"none" in the BIOS the kernel (4.0-STABLE) cannot use floppies after
booting.

I do have a BIOS password, and from what I've heard there is no other
way of bypassing it except for the jumpers on the motherboard
(impossible, see above).

------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor@ldc.ro|                           -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

From: Troy Arie Cobb
To: 'Alex Popa', Dan O'Connor
Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject: RE: securing the boot process (again?!?)
Date: Tue, 4 Jul 2000 06:48:12 -0400

There are small locks you can buy which fit into a floppy drive and
secure it with a key. If your users don't need to put floppies in on a
regular basis (but perhaps YOU do occasionally), then this can be a
good choice to avoid booting the evil-floppy-kernel.

-Troy Cobb
Circle Net, Inc.
http://www.circle.net
1-800-321-2237 x308

From: Fernando Schapachnik
Subject: Re: Forward to next hop in ipf
To: abc@nns.ru (Andrey V. Sokolov)
Date: Tue, 4 Jul 2000 09:01:23 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG

In an earlier message, Andrey V. Sokolov wrote:
> Hi!
> How to forward a packet matched by a rule to the desired next hop with
> IPFILTER compiled as the part of the kernel FreeBSD-4.0?
> I know how to do it with ipfw.
> Thanks. Andrey.

Take a look at man 5 ipf, fastroute option.

Regards.

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

Date: Tue, 4 Jul 2000 18:05:13 +0400 (MSD)
From: "Andrey V. Sokolov"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Forward to next hop in ipf

IMHO "fastroute" is an option for stealth forwarding without TTL
decrementing.

I have tested the "to" option.
The default gateway is 192.168.0.1.
The config string is:

pass out log quick on ed0 to 192.168.0.2 from 192.168.0.2/32 to any

where 192.168.0.2 is my new gateway, but it didn't work! The packets
went to the default gateway, not via the new gateway! But I'm not sure
that the "to" option works correctly with the IP address of the next
hop. As written in the ipf man page, the "to" option requires an
interface name.

---
Andrey Sokolov

On Tue, 4 Jul 2000, Fernando Schapachnik wrote:
> In an earlier message, Andrey V. Sokolov wrote:
> > Hi!
> > How to forward a packet matched by a rule to the desired next hop with
> > IPFILTER compiled as the part of the kernel FreeBSD-4.0?
> > I know how to do it with ipfw.
> > Thanks. Andrey.
>
> Take a look at man 5 ipf, fastroute option.
>
> Regards.
>
> Fernando P. Schapachnik
> Network administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333

From: Fernando Schapachnik
Subject: Re: Forward to next hop in ipf
To: abc@nns.ru (Andrey V. Sokolov)
Date: Tue, 4 Jul 2000 11:41:34 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG

In an earlier message, Andrey V. Sokolov wrote:
[Charset koi8-r unsupported, filtering to ASCII...]
> IMHO "fastroute" is option for make a stealth forwarding without a ttl
> decrementing.

You are right.

> I have tested "to" option
> default gateway is 192.168.0.1
> The config string is:
> pass out log quick on ed0 to 192.168.0.2 from 192.168.0.2/32 to any
> where 192.168.0.2 is my new gateway, but it didn't works!

From the ipf how-to: you would be better off with something like:

block out log quick on ed0 to <next-hop> from <your-ip>/32 to any

You will be blocking the normal packet and deviating the original one
to <next-hop>. Besides, I can't see the point of "to 192.168.0.2 from
192.168.0.2".

Good luck!

Fernando P. Schapachnik
Network administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

Date: Tue, 4 Jul 2000 19:02:20 +0400 (MSD)
From: "Andrey V. Sokolov"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Forward to next hop in ipf

On Tue, 4 Jul 2000, Fernando Schapachnik wrote:
> > I have tested "to" option
> > default gateway is 192.168.0.1
> > The config string is:
> > pass out log quick on ed0 to 192.168.0.2 from 192.168.0.2/32 to any
> > where 192.168.0.2 is my new gateway, but it didn't works!

Excuse me! I made a mistake in the previous letter! ;-)
The config string is:

pass out log quick on ed0 to 192.168.0.2 from 192.168.0.3/32 to any

where 192.168.0.2 is my new gateway and 192.168.0.3/32 is the IP address
of my host!

> From the ipf how-to: you would be better off with something like:
>
> block out log quick on ed0 to <next-hop> from <your-ip>/32 to any
>
> You will be blocking the normal packet and deviating the original one
> to <next-hop>. Besides, I can't see the point of "to 192.168.0.2 from
> 192.168.0.2".
>
> Good luck!
>
> Fernando P. Schapachnik
> Network administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333

Date: Tue, 4 Jul 2000 19:33:25 +0400 (MSD)
From: "Andrey V. Sokolov"
To: Fernando Schapachnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Forward to next hop in ipf

Yes, yes, yes! It worked!
I modified my config string a little:

pass out log quick on ed0 to ed0:192.168.0.2 from 192.168.0.3/32 to any

And all the packets went to the new gateway! :-)
And also, I have tested it with:

route delete 0.0.0.0
route add 0.0.0.0 192.168.0.7

where 192.168.0.7 is a nonexistent host! And it worked too!
Thanks!

---
Andrey Sokolov

On Tue, 4 Jul 2000, Fernando Schapachnik wrote:
> > IMHO "fastroute" is option for make a stealth forwarding without a ttl
> > decrementing.
>
> You are right.
>
> > I have tested "to" option
> > default gateway is 192.168.0.1
> > The config string is:
> > pass out log quick on ed0 to 192.168.0.2 from 192.168.0.2/32 to any
> > where 192.168.0.2 is my new gateway, but it didn't works!
>
> From the ipf how-to: you would be better off with something like:
>
> block out log quick on ed0 to <next-hop> from <your-ip>/32 to any
>
> You will be blocking the normal packet and deviating the original one
> to <next-hop>. Besides, I can't see the point of "to 192.168.0.2 from
> 192.168.0.2".
>
> Good luck!
>
> Fernando P. Schapachnik
> Network administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333

Date: Wed, 05 Jul 2000 12:28:41 -0600
To: freebsd-security@FreeBSD.ORG
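The ipf thread above turned on one detail of the rule grammar: a routing clause written as "to 192.168.0.2" did nothing, while "to ed0:192.168.0.2" sent the packets to the new gateway, because ipf reads the part before the colon as an interface name. The linter below is an added example, not code from the thread or from IPFilter; it parses only the rule shape used in the thread (action, direction, log/quick, "on ifname", an optional to/dup-to/fastroute clause, then "from X to Y") and flags a routing target that is a bare IP address. Both rules it checks are copied from Andrey's messages.

```python
"""Lint the routing clause of ipf(5) rules of the shape used in this thread."""
import ipaddress
from typing import Dict, List, Optional

# Copied from the thread: the first rule left packets on the default
# route, the second one worked.
BROKEN_RULE = "pass out log quick on ed0 to 192.168.0.2 from 192.168.0.3/32 to any"
WORKING_RULE = "pass out log quick on ed0 to ed0:192.168.0.2 from 192.168.0.3/32 to any"


def _looks_like_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_rule(text: str) -> Dict[str, Optional[str]]:
    """Split one ipf rule into its parts; raises ValueError on anything unsupported."""
    t = text.split()
    if len(t) < 6 or t[0] not in ("pass", "block") or t[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {text!r}")
    rule: Dict[str, Optional[str]] = {
        "action": t[0], "direction": t[1], "on": None,
        "route": None, "route_iface": None, "route_gw": None,
        "src": None, "dst": None,
    }
    i = 2
    while i < len(t) and t[i] != "from":
        tok = t[i]
        if tok in ("log", "quick"):
            i += 1
        elif tok == "on":
            rule["on"] = t[i + 1]
            i += 2
        elif tok == "fastroute":
            rule["route"] = tok
            i += 1
        elif tok in ("to", "dup-to"):
            # Routing clause: 'to ifname[:gateway]'. Whatever precedes the
            # colon is an interface name to ipf, never an IP address.
            rule["route"] = tok
            iface, _, gw = t[i + 1].partition(":")
            rule["route_iface"], rule["route_gw"] = iface, (gw or None)
            i += 2
        else:
            raise ValueError(f"unknown option {tok!r} in {text!r}")
    if i + 3 >= len(t) or t[i] != "from" or t[i + 2] != "to":
        raise ValueError(f"expected 'from SRC to DST' in {text!r}")
    rule["src"], rule["dst"] = t[i + 1], t[i + 3]
    return rule


def lint_rule(text: str) -> List[str]:
    """Return the problems found in the rule's routing clause (empty list = fine)."""
    rule = parse_rule(text)
    problems: List[str] = []
    if rule["route"] in ("to", "dup-to"):
        if _looks_like_ip(rule["route_iface"]):
            problems.append(
                f"{rule['route']} target {rule['route_iface']!r} is an IP address, "
                "but ipf expects an interface name (ifname or ifname:gateway); "
                "matching packets keep following the normal routing table")
        if rule["route_gw"] is not None and not _looks_like_ip(rule["route_gw"]):
            problems.append(f"gateway {rule['route_gw']!r} is not an IP address")
    return problems


if __name__ == "__main__":
    for r in (BROKEN_RULE, WORKING_RULE):
        print(r)
        for p in lint_rule(r) or ["ok"]:
            print("   ", p)
```

Running it prints one warning for the first rule and "ok" for the second; the same check is worth adding to whatever loads ipf.rules on a router, since a mis-typed routing target fails silently, exactly as it did in the thread.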
From: Mark Cohen
Subject: Password Policy beyond mixed case

I already sent this query to freebsd-questions and received no response. I
am hoping someone on this list may help.

Is there a setting for login.conf or elsewhere to demand a password policy
stronger than mixed case, such as non-alphanumeric? If not, can you
suggest good ways/programs to enforce such password policies.

Thanks for any and all assistance.

Mark

Date: Wed, 5 Jul 2000 19:38:45 +0100
From: Ben Smithurst
To: Mark Cohen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password Policy beyond mixed case

Mark Cohen wrote:
> I already sent this query to freebsd-questions and received no response. I
> am hoping someone on this list may help.
>
> Is there a setting for login.conf or elsewhere to demand a password policy
> stronger than mixed case, such as non-alphanumeric? If not, can you
> suggest good ways/programs to enforce such password policies.

You might look at npasswd. I've never used it myself, but I've seen it
suggested before...

http://www.utexas.edu/cc/unix/software/npasswd/

--
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D

Date: Wed, 05 Jul 2000 14:50:35 -0400
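For the policy Mark asks about, here is the shape of the check a passwd wrapper such as the npasswd Ben points to has to perform. This is an added example, not code from the thread, from FreeBSD or from npasswd: it enforces length, mixed case, a digit, a non-alphanumeric character, no user name inside the password and a minimum number of distinct characters, and returns every rule the candidate breaks rather than a bare yes/no, so the user can be told what to fix. The thresholds are constructed for the example, not values taken from the thread.

```python
"""Password-quality check: returns the list of policy rules a candidate breaks."""
from typing import List, Set

MIN_LENGTH = 10      # constructed policy values for the example
MIN_DISTINCT = 6


def character_classes(password: str) -> Set[str]:
    """Which of lower / upper / digit / other the password draws from."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")       # punctuation, space, anything else
    return classes


def check_password(password: str, username: str = "") -> List[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    problems: List[str] = []
    classes = character_classes(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not {"lower", "upper"} <= classes:
        problems.append("not mixed case")
    if "digit" not in classes:
        problems.append("no digit")
    if "other" not in classes:
        problems.append("no non-alphanumeric character")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    # Repetition check: 'aaaaaaaaA1!' satisfies every class rule but is
    # still a poor password, so require a minimum number of distinct characters.
    if len(set(password)) < min(MIN_DISTINCT, len(password)):
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "Mark2000!!!!", "Tr0ub4dor&3x"):
        verdict = check_password(candidate, username="mark")
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Because the check lives outside login.conf, it has to be wired into whatever path changes passwords (a passwd front end or a PAM module); a policy enforced only at the interactive prompt is bypassed by any other route that writes the password database.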
From: Mark Bitting
To: freebsd-security@FreeBSD.ORG
Subject: SA00-23 question

FreeBSD 4.0 from an early CD running on a Pentium MMX. When I recompiled
the kernel with the patches, I got this:

ip_input.c 611: warning: assignment from incompatible pointer type

Is this a problem, or should I ignore it and type make install and reboot?

Thanks,
Mark Bitting

From: openzero@bsdmail.com
To: freebsd-security@freebsd.org
Date: Wed, 05 Jul 2000 21:29:37 +0100
Subject: Firewalls and the endless story!

Hm!
After posting for some help with my sucky firewall, I upgraded from
FreeBSD-2.2.8-RELEASE to FreeBSD-3.4-RELEASE + SecureBSD1.0, in the hope
it would work now.

But nothing happens! The firewall doesn't work and FreeBSD-3.4 (and 4.0)
is a boring unstable system!

So, I downloaded FreeBSD-2.2.8-STABLE via cvsup! It really rulez!

But the firewall problem still exists, and with this configuration I
can't surf the web either! ;)

Hm! Please, I need help! It's very important!

For those who want to help me, here is some information on what the
firewall has to do:

1. I'm running an anonymous FTP server
2. I need to browse the web
3. Sendmail could be enabled (not needed!)

Here is my actual configuration, which still suckz! At the moment, I can
only browse after:
# ipfw -f flush

--- CUT HERE ---
fwcmd="/sbin/ipfw"

$fwcmd -f flush

$fwcmd add allow ip from any to any via lo0
$fwcmd add deny log ip from any to 127.0.0.1/8
$fwcmd add allow ip from any to any via rl0

$fwcmd add divert 8668 all from any to any via tun0

$fwcmd add allow tcp from any to any out xmit tun0 setup
$fwcmd add allow tcp from any to any via tun0 established

$fwcmd add allow log tcp from any to any 21 setup
$fwcmd add allow log tcp from any 20 to any setup   # really needed ?????

$fwcmd add reset log tcp from any to any 113 in recv tun0

$fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
$fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0

$fwcmd add deny log icmp from any to any

$fwcmd add deny log ip from any to any
--- CUT HERE ---

My kernel:
DEFAULT_TO_ACCEPT
VERBOSE_LIMIT=10

rc.conf:
natd_enable="YES"
natd_device="tun0"
natd_flags="-dynamic"

Please, I need help!

Thanx.... Daniel Ridder

(It's an SOS! I need this wall as fast as I can get it!
For later, is there a book to get the most out of BSD firewalls????)
--
Get your free email from http://www.bsdmail.com

Powered by Outblaze

Date: Wed, 5 Jul 2000 13:56:23 -0700 (PDT)
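Before reading the replies, it helps to walk Daniel's ruleset the way ipfw does: top to bottom, first match wins. The script below is an added example, not code from the thread or from FreeBSD; it re-implements just enough of ipfw's matching (via, in recv, out xmit, setup, established, port matching) to report which rule stops a given packet, and models a divert rule as "hand to natd and carry on at the next rule", which is how ipfw continues once natd reinjects the packet. The rules are the ones Daniel posted; the packets are constructed, with 10.0.0.2 standing in for his dial-up host and documentation addresses for the far end.

```python
"""First-match walk of an ipfw(8)-style ruleset (model, not ipfw itself)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Daniel's rules, in order, minus the shell wrapper.
RULES: List[str] = [
    "allow ip from any to any via lo0",
    "deny log ip from any to 127.0.0.1/8",
    "allow ip from any to any via rl0",
    "divert 8668 all from any to any via tun0",
    "allow tcp from any to any out xmit tun0 setup",
    "allow tcp from any to any via tun0 established",
    "allow log tcp from any to any 21 setup",
    "allow log tcp from any 20 to any setup",
    "reset log tcp from any to any 113 in recv tun0",
    "allow udp from any to 194.25.2.129 53 out xmit tun0",
    "allow udp from 194.25.2.129 53 to any in recv tun0",
    "deny log icmp from any to any",
    "deny log ip from any to any",
]


@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str            # "in" or "out"
    iface: str                # interface the packet arrives on / leaves by
    sport: int = 0
    dport: int = 0
    syn: bool = False         # TCP SYN without ACK  -> matches 'setup'
    ack: bool = False         # TCP with ACK or RST  -> matches 'established'


@dataclass
class Rule:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False
    established: bool = False


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse 'action [log] proto from SRC [port] to DST [port] [options]'."""
    t = text.split()
    i = 1
    if t[0] == "divert":
        i += 1                                  # skip the divert port; natd is not modelled
    if t[i] == "log":
        i += 1
    proto, src = t[i], _net(t[i + 2])           # t[i + 1] is the keyword 'from'
    i += 3
    sport = dport = None
    if t[i].isdigit():
        sport, i = int(t[i]), i + 1
    dst = _net(t[i + 1])                        # t[i] is the keyword 'to'
    i += 2
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    rule = Rule(text, t[0], proto, src, dst, sport, dport)
    while i < len(t):
        opt, i = t[i], i + 1
        if opt == "via":
            rule.iface, i = t[i], i + 1
        elif opt in ("recv", "xmit"):
            rule.iface, rule.direction, i = t[i], ("in" if opt == "recv" else "out"), i + 1
        elif opt in ("in", "out"):
            rule.direction = opt
        elif opt in ("setup", "established"):
            setattr(rule, opt, True)
        else:
            raise ValueError(f"unsupported option {opt!r} in {text!r}")
    return rule


def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in rule.src or ipaddress.ip_address(p.dst) not in rule.dst:
        return False
    has_ports = p.proto in ("tcp", "udp")
    if rule.sport is not None and not (has_ports and p.sport == rule.sport):
        return False
    if rule.dport is not None and not (has_ports and p.dport == rule.dport):
        return False
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if rule.iface is not None and rule.iface != p.iface:
        return False
    if rule.setup and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if rule.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def first_match(rules: List[Rule], p: Packet) -> Tuple[Optional[int], str]:
    """(index, action) of the rule that decides the packet; divert does not decide."""
    for idx, rule in enumerate(rules):
        if matches(rule, p):
            if rule.action == "divert":
                continue                        # natd reinjects at the next rule
            return idx, rule.action
    return None, "accept"                       # DEFAULT_TO_ACCEPT, as in Daniel's kernel


PARSED = [parse_rule(r) for r in RULES]

# Constructed traffic: 10.0.0.2 is the dial-up host, the rest are documentation ranges.
SAMPLES: Dict[str, Packet] = {
    "outbound http syn": Packet("tcp", "10.0.0.2", "203.0.113.10", "out", "tun0", 49152, 80, syn=True),
    "inbound ftp syn": Packet("tcp", "198.51.100.7", "10.0.0.2", "in", "tun0", 50000, 21, syn=True),
    "dns reply from 194.25.2.129": Packet("udp", "194.25.2.129", "10.0.0.2", "in", "tun0", 53, 40001),
    "dns reply from another resolver": Packet("udp", "198.51.100.53", "10.0.0.2", "in", "tun0", 53, 40001),
    "inbound icmp echo reply": Packet("icmp", "198.51.100.7", "10.0.0.2", "in", "tun0"),
}


def report() -> Dict[str, Tuple[Optional[int], str]]:
    return {name: first_match(PARSED, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (idx, action) in report().items():
        where = "default policy" if idx is None else f"rule {idx}: {RULES[idx]}"
        print(f"{name:34} -> {action:6} ({where})")
```

Two of the walks are the ones worth noticing: a DNS answer from any resolver other than 194.25.2.129 falls all the way through to the final deny, so name resolution silently fails if the PPP session hands out a different nameserver, and the blanket ICMP deny swallows echo replies (and, less visibly, the fragmentation-needed messages that path MTU discovery depends on).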
From: Daryl Chance
Reply-To: chancedj@intertek.net
Subject: Re: Firewalls and the endless story!
To: openzero@bsdmail.com, freebsd-security@FreeBSD.ORG

i THINK you need to add (sorry not on my box at home) something like:

# allow for DNS lookups both ways
# <nameserver> is your nameserver
$fwcmd add allow udp from any to <nameserver> 53 out xmit tun0
$fwcmd add allow udp from <nameserver> 53 to any in recv tun0

=====
<--------------------------------------------------------------->
<- Daryl Chance   - A programmer is someone who solves a         ->
<- Programmer     - problem you didn't know you had in a         ->
<- -------------- - way you don't understand.                    ->
<- Belial of -E-  -                                  - ?????     ->
<--------------------------------------------------------------->

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

From: Chris Dillon
To: openzero@bsdmail.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewalls and the endless story!
Date: Wed, 5 Jul 2000 15:57:22 -0500 (CDT)

On Wed, 5 Jul 2000 openzero@bsdmail.com wrote:
> Hm!
> After posting, for some help with my sucky fireball
> I upgraded from FreeBSD-2.2.8-RELEASE to FreeBSD-3.4-RELEASE
> + SecureBSD1.0, in hope it will work now.
>
> But nothing happends! The firewall doesn't work
> and FreeBSD-3.4 (and 4.0) is a boring unstable
> system!

Hardly. I have no problems using FreeBSD 3.x or 4.x in any of the many
systems I use them in, including a large firewall.

> So, I downloaded via cvsup the FreeBSD-2.2.8-STABLE!
> It really rulez!
>
> But the firewall problem still exists, and with this
> configuration I can't surf the web too! ;)
>
> Hm! Please I need help! It's very important!
>
> For you, who wants to help me.
Here are some information > on what the firewall has to do! > > 1. I'm running an anonyous ftp- Server > 2. I need to browse the web > 3. Sendmail could be enabled (not needed!) > > Here is my actual configration, which still suckz! > At the momemt, I can only browse via: > # ipfw -f flush! > > --- CUT HERE --- > fwcmd="/sbin/ipfw" > > $fwcmd -f flush > > $fwcmd add allow ip from any to any via lo0 > $fwcmd add deny log ip from any to 127.0.0.1/8 > $fwcmd add allow ip from any to any via rl0 > > $fwcmd add divert 8668 all from any to any via tun0 > > $fwcmd add allow tcp from any to any out xmit tun0 setup > $fwcmd add allow tcp from any to any via tun0 established > > $fwcmd add allow log tcp from any to any 21 setup > $fwcmd add allow log tcp from any 20 to any setup # really needed ????? > > $fwcmd add reset log tcp from any to any 113 in recv tun0 > > $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0 > $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0 > > $fwcmd add deny log icmp from any to any > > $fwcmd add deny log ip from any to any You have a lot of rules here that are redundant or won't work at all. You would be better off using the canned "open" ruleset and not try to make up your own until you're entirely sure about what you are doing. For one thing, all packets need to be diverted to natd, not just ones from tun0. But that doesn't matter since you need to remove natd from the picture anyway. > rc.conf: > natd_enable="YES" > natd_device="tun0" > natd_flags="-dynamic" You do not need to do this to get NAT to work when using the userland ppp program. Use ppp -alias instead. This and the incorrect ruleset regarding NAT is one reason why you can't do anything with your current setup. -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net FreeBSD: The fastest and most stable server OS on the planet. For Intel x86 and Alpha architectures. 
( http://www.freebsd.org )


From owner-freebsd-security Wed Jul 5 13:58:50 2000
Date: Wed, 5 Jul 2000 13:58:40 -0700 (PDT)
From: Daryl Chance
Reply-To: chancedj@intertek.net
To: openzero@bsdmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Firewalls and the endless story!
Message-ID: <20000705205840.10936.qmail@web3201.mail.yahoo.com>

*DOH* sorry....totally missed the part where you already had the
firewall rules.  my bad.

I found this, it might help out.

http://www.freebsd.org/tutorials/dialup-firewall/index.html

--- openzero@bsdmail.com wrote:
> Hm!
> After posting, for some help with my sucky fireball
> I upgraded from FreeBSD-2.2.8-RELEASE to FreeBSD-3.4-RELEASE
> + SecureBSD1.0, in hope it will work now.
>
> But nothing happens! The firewall doesn't work
> and FreeBSD-3.4 (and 4.0) is a boring unstable
> system!
>
> So, I downloaded via cvsup the FreeBSD-2.2.8-STABLE!
> It really rulez!
>
> But the firewall problem still exists, and with this
> configuration I can't surf the web too! ;)
>
> Hm! Please I need help! It's very important!
>
> For you, who wants to help me. Here is some information
> on what the firewall has to do!
>
> 1. I'm running an anonymous ftp server
> 2. I need to browse the web
> 3. Sendmail could be enabled (not needed!)
>
> Here is my actual configuration, which still suckz!
> At the moment, I can only browse via:
> # ipfw -f flush!
>
> --- CUT HERE ---
> fwcmd="/sbin/ipfw"
>
> $fwcmd -f flush
>
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny log ip from any to 127.0.0.1/8
> $fwcmd add allow ip from any to any via rl0
>
> $fwcmd add divert 8668 all from any to any via tun0
>
> $fwcmd add allow tcp from any to any out xmit tun0 setup
> $fwcmd add allow tcp from any to any via tun0 established
>
> $fwcmd add allow log tcp from any to any 21 setup
> $fwcmd add allow log tcp from any 20 to any setup # really needed ?????
>
> $fwcmd add reset log tcp from any to any 113 in recv tun0
>
> $fwcmd add allow udp from any to 194.25.2.129 53 out xmit tun0
> $fwcmd add allow udp from 194.25.2.129 53 to any in recv tun0
>
> $fwcmd add deny log icmp from any to any
>
> $fwcmd add deny log ip from any to any
> -- CUT HERE ---
>
> My kernel:
> DEFAULT_TO_ACCEPT
> VERBOSE_LIMIT=10
>
> rc.conf:
> natd_enable="YES"
> natd_device="tun0"
> natd_flags="-dynamic"
>
>
> Please, need help!
>
>
>
> Thanx.... Daniel Ridder
>
> (It's an SOS! I need this wall as fast as I can get it!
> For later times, is there a book to get most out
> of BSD firewalls????)
> --
> Get your free email from http://www.bsdmail.com
>
> Powered by Outblaze
>

=====
<--------------------------------------------------------------->
<- Daryl Chance  - A programmer is someone who solves a    ->
<- Programmer      - problem you didn't know you had in a ->
<- ----------------- - way you don't understand.       ->
<- Belial of -E-     -                - ?????       ->
<--------------------------------------------------------------->


From owner-freebsd-security Wed Jul 5 14:09:57 2000
Date: Wed, 5 Jul 2000 17:09:52 -0400
From: Bill Fumerola
To: Chris Dillon
Cc: openzero@bsdmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Firewalls and the endless story!
Message-ID: <20000705170952.O4034@jade.chc-chimes.com>
References: <20000705202937.64113.qmail@bsdmail.com>
In-Reply-To: ; from cdillon@wolves.k12.mo.us on Wed, Jul 05, 2000 at 03:57:22PM -0500
X-Mailer: Mutt 1.0i
X-Operating-System: FreeBSD 3.3-STABLE i386

On Wed, Jul 05, 2000 at 03:57:22PM -0500, Chris Dillon wrote:

> > After posting, for some help with my sucky fireball
> > I upgraded from FreeBSD-2.2.8-RELEASE to FreeBSD-3.4-RELEASE
> > + SecureBSD1.0, in hope it will work now.
> >
> > But nothing happens! The firewall doesn't work
> > and FreeBSD-3.4 (and 4.0) is a boring unstable
> > system!
>
> Hardly.  I have no problems using FreeBSD 3.x or 4.x in any of the
> many systems I use them in, including a large firewall.

Yes, and the original poster demonstrated even further stupidity
by adding a proprietary product (SecureBSD 1.0) into the mix and
then expect that we support it.

"Works for me."

-- 
Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES
e-mail: billf@chimesnet.com / billf@FreeBSD.org


From owner-freebsd-security Wed Jul 5 14:16:26 2000
Date: Wed, 5 Jul 2000 14:16:23 -0700 (PDT)
From: Kris Kennaway
To: Mark Bitting
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SA00-23 question
In-Reply-To: <3963837B.9F6EA129@mindspring.com>

On Wed, 5 Jul 2000, Mark Bitting wrote:

> FreeBSD4.0 from an early CD running on a PentiumMMX.  When I recompiled
> the kernel with the patches, I got this:
>
> ip_input.c 611: warning: assignment from incompatible pointer type
>
> Is this a problem, or should I ignore it and type make install and
> reboot?

You probably also noticed a lot of other warnings when compiling the
kernel.  Just ignore them, they're basically intended for the developers
to tidy up the code.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe


From owner-freebsd-security Wed Jul 5 15:02:41 2000
Date: Wed, 05 Jul 2000 16:57:35 -0500
To: freebsd-security@FreeBSD.ORG
From: Susie Ward
Subject: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <20000705170952.O4034@jade.chc-chimes.com>
References: <20000705202937.64113.qmail@bsdmail.com>

At 05:09 PM 7/5/00 -0400, Bill Fumerola wrote:

>Yes, and the original poster demonstrated even further stupidity
>by adding a proprietary product (SecureBSD 1.0) into the mix and
>then expect that we support it.

Speaking of SecureBSD, does anyone have any opinions on the usefulness
of SecureBSD?  I've thought about testing it out, but I don't have any
servers at the moment to be playing with so I've been putting it off.

Susie


From owner-freebsd-security Wed Jul 5 15:12:31 2000
Message-ID: <3963B2B0.60A1F963@adelphia.net>
Date: Wed, 05 Jul 2000 18:12:00 -0400
From: Dan Wilhelm
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.12-20 i686)
To: Ben Smithurst
Cc: Mark Cohen, freebsd-security@FreeBSD.ORG
Subject: Re: Password Policy beyond mixed case
References: <4.3.2.20000705122423.00bd6ca0@javalina.csf.edu> <20000705193845.N13714@strontium.scientia.demon.co.uk>

Ben Smithurst wrote:

> Mark Cohen wrote:
>
> > I already sent this query to freebsd-questions and received no response.  I
> > am hoping someone on this list may help.
> >
> > Is there a setting for login.conf or elsewhere to demand a password policy
> > stronger than mixed case, such as non-alphanumeric?  If not, can you
> > suggest good ways/programs to enforce such password policies.
>
> You might look at npasswd.  I've never used it myself, but I've seen it
> suggested before...

I agree, npasswd is highly configurable, works well, and also allows you
to keep history so users cannot reuse old passwords.

> http://www.utexas.edu/cc/unix/software/npasswd/
>
> --
> Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D


From owner-freebsd-security Wed Jul 5 15:51:15 2000
Date: Wed, 5 Jul 2000 17:51:12 -0500 (CDT)
From: Mike Silbersack
To: security@freebsd.org
Subject: proftp advisory (fwd)

Heh, I guess the BSD ftpd *is* the only way to go.

Mike "Silby" Silbersack

---------- Forwarded message ----------
Date: Mon, 3 Jul 2000 12:40:54 CEST
From: lamagra
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: proftp advisory

___________________________________________________
http://lamagra.seKure.de: advisory #1

Advisory: misc. bugs
Programname: proftpd
Versions: 1.2.0 <= pre10
Vendor: proftpd.net
Severity: high (root shell) and low
Contact: lamagra@digibel.org


From owner-freebsd-security Wed Jul 5 16:02:56 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories
Message-Id: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:02:39 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:24                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          libedit reads config file from current directory

Category:       core
Module:         libedit
Announced:      2000-07-05
Affects:        All versions of FreeBSD prior to the correction date
Credits:        Tim Vanderhoek
Vendor status:  Notified
Corrected:      2000-05-22
FreeBSD only:   NO

I.   Background

libedit is a library of routines for providing command editing and
history retrieval for interactive command-oriented programs.

II.  Problem Description

libedit incorrectly reads an ".editrc" file in the current directory if
it exists, in order to specify configurable program behaviour.  However
it does not check for ownership of the file, so an attacker can cause a
libedit application to execute arbitrary key rebindings and exercise
terminal capabilities by creating an .editrc file in a directory from
which another user executes a libedit binary (e.g. root running ftp(1)
from /tmp).  This can be used to fool the user into unknowingly
executing program commands which may compromise system security.  For
example, ftp(1) includes the ability to escape to a shell and execute a
command, which can be done under libedit control.

The supplied patch removes this behaviour and causes libedit to only
search for its configuration file in the home directory of the user, if
it exists and the binary is not running with increased privileges (i.e.
setuid or setgid).

FreeBSD 3.5-RELEASE is not affected by this vulnerability, although
4.0-RELEASE is affected since the problem was discovered after it was
released.

III. Impact

An attacker can cause a user to execute arbitrary commands within a
program which is run from a directory to which the attacker has write
access, potentially leading to system compromise if run as a privileged
user (such as root).

IV.  Workaround

Do not interactively run utilities which link against libedit from
directories which can be written to by other users.

To identify utilities which link dynamically against libedit, download
the libfind tool and detached PGP signature as follows:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc

Verify the detached signature using your PGP utility.

Run the libfind.sh tool as root, as follows:

# sh libfind.sh libedit /

Note that it is not feasible to locate utilities which link statically
against libedit since there are no common strings embedded in such
binaries.  However the following is believed to be a complete list of
statically and dynamically linked FreeBSD system utilities which link
against the library:

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl

Because libedit is not a portable library in common use there are
unlikely to be many FreeBSD ports which link statically against it: no
such ports are known at this time.

V.   Solution

One of the following:

1) Upgrade your vulnerable system to a version dated after the
correction date.

2) Save the advisory into a file or download the patch and detached PGP
signature:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

Verify the detached PGP signature using your PGP utility.
Apply the patch and rebuild as follows:

# cd /usr/src/lib/libedit
# patch -p < /path/to/patch/or/advisory

and rebuild your system as described in
http://www.freebsd.org/handbook/makeworld.html

--- el.c 1999/08/20 01:17:12 1.6 +++ el.c 2000/05/22 05:55:22 1.7 @@ -290,13 +294,10 @@ char *ptr, path[MAXPATHLEN]; if (fname == NULL) { - fname = &elpath[1]; - if ((fp = fopen(fname, "r")) == NULL) { - if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL) - return -1; - (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath); - fname = path; - } + if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL) + return -1; + (void) snprintf(path, sizeof(path), "%s%s", ptr, elpath); + fname = path; } if ((fp = fopen(fname, "r")) == NULL)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGmz1UuHi5z0oilAQF1rwP/QhuVAAmc1873YHkhTS8kMTPR63HoIlkc
8VRgf0PU6Z3AObVq6fjt3ZikCUXf7d8NhiTqRdL1Cb/Koai56yP+E5Fqbt2U5JCC
cNbWIlI8NYKxAybgOsx+9EJGSnGfrjjjvxG6MguwcyJ+W1DS3M41mDzv8C1hdpqw
/QAi9qToH+Q=
=TlZc
-----END PGP SIGNATURE-----


From owner-freebsd-security Wed Jul 5 16:04:24 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:26.popper
Reply-To: security-advisories@freebsd.org
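Review bot: the new `if (fname == NULL)` branch still hands whatever `$HOME/.editrc` resolves to straight to the trailing `if ((fp = fopen(fname, "r")) == NULL)` without the ownership check the advisory names as the underlying problem; an `fstat()` on the opened stream that rejects a file not owned by the real uid, or writable by group/other, would close that gap for a user whose home directory is shared or misconfigured. The result of `(void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);` is also unchecked, so a `HOME` longer than `MAXPATHLEN` yields a silently truncated path rather than the `return -1` that the `getenv` failure gets. Minor: the added line uses `(void) snprintf` where the removed one had `(void)snprintf`; keep one spacing form.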
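The lookup rule the advisory describes (home directory only, and only when the process is not set-id) is worth having as a small, testable function in any program that reads a per-user rc file. The following is an added example and is not libedit's code or the advisory's patch: rc_path() and open_trusted_rc() are names chosen here, running_setugid() is a portable stand-in for issetugid(2) built from a real/effective id comparison, and the ownership and mode check on the opened file is defence in depth that goes beyond what the patch itself does.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024
#endif

/* Same idea as libedit's elpath: the rc file name relative to $HOME. */
static const char rcname[] = "/.editrc";

/* Portable stand-in for issetugid(2) (hypothetical helper, not libedit's):
 * treat the process as set-id when real and effective ids differ. */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Build "<home>/.editrc" into out.  Mirrors the SA-00:24 rule: never the
 * current directory, and no rc file at all when set-id or HOME is unset.
 * A path that would not fit is treated as "no rc file" instead of a
 * silently truncated (and therefore wrong) one.  Returns 0 or -1. */
int rc_path(const char *home, int setugid, char *out, size_t outlen)
{
    int n;

    if (setugid || home == NULL || *home == '\0')
        return -1;
    n = snprintf(out, outlen, "%s%s", home, rcname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Open the rc file, then verify on the open descriptor (so the check and
 * the read cannot disagree) that it is a regular file owned by the
 * expected uid and not writable by group or others.  This ownership
 * check is the part the advisory says libedit never had. */
FILE *open_trusted_rc(const char *path, uid_t owner)
{
    struct stat st;
    FILE *fp = fopen(path, "r");

    if (fp == NULL)
        return NULL;
    if (fstat(fileno(fp), &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        fclose(fp);
        return NULL;
    }
    return fp;
}

int main(void)
{
    char path[MAXPATHLEN];
    FILE *fp;

    if (rc_path(getenv("HOME"), running_setugid(), path, sizeof path) != 0) {
        puts("no rc file considered (set-id, HOME unset, or path too long)");
        return 0;
    }
    fp = open_trusted_rc(path, getuid());
    printf("%s: %s\n", path, fp ? "accepted" : "absent or untrusted");
    if (fp)
        fclose(fp);
    return 0;
}
```

The two functions are deliberately split: rc_path() decides whether a file is consulted at all (the advisory's fix), open_trusted_rc() decides whether the file found there may be trusted (the check the advisory notes was missing). Keeping the stat on the already-open descriptor avoids a check-then-open race on the path.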
From: FreeBSD Security Advisories
Message-Id: <20000705230415.3BA5A37BCFB@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:04:15 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:26                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          popper port contains remote vulnerability

Category:       ports
Module:         popper
Announced:      2000-07-05
Credits:        Prizm
Affects:        Ports collection.
Corrected:      2000-05-25
Vendor status:  Notified
FreeBSD only:   NO

I.   Background

QPopper is a popular POP3 mail server.

II.  Problem Description

The popper port, version 2.53 and earlier, incorrectly parses string
formatting operators included in part of the email message header.  A
remote attacker can send a malicious email message to a local user which
can cause arbitrary code to be executed on the server when a POP client
retrieves the message using the UIDL command.  The code is executed as
the user who is retrieving mail: thus if root reads email via POP3 this
can lead to a root compromise.

The popper port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains over
3400 third-party applications in a ready-to-install format.  The ports
collection shipped with FreeBSD 4.0 contains this problem since it was
discovered after the release, but it was fixed in time for FreeBSD 3.5.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Remote users can cause arbitrary code to be executed as the retrieving
user when a POP client retrieves email.

If you have not chosen to install the popper port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the popper port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the popper port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/popper-2.53.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/popper-2.53.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/popper-2.53.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/popper-2.53.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/popper-2.53.tar.gz

3) download a new port skeleton for the popper port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGoqFUuHi5z0oilAQGhvAP/adBX2Q7H4quBw3rY6fPNNGJtwkxsNRem
11hCXzkEHDkX5bARzNwnWzS/BNz9PFxdw524ukOtEevR/lLfI1kyhXepA5G4gtPr
aujSw/eHi5ts7++gPhybT3abva1dLwbnaFjYaSjxFGjkMH8vk+/ZheqnIKX7fC50
kEr7c1JoaUA=
=0y6/
-----END PGP SIGNATURE-----


From owner-freebsd-security Wed Jul 5 16:07:33 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:27.XFree86-4
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories
Message-Id: <20000705230721.2E6CB37BCFB@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:07:21 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:27                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          XFree86-4.0 port contains local root overflow

Category:       ports
Module:         Xfree86-4
Announced:      2000-07-05
Credits:        Michal Zalewski
Affects:        Ports collection.
Corrected:      2000-06-09
Vendor status:  Vendor eventually released patch
FreeBSD only:   NO

I.   Background

XFree86 4.0 is a development version of the popular XFree86 X Windows
system.

II.  Problem Description

XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line arguments.  The
server binary is setuid root, in contrast to previous versions which had
a small setuid wrapper which performed (among other things) argument
sanitizing.

The XFree86-4 port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3400 third-party applications in a ready-to-install
format.  The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release, but it was fixed in
time for FreeBSD 3.5.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Unprivileged local users can obtain root access.

If you have not chosen to install the XFree86-4 port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-4 port/package, if you have installed it, or limit
the execution file permissions on the /usr/X11R6/bin/XFree86 binary so
that only members of a trusted group may run the binary.

V.   Solution

At this time, we do not recommend using XFree86 4.0 on multi-user
systems with untrusted users, because of the lack of security in the
server binary.  The current "stable" version, XFree86 3.3.6, is also
available in FreeBSD ports.

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-4 port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.tar.gz

An updated version of XFree86, version 4.0.1, has just been released,
which is believed to also fix the problems detailed in this advisory,
however the X server is still installed setuid root and so the above
warning against installation on multi-user machines still applies.  The
packages will be available at the following locations in the next few
days:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.1.tar.gz

3) download a new port skeleton for the XFree86-4 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGrplUuHi5z0oilAQFDjgP9E3l6VG7ic+F0HMDsSDGbsYrIFM3hvBDJ
hu22Vu/F18PyeOVrgZY4ljE/BvdSy4bJMJSDJsrP4jYicse7ArwvSLEJOjoIuPoK
ErUCz34UgNAWs+zszFD0V5xAuWH3Oyii4qamqDnSaurYl6oKp5tPNx2vSrA3UDxM
moK703Mpfak=
=nu3f
-----END PGP SIGNATURE-----


From owner-freebsd-security Wed Jul 5 16:08:32 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:28.majordomo
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories
Message-Id: <20000705230822.B2E6837BAD9@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:08:22 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:28                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          majordomo is not safe to run on multi-user machines

Category:       ports
Module:         majordomo
Announced:      2000-07-05
Affects:        Ports collection.
Corrected:      See below
Vendor status:  Problem documented
FreeBSD only:   NO

I.   Background

Majordomo is a popular mailing-list manager.

II.  Problem Description

Majordomo contains a number of perl scripts which are executed by a
setuid wrapper for providing mailing-list management functionality.
However there are numerous weaknesses in these scripts which allow
unprivileged users to run arbitrary commands as the majordomo user, as
well as obtaining read and write access to the mailing list data.

The majordomo port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3400 third-party applications in a ready-to-install
format.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Unprivileged local users can run commands as the 'majordomo' user,
including accessing and modifying mailing-list subscription data.

If you have not chosen to install the majordomo port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the majordomo port/package, if you have installed it, or limit
the permissions of the majordomo/ directory and/or its contents
appropriately (see below).

V.   Solution

Since the vendor has chosen not to fix the various security holes in
the default installation of majordomo, there is no simple solution.
It may be possible to adequately secure the majordomo installation
while retaining required functionality, by tightening the permissions
on the /usr/local/majordomo directory and/or its contents, but these
actions are not taken by the FreeBSD port and are beyond the scope of
this advisory.  Instead we recommend that majordomo not be used on a
system which contains untrusted users, or an alternative mailing-list
manager be used.  There are several such utilities in the FreeBSD ports
collection.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGsGFUuHi5z0oilAQFUtgP9Gwb/h0AFJB8RH9LkE3zlmaTfePGGnIgk
/SBux8RBiwPnEw4M25mZt26eV6Bd/MIdN8Gnb7q551TD8nrZu0N6//vi5w8uM5/l
itRXtnE4FfqERWOTOt25b8N0kCtqESqGMPMyA1m1x+7wFHpq1B69gsQl8MbohUr5
NlLkkEu6AQI=
=EkWc
-----END PGP SIGNATURE-----


From owner-freebsd-security Wed Jul 5 16:09:49 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:29.wu-ftpd
Reply-To: security-advisories@freebsd.org
From: FreeBSD Security Advisories Message-Id: <20000705230939.CF9F237BB66@hub.freebsd.org> Date: Wed, 5 Jul 2000 16:09:39 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:29 Security Advisory FreeBSD, Inc. Topic: wu-ftpd port contains remote root compromise Category: ports Module: wu-ftpd Announced: 2000-07-05 Credits: tf8 Affects: Ports collection. Corrected: 2000-06-24 Vendor status: Contacted FreeBSD only: NO I. Background wu-ftpd is a popular FTP server. II. Problem Description The wu-ftpd port, versions 2.6.0 and below, contains a vulnerability which allows remote anonymous FTP users to execute arbitrary code as root on the local machine, by inserting string-formatting operators into command input, which are incorrectly parsed by the FTP server. The wu-ftpd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3400 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5 and 4.0 contains this problem since it was discovered after the release. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. Impact Remote anonymous FTP users can cause arbitrary commands to be executed as root on the local machine. If you have not chosen to install the wu-ftpd port/package, then your system is not vulnerable to this problem. IV. Workaround Deinstall the wu-ftpd port/package, if you you have installed it. V. Solution One of the following: 1) Upgrade your entire ports collection and rebuild the wu-ftpd port. 
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/wu-ftpd-2.6.0.tar.gz

NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) Download a new port skeleton for the wu-ftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGstVUuHi5z0oilAQHmLgP/cbSnHp4N1J9b+260wAWEB0NxcdD3eDQ+
tIh7va3PV7rdGyiBV+JL87YR9XEo8kmsVa8GzuQJ2Pp0sMatDAA7d/wZjP2XSsXL
pjRCgGBTxuYhPX3HgkfI+MVKw4opUgmRs7DJpMTGrUxammwA3oUGtnfCCMLJyclH
nmd9Kt5xAVE=
=bkqh
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 16:12:50 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:30.openssh
Reply-To: security-advisories@freebsd.org
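The wu-ftpd advisory above (SA-00:29) and the bitchx advisory further down this page (SA-00:32) both describe "string-formatting operators" in remote input being "incorrectly parsed": the same bug class, in which text from a remote peer reaches a printf-family function as the format argument rather than as data. The C program below is an added example written for this page; it is not code from wu-ftpd, BitchX, or the FreeBSD advisories. It places the vulnerable call pattern next to its hardened form and adds a small defender-side check that counts unescaped conversion directives in a string, the kind of check an operator might run over inbound command lines or logs. All function names and the sample command lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Vulnerable pattern (constructed for this example): the untrusted string
 * is passed where the format belongs, so any "%x", "%s", ... inside it is
 * interpreted as a conversion directive that reads the caller's stack.
 * This is the defect class the advisories describe.  The function pointer
 * exists only so the example compiles without a format-security warning;
 * real code would call snprintf() directly and have exactly the same bug.
 */
static int format_untrusted_unsafe(char *out, size_t outlen, const char *untrusted)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, outlen, untrusted);
}

/* Hardened form: a constant format; untrusted text is only ever a %s argument. */
static int format_untrusted_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/*
 * Defender-side check: count printf conversion directives in a string,
 * treating "%%" as an escaped literal percent sign.  A bare '%' is unusual
 * in an FTP command line or an IRC invite, so a non-zero count is a cheap
 * signal when auditing inbound command lines or log entries.
 */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* 1 when both formatters produce identical output for this input, else 0. */
static int formatters_agree(const char *input)
{
    char a[128], b[128];
    format_untrusted_unsafe(a, sizeof a, input);
    format_untrusted_safe(b, sizeof b, input);
    return strcmp(a, b) == 0;
}

/* 1 when the hardened formatter reproduces the input byte for byte, else 0. */
static int safe_copies_literally(const char *input)
{
    char buf[128];
    format_untrusted_safe(buf, sizeof buf, input);
    return strcmp(buf, input) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a harmless FTP command line and one
     * carrying conversion directives.  Only the hardened path is ever
     * given the directive-laden string. */
    const char *benign  = "CWD /pub/FreeBSD";
    const char *hostile = "USER anonymous%x%x%x";

    printf("benign input, both formatters agree:   %d\n", formatters_agree(benign));
    printf("hostile input, safe path copies as-is: %d\n", safe_copies_literally(hostile));
    printf("directives in hostile input:           %d\n", count_format_directives(hostile));
    printf("directives in \"100%%%% done\":            %d\n", count_format_directives("100%% done"));
    return 0;
}
```

On benign input the two formatters are indistinguishable, which is why this class of bug survives testing; the difference only appears when the input carries directives, and the hardened path then reproduces them literally instead of interpreting them. The directive counter is a monitoring hook, not a fix: the fix is the constant format string.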
Message-Id: <20000705231236.8B9D237BCFB@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:12:36 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:30                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH UseLogin directive permits remote root access

Category:       core
Module:         openssh
Announced:      2000-07-05
Credits:        Markus Friedl
Affects:        FreeBSD 4.0-RELEASE, FreeBSD 4.0-STABLE and 5.0-CURRENT
                prior to the correction date
Corrected:      2000-06-11
Vendor status:  Disclosed vulnerability.
FreeBSD only:   NO

I.   Background

OpenSSH is an implementation of the SSH1 (and SSH2 in later versions) secure shell protocols for providing encrypted and authenticated network access, which is available free for unrestricted use.

II.  Problem Description

The sshd server is typically invoked as root so it can manage general user logins. OpenSSH has a configuration option, not enabled by default ("UseLogin") which specifies that user logins should be done via the /usr/bin/login command instead of handled internally. OpenSSH also has a facility to enable remote users to execute commands on the server non-interactively. In this case, the UseLogin directive fails to correctly drop root privileges before executing the command, meaning that remote users without root access can execute commands on the local system as root.

Note that with the default configuration, OpenSSH is not vulnerable to this problem, and this option is not needed for the vast majority of systems.

OpenSSH is installed if you chose to install the 'crypto' distribution at install-time or when compiling from source, and you either have the international RSA libraries or installed the RSAREF port.

III. Impact

If your sshd configuration was modified to enable the 'UseLogin' directive then remote users with SSH access to the local machine can execute arbitrary commands as root.

IV.  Workaround

Set 'UseLogin No' in your /etc/ssh/sshd_config file and restart the SSH server by issuing the following command as root:

# kill -HUP `cat /var/run/sshd.pid`

This will cause the parent process to respawn and reread its configuration file, and should not interfere with existing SSH sessions.

Note that a bug in sshd (discovered during preparation of this advisory, fixed in FreeBSD 5.0-CURRENT and 4.0-STABLE as of 2000-07-03) means that it will fail to restart correctly unless it was originally invoked with an absolute path (i.e. "/usr/sbin/sshd" instead of "sshd"). Therefore you should verify that the server is still running after you deliver the HUP signal:

# ps -p `cat /var/run/sshd.pid`
  PID  TT  STAT      TIME COMMAND
 2110  ??  Ss     0:00.97 /usr/sbin/sshd

If the server is no longer running, restart it by issuing the following command as root:

# /usr/sbin/sshd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.0-STABLE or 5.0-CURRENT after the correction date. Note that these versions of FreeBSD contain a newer version of OpenSSH than was in 4.0-RELEASE, version 2.1, which provides enhanced functionality including support for the SSH2 protocol and DSA keys.

2) Save this advisory as a file and extract the relevant patch for your version of FreeBSD, or download the relevant patch and detached PGP signature from the following location:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:30/sshd.patch.asc

Verify the detached signature using your PGP utility.
Issue the following commands as root:

# cd /usr/src/crypto/openssh
# patch -p < /path/to/patch/or/advisory
# cd /usr/src/secure/lib/libssh
# make all
# cd /usr/src/secure/usr.sbin/sshd
# make all install
# kill -HUP `cat /var/run/sshd.pid`

See the note in the "Workarounds" section about verifying that the sshd server is still running.

VI.  Patch

Index: sshd.c
===================================================================
RCS file: /home/ncvs/src/crypto/openssh/sshd.c,v
retrieving revision 1.6
diff -u -r1.6 sshd.c
--- sshd.c 2000/03/09 14:52:31 1.6
+++ sshd.c 2000/07/04 03:40:46
@@ -2564,7 +2564,13 @@ char *argv[10]; #ifdef LOGIN_CAP login_cap_t *lc; +#endif + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + +#ifdef LOGIN_CAP lc = login_getpwclass(pw); if (lc == NULL) lc = login_getclassbyname(NULL, pw);

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWPAn1UuHi5z0oilAQEt8QP+KlhsdMVqBjI6mhO/opnpIr+vFo5zxu4R
rhPwSfyXf/ufRPcJbiQFjBlHwQWaOnt2N3w6MJYI4qNySPHmqIa1Cnxv8Em0K/ke
wdFr8sXOZiqgBbu1aJRSsB+5Vc/TQFdHcY/QGwpUIUGYkDvEYcp46iDpQgiS41BW
9hRgZIgcigo=
=nEJ0
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 16:13:53 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:31.canna
Reply-To: security-advisories@freebsd.org
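Review bot: the sshd.c hunk above (SA-00:30) changes the administrator's effective configuration at run time without leaving a trace: when `options.use_login` is set and `command != NULL`, the assignment `options.use_login = 0` routes the command path around login(1) entirely, but nothing is logged, so an operator who enabled UseLogin for its side effects (accounting, login.conf handling) has no record that non-interactive commands no longer pass through it. Suggest a debug() or log() call beside the assignment stating that UseLogin is being ignored for command execution, and extending the comment `/* login(1) is only called if we execute the login shell */` with the reason, namely that the command path does not drop privileges through login(1), which is the whole point of the fix. Also worth a one-line comment: the new test is deliberately placed outside the `#ifdef LOGIN_CAP` region (the hunk closes the block with `+#endif` and reopens it with `+#ifdef LOGIN_CAP`), so it applies to builds without login classes too; without that note a later cleanup could fold it back inside the conditional and silently reintroduce the problem on those builds.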
Message-Id: <20000705231341.999CA37BAA6@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:13:41 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:31                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Canna port contains remote vulnerability

Category:       ports
Module:         Canna
Announced:      2000-07-05
Affects:        Ports collection.
Corrected:      2000-06-29
Credits:        Shadow Penguin Security
Vendor status:  Contacted
FreeBSD only:   NO

I.   Background

Canna is a Kana-Kanji conversion server.

II.  Problem Description

The Canna server contains an overflowable buffer which may be exploited by a remote user to execute arbitrary code on the local system as user 'bin'.

The Canna port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3400 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 3.5 contains this vulnerability since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote users can run arbitrary code as user 'bin' on the local system. Depending on the local system configuration, the attacker may be able to upgrade privileges further by exploiting local vulnerabilities.

If you have not chosen to install the Canna port/package, then your system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the Canna port/package, if you have installed it.

2) Consider limiting remote access to the Canna server using ipfw(8) or ipf(8).

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the Canna port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/Canna-3.2.2.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/Canna-3.2.2.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/Canna-3.2.2.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/Canna-3.2.2.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/japanese/Canna-3.2.2.tar.gz

Note: it may be several days before updated packages are available.

3) Download a new port skeleton for the Canna port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGuplUuHi5z0oilAQGcMQP/fYz0XD3LOIgI+ruamllnS7/OIlX0HNUj
TewcALZQ+bb8MDKFfpxGRcj3kISskPVmrNmBl79TmL+sWej4wf6DlkuuzOmF/B1P
lEoDP6W2NxRPGV5XHCP5x8iVMDi05KNObilCwre2wEYu0y0votn8u8VNO3QO7wUC
D1tZJJSMr68=
=i/6q
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 16:14:52 2000
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:32.bitchx
Reply-To: security-advisories@freebsd.org
Message-Id: <20000705231442.2469737BCB2@hub.freebsd.org>
Date: Wed, 5 Jul 2000 16:14:42 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:32                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          bitchx port contains client-side vulnerability

Category:       ports
Module:         bitchx
Announced:      2000-07-05
Affects:        Ports collection.
Corrected:      2000-07-03
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

BitchX is a popular IRC client.

II.  Problem Description

The bitchx client incorrectly parses string-formatting operators included as part of channel invitation messages sent by remote IRC users. This can cause the local client to crash, and may possibly present the ability to execute arbitrary code as the local user.

The bitchx port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3400 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 4.0 and 3.5 contain this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Remote IRC users can cause the local client to crash, and possibly execute code as the local user.

If you have not chosen to install the bitchx port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Issue the following bitchx command (e.g. as part of a startup script):

/ignore * invites

which will disable processing of channel invitation messages.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the bitchx port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/irc/bitchx-1.0c16.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/irc/bitchx-1.0c16.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/irc/bitchx-1.0c16.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/bitchx-1.0c16.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/irc/bitchx-1.0c16.tar.gz

NOTE: It may be several days before updated packages are available. Be sure to check the file creation date on the package, because the version number of the software has not changed.

3) Download a new port skeleton for the bitchx port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGvPlUuHi5z0oilAQGEQAP+MbpDIPmejoZUcpVCpIBFP+2LwmR/ouwu
LMuDVgY5l3kaWNIypTNAbMVPDZFx1l3+LEUJfurBLydpH8PnB17C7tE+uPXpNDzA
ph3jjHXazN8DvvdYCD6EcEXccgGIWREz+OUPsH4VZtqC0g84Lt7tpZwBFZ+Fh2Py
gjxO4c2fPE8=
=B4nR
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 16:24:44 2000
Date: Wed, 5 Jul 2000 16:24:40 -0700 (PDT)
From: Kris Kennaway
To: Susie Ward
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <4.3.1.2.20000705165602.00da1ee0@mail.voltage.net>

On Wed, 5 Jul 2000, Susie Ward wrote:

> At 05:09 PM 7/5/00 -0400, Bill Fumerola wrote:
> >Yes, and the original poster demonstrated even further stupidity
> >by adding a proprietary product (SecureBSD 1.0) into the mix and
> >then expect that we support it.
>
> Speaking of SecureBSD, does anyone have any opinions on the usefulness of
> SecureBSD? I've thought about testing it out, but I don't have any servers
> at the moment to be playing with so I've been putting it off.

A lot of the features it provides aren't likely to be that useful in the real world (limiting the ability to perform common syscalls to members of a particular group, etc). The ability to only execute binaries with a signature preloaded into the kernel, or to only execute binaries owned by root may be of some use given enough work to tighten your system down, but on the other hand you'd better not have any scripting languages installed on your system (/bin/sh, anyone?) ;-)

I haven't looked at it beyond reading the (minimal) supplied documentation because I'm scared of the license terms and what the securebsd people might do to me if they catch up with me after I've read the code, but as an end user by all means take a look and see if you think it's useful for you.

My opinion so far is that it probably doesn't do enough to present more than an annoyance to a determined intruder unless you really spend a lot of time to tighten down your system (and severely limit its functionality).

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Jul 5 19:16:27 2000
To: freebsd-security@FreeBSD.ORG
Subject: Where can I find FreeBSD-SA-00:25
Message-Id: <20000706111605A.ishizuka@onion.ish.org>
Date: Thu, 06 Jul 2000 11:16:05 +0900
From: Masachika ISHIZUKA

Hi, this is ishizuka@ish.org.

I received FreeBSD-SA-00:24 and FreeBSD-SA-00:26 through FreeBSD-SA-00:32 via freebsd-security ML today. But FreeBSD-SA-00:25 is missing. Where can I find FreeBSD-SA-00:25? And is anyone going to update http://www.freebsd.org/security/ so that they can be found there?

--
ishizuka@ish.org

From owner-freebsd-security Wed Jul 5 20:42:53 2000
Date: Wed, 5 Jul 2000 20:42:50 -0700 (PDT)
From: Kris Kennaway
To: Masachika ISHIZUKA
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Where can I find FreeBSD-SA-00:25
In-Reply-To: <20000706111605A.ishizuka@onion.ish.org>

On Thu, 6 Jul 2000, Masachika ISHIZUKA wrote:

> Hi, this is ishizuka@ish.org.
> I received FreeBSD-SA-00:24 and FreeBSD-SA-00:26 through
> FreeBSD-SA-00:32 via freebsd-security ML today. But FreeBSD-SA-00:25
> is missing. Where can I find FreeBSD-SA-00:25?
> And is anyone going to update http://www.freebsd.org/security/ so
> that they can be found there?

It was released a week or two ago (out of order, because others were in the queue but this one was ready sooner). I'll update the webpage now - thanks for reminding me.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Jul 5 21:27:58 2000
Date: Thu, 6 Jul 2000 00:27:48 -0400 (EDT)
From: Matt Heckaman
To: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
In-Reply-To: <20000705230239.8E2CF37B8B6@hub.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 5 Jul 2000, FreeBSD Security Advisories wrote:

...
: Apply the patch and rebuild as follows:
:
: # cd /usr/src/lib/libedit
: # patch -p < /path/to/patch/or/advisory
:
: and rebuild your system as described in
:
: http://www.freebsd.org/handbook/makeworld.html
...

Given the nature of this patch, and the ease of rebuilding the library without making world, is it really needed to do a complete make world?

* Matt Heckaman - mailto:matt@lucida.qc.ca   http://www.lucida.qc.ca/   *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA  BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5ZArFdMMtMcA1U5ARAr3mAJ9keij+D5oigSnIqNSTqxUqPgg7yQCfeaOp
UBnbJ71igkTw1FYWDQJ3MfI=
=0b15
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 21:29:01 2000
Date: Thu, 6 Jul 2000 00:28:52 -0400 (EDT)
From: Matt Heckaman
To: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 6 Jul 2000, Matt Heckaman wrote:

...
: Given the nature of this patch, and the ease of rebuilding the library
: without making world, is it really needed to do a complete make world?

Assuming I manually recompiled the binaries that were statically linked :)

* Matt Heckaman - mailto:matt@lucida.qc.ca   http://www.lucida.qc.ca/   *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA  BFCF 74C3 2D31 C035 5390 *

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: http://www.lucida.qc.ca/pgp

iD8DBQE5ZAsHdMMtMcA1U5ARAuSIAKDbEVKn+wXQZiav8G1Y0vB2H/QJ1wCg7AIp
2SDPLrcKMDn2yVS0cJKehu0=
=WSci
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jul 5 21:34:00 2000
From: Masachika ISHIZUKA
To: kris@FreeBSD.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Where can I find FreeBSD-SA-00:25
References: <20000706111605A.ishizuka@onion.ish.org>
Message-Id: <20000706133355S.ishizuka@onion.ish.org>
Date: Thu, 06 Jul 2000 13:33:55 +0900

>> I received FreeBSD-SA-00:24 and FreeBSD-SA-00:26 through
>> FreeBSD-SA-00:32 via freebsd-security ML today. But FreeBSD-SA-00:25
>> is missing. Where can I find FreeBSD-SA-00:25?
>> And is anyone going to update http://www.freebsd.org/security/ so
>> that they can be found there?
>
> It was released a week or two ago (out of order, because others were
> in the queue but this one was ready sooner).

Hello, Kris-san. Thank you for your mail. I found FreeBSD-SA-00:25 in my mailbox, received on Jun 12, and it is for the FreeBSD/Alpha platform.

> I'll update the webpage now - thanks for reminding me.

Thank you very much.

--
ishizuka@ish.org

From owner-freebsd-security Wed Jul 5 21:50:35 2000
Date: Wed, 5 Jul 2000 21:48:48 -0700
From: "Crist J. Clark"
To: Kris Kennaway
Cc: Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
Message-ID: <20000705214847.B631@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
References: <4.3.1.2.20000705165602.00da1ee0@mail.voltage.net>

On Wed, Jul 05, 2000 at 04:24:40PM -0700, Kris Kennaway wrote:
> On Wed, 5 Jul 2000, Susie Ward wrote:

> > Speaking of SecureBSD, does anyone have any opinions on the usefulness of
> > SecureBSD? I've thought about testing it out, but I don't have any servers
> > at the moment to be playing with so I've been putting it off.

[snip]

> I haven't looked at it beyond reading the (minimal) supplied documentation
> because I'm scared of the license terms and what the securebsd people
> might do to me if they catch up with me after I've read the code, but as
> an end user by all means take a look and see if you think it's useful for
> you.

I don't see why you can't read the code. To my knowledge, none of the methods or algorithms have been patented by the SecureBSD people. Nothing to stop one from writing their own implementation of the same processes. Or have they gone for some patents?

--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Wed Jul 5 21:53:08 2000
Date: Wed, 5 Jul 2000 21:53:05 -0700 (PDT)
From: Kris Kennaway
To: cjclark@alum.mit.edu
Cc: Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <20000705214847.B631@dialin-client.earthlink.net>

On Wed, 5 Jul 2000, Crist J. Clark wrote:

> I don't see why you can't read the code. To my knowledge, none of the
> methods or algorithms have been patented by the SecureBSD
> people. Nothing to stop one from writing their own implementation of
> the same processes. Or have they gone for some patents?

If I read the code, and then inadvertently use some concepts in my own code they can try and claim it as a derived work and do nasty things to me.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Wed Jul 5 21:56:36 2000
Message-Id: <4.2.2.20000706005032.067461c8@mail.sentex.net>
Date: Thu, 06 Jul 2000 00:51:51 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
In-Reply-To: <20000705230239.8E2CF37B8B6@hub.freebsd.org>

Are the patches mirrored anywhere? ftp.freebsd.org seems to be down... for ftp anyways.

---Mike

># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
># fetch
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Network Administration,                           mike@sentex.net
Sentex Communications                             www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-security Wed Jul 5 21:59:26 2000
Date: Thu, 6 Jul 2000 00:59:12 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200007060459.AAA31435@khavrinen.lcs.mit.edu>
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
In-Reply-To: <4.2.2.20000706005032.067461c8@mail.sentex.net>
References: <20000705230239.8E2CF37B8B6@hub.freebsd.org> <4.2.2.20000706005032.067461c8@mail.sentex.net>

< said:

> Are the patches mirrored anywhere? ftp.freebsd.org seems to be down... for
> ftp anyways.

Everything that's on ftp.freebsd.org should be on ftp5.freebsd.org. (As in, if you find something that's missing, please tell me.)

-GAWollman

From owner-freebsd-security Wed Jul 5 22:02:51 2000
From: Darren Reed
Message-Id: <200007060502.PAA03242@caligula.anu.edu.au>
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
To: kris@FreeBSD.ORG (Kris Kennaway)
Date: Thu, 6 Jul 2000 15:02:37 +1000 (Australia/ACT)
Cc: cjclark@alum.mit.edu, sward@voltage.net (Susie Ward), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Kris Kennaway" at Jul 05, 2000 09:53:05 PM

In some mail from Kris Kennaway, sie said:
>
> On Wed, 5 Jul 2000, Crist J. Clark wrote:
>
> > I don't see why you can't read the code. To my knowledge, none of the
> > methods or algorithms have been patented by the SecureBSD
> > people. Nothing to stop one from writing their own implementation of
> > the same processes. Or have they gone for some patents?
>
> If I read the code, and then inadvertently use some concepts in my own
> code they can try and claim it as a derived work and do nasty things to
> me.

There is a person working on an independent implementation for NetBSD of the "trusted binary" `problem'. AFAIK it has nothing to do with SecureBSD (unless they're using his code).

Darren

Date: Wed, 5 Jul 2000 23:01:11 -0700
From: "Crist J. Clark"
To: Kris Kennaway
Cc: cjclark@alum.mit.edu, Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
Message-ID: <20000705230111.D795@dialin-client.earthlink.net>
In-Reply-To: from kris@FreeBSD.ORG on Wed, Jul 05, 2000 at 09:53:05PM -0700

On Wed, Jul 05, 2000 at 09:53:05PM -0700, Kris Kennaway wrote:
> On Wed, 5 Jul 2000, Crist J. Clark wrote:
>
> > I don't see why you can't read the code. To my knowledge, none of the
> > methods or algorithms have been patented by the SecureBSD
> > people. Nothing to stop one from writing their own implementation of
> > the same processes. Or have they gone for some patents?
>
> If I read the code, and then inadvertently use some concepts in my own
> code they can try and claim it as a derived work and do nasty things to
> me.

You can't copyright a concept. So I ask, did they get some patents? I did not see specific mention in the license of any new patents.

--
Crist J. Clark                           cjclark@alum.mit.edu

Date: Thu, 6 Jul 2000 02:53:49 -0400 (EDT)
From: Mike Nowlin
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <20000705230111.D795@dialin-client.earthlink.net>

> > If I read the code, and then inadvertently use some concepts in my own
> > code they can try and claim it as a derived work and do nasty things to
> > me.
>
> You can't copyright a concept. So I ask, did they get some patents? I
> did not see specific mention in the license of any new patents.

Gotta love the GPL... Take this section, for example:

   2.b) You must cause any work that you distribute or publish, that in
   whole or in part contains or is derived from the Program or any part
   thereof, to be licensed as a whole at no charge to all third parties
   under the terms of this License.

With the previous sections in the license, it is saying that chunks of code from a GPL'd program, even if they're thrown in a blender and liquified first and then put into a non-GPL program, require that the resulting work has to be GPL'd...

Of course, what happens when I look at a GPL program, then a couple hours later, I put the following line into a program I release non-GPL:

   printf("%d %s\n", errno, strerror(errno));

??????? Oops - that line was in the GPL program - I'm breaking the license terms of gnu-quake53 with my latest network monitoring program...

This whole idea needs to be considered on a per-case basis. Sure, they (the FSF) can claim "derived works", but at the same time, you can come back and say "How can the FSF claim copyleft on code written from the RFC's?" (or whatever...) As far as I'm concerned, the GPL is a good concept (pun intended), but people get WAY too anal about the implementation of it at times.

I love my Linux box, but I still do a lot of "sorry, no source code available" programming for clients on my other machines.....

--mike

Date: Thu, 6 Jul 2000 03:12:49 -0700 (PDT)
From: Kris Kennaway
To: Matt Heckaman
Cc: FreeBSD-SECURITY
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit

On Thu, 6 Jul 2000, Matt Heckaman wrote:

> On Thu, 6 Jul 2000, Matt Heckaman wrote:
> ...
> : Given the nature of this patch, and the ease of rebuilding the library
> : without making world, is it really needed to do a complete make world?
>
> Assuming I manually recompiled the binaries that were statically linked :)

That would be fine.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Date: Thu, 6 Jul 2000 03:13:42 -0700 (PDT)
From: Kris Kennaway
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
In-Reply-To: <4.2.2.20000706005032.067461c8@mail.sentex.net>

On Thu, 6 Jul 2000, Mike Tancsa wrote:

> Are the patches mirrored anywhere? ftp.freebsd.org seems to be down... for
> ftp anyways.

Just use the patch in the advisory: patch(1) is smart enough to extract it automatically, no need to trim off the extra text by hand.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

Message-ID: <20000706112624.69972.qmail@bsdmail.com>
From: openzero@bsdmail.com
To: freebsd-security@freebsd.org
Date: Thu, 06 Jul 2000 12:26:24 +0100
Subject: Re: Firewalls and the endless story!

> On Wed, Jul 05, 2000 at 03:57:22PM -0500, Chris Dillon wrote:
>
> > Yes, and the original poster demonstrated even further stupidity
> > by adding a proprietary product (SecureBSD 1.0) into the mix and
> > then expect that we support it.
>
> "Works for me."
>

Yeah! Thanks for the wonderful word "stupidity", but hey! I think, after using FreeBSD-2.2.8, FreeBSD-3.4, FreeBSD-4.0, that FreeBSD-2.2.8-STABLE is the best for MYSELF! What you do is not my business! You are an architect! Are these the only words you can use? I know that SecureBSD isn't supported by FreeBSD.org, coz it's not a product of FreeBSD.org and it's only a preview!

(German in the original: As an architect I would have expected a more elevated way of expressing yourself, and not kindergarten reasoning like "that's dumb!" To make it unmistakably clear: I am under great time pressure, and so far nobody has been able to give me a really good tip! That puts me under strain, which of course makes such language all the more aggravating!)

...

Regards,
Daniel Ridder

Date: Thu, 6 Jul 2000 07:54:58 -0400 (EDT)
From: Robert Watson
To: cjclark@alum.mit.edu
Cc: Kris Kennaway, Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <20000705230111.D795@dialin-client.earthlink.net>

On Wed, 5 Jul 2000, Crist J. Clark wrote:

> You can't copyright a concept. So I ask, did they get some patents? I
> did not see specific mention in the license of any new patents.

   2.3 Ownership. Except for the FreeBSD software, versions 3.4 and 4.0,
   included in the Program, if any, 2 Cactus will retain all rights, title
   and interest in and to the patent, copyright, trademark, trade secret
   and any other intellectual property rights in the Program and any
   derivative works thereof, subject only to the limited licenses set forth
   in this Agreement. Customer does not acquire any rights, express or
   implied, in the Program other than those rights expressly granted under
   this Agreement.

Due to the vagaries of patent law in the US, the authors of SecureBSD may publish their patentable ideas, and file for patents within one year of the publication date. This was the case, for example, with the RSA patent, and usually does not hold for international patents. That said, a patent in the USA has in the past proven sufficient to restrict the distribution of software implementing the patented invention. This license specifically allows for that eventuality, claiming ownership of any intellectual property (copyrights, patents, ...) currently or in the future covering the body of work. Personally, I do not want to risk the TrustedBSD work by agreeing to a license such as this.

You are welcome to agree to the license, and I am not in any way criticizing the usefulness of the SecureBSD work: it sounds like a number of the features described to me (syscall masking, improved logging, immutable processes of some sort) are very useful, and in fact will be covered by the TrustedBSD project in some form or another (least privilege, auditing, integrity protection). The license merely leaves me in a position where I'm unwilling to inspect the software, or recommend it since I cannot inspect it. It also leaves me in a position where I cannot feel qualified to answer questions about it or derived works in standard BSD forums, including freebsd-security. :-)

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

Message-ID: <39648214.A63C423B@polytechnic.edu.na>
Date: Thu, 06 Jul 2000 13:56:52 +0100
From: Tim Priebe
To: Robert Watson
Cc: cjclark@alum.mit.edu, Kris Kennaway, Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)

If they get a patent, you are in the same boat whether you looked at the code or not. As I understand it, to be in violation of a patent you do not even have to know anything about the holder of the patent, their products (if any) or that they ever had such an idea. This is not to suggest you should look at their product. It seems to me that many of these ideas were discussed on this list.

Tim.

Robert Watson wrote:
>
> On Wed, 5 Jul 2000, Crist J. Clark wrote:
>
> > You can't copyright a concept. So I ask, did they get some patents? I
> > did not see specific mention in the license of any new patents.
>
>    2.3 Ownership. Except for the FreeBSD software, versions 3.4 and 4.0,
>    included in the Program, if any, 2 Cactus will retain all rights, title
>    and interest in and to the patent, copyright, trademark, trade secret
>    and any other intellectual property rights in the Program and any
>    derivative works thereof, subject only to the limited licenses set forth
>    in this Agreement. Customer does not acquire any rights, express or
>    implied, in the Program other than those rights expressly granted under
>    this Agreement.
>
> Due to the vagaries of patent law in the US, the authors of SecureBSD
> may publish their patentable ideas, and file for patents within one year
> of the publication date. This was the case, for example, with the RSA
> patent, and usually does not hold for international patents. That said, a
> patent in the USA has in the past proven sufficient to restrict the
> distribution of software implementing the patented invention. This
> license specifically allows for that eventuality, claiming ownership of
> any intellectual property (copyrights, patents, ...) currently or in the
> future covering the body of work. Personally, I do not want to risk the
> TrustedBSD work by agreeing to a license such as this.
>
> You are welcome to agree to the license, and I am not in any way
> criticizing the usefulness of the SecureBSD work: it sounds like a number
> of the features described to me (syscall masking, improved logging,
> immutable processes of some sort) are very useful, and in fact will be
> covered by the TrustedBSD project in some form or another (least
> privilege, auditing, integrity protection). The license merely leaves me
> in a position where I'm unwilling to inspect the software, or recommend it
> since I cannot inspect it. It also leaves me in a position where I cannot
> feel qualified to answer questions about it or derived works in standard
> BSD forums, including freebsd-security. :-)
>
> Robert N M Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

Date: Thu, 6 Jul 2000 11:32:31 -0400 (EDT)
From: Matt Heckaman
To: FreeBSD-SECURITY
Subject: libfind.sh

Hi,

The libfind.sh script on:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh

Is broken. This is due to a bunch of ^M's - it needs a run through dos2unix I would think :)

* Matt Heckaman - mailto:matt@lucida.qc.ca  http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA  BFCF 74C3 2D31 C035 5390 *
From: Andrew Kenneth Milton
Message-Id: <200007061541.BAA26696@mail.theinternet.com.au>
Subject: Re: libfind.sh
In-Reply-To: from Matt Heckaman at "Jul 6, 2000 11:32:31 am"
To: Matt Heckaman
Date: Fri, 7 Jul 2000 01:41:47 +1000 (EST)
Cc: FreeBSD-SECURITY

+----[ Matt Heckaman ]---------------------------------------------
|
| Hi,
|
| The libfind.sh script on:
| ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
|
| Is broken. This is due to a bunch of ^M's - it needs a run through
| dos2unix I would think :)

Or ftp it in ASCII mode...

--
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066  |  Andrew Milton
The Internet (Aust) Pty Ltd          |  F:+61 7 3870 4477  |
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411  |   Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

Date: Thu, 6 Jul 2000 20:04:38 +0400 (MSD)
From: "Andrey V. Sokolov"
To: freebsd-security@FreeBSD.ORG
Subject: How to run ipmon as daemon?

Hello!

How do I run ipmon as a daemon in FreeBSD-4.0? "This tool can either be run in the foreground, or as a daemon which logs to syslog or a file." is written in the ip-howto, but "how" is not written! Nothing is written about a daemon mode in the ipmon man page!

Thanks!
Andrey.

Date: Thu, 6 Jul 2000 19:11:19 +0200
From: Dominik Rothert
To: "Andrey V. Sokolov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How to run ipmon as daemon?
Message-ID: <20000706191119.A1760@astra>

> How to run ipmon as daemon in FreeBSD-4.0?

Start ipmon like

    /sbin/ipmon -sn &

from /etc/rc.local.

Regards,
Dominik.

--
/* Dominik Rothert (DR2917-RIPE)    | Dr. LANG Astorit           *
 * E-Mail: dr@domix.de              | E-Mail: dr@astorit.de      *
 * WWW: http://www.domix.de         | WWW: http://www.astorit.de */

Date: Thu, 6 Jul 2000 13:42:23 -0400 (EDT)
From: Robert Watson
To: tim@iafrica.com.na
Cc: cjclark@alum.mit.edu, Kris Kennaway, Susie Ward, freebsd-security@FreeBSD.ORG
Subject: Re: SecureBSD (Was: Re: Firewalls and the endless story!)
In-Reply-To: <39648214.A63C423B@polytechnic.edu.na>

On Thu, 6 Jul 2000, Tim Priebe wrote:

> If they get a patent, you are in the same boat if you looked at the code
> or not. As I understand to be in violation of patents, you do not even
> have to know anything about the holder of a patent, their products (if
> any) or that they ever had such an idea.
> This is not to suggest you should look at their product. It seems to me
> that many of these ideas were discused on this list.

Yes -- I was unclear in my email. I attempted to address two points, and mixed them up. First, whether or not any patents were associated with the SecureBSD work, and second, whether or not looking at the SecureBSD source code would influence our ability to develop security-related code.

My answer to the first was: they may or may not hold or be applying for patents, but just because they haven't announced any doesn't mean they can't. With regards to the second -- depending on the definitions applied, inspecting SecureBSD source code and subsequently developing related code on FreeBSD sounds like a potential problem -- one that I'd like to avoid :-).

If someone would like to agree to the license and post a detailed description (subject to restrictions in the license, if any) of the feature set, that would no doubt be appreciated. The only documentation available to those who have not agreed to the license is the mention of a kernel-based tripwire-like mechanism, which is clearly not the total sum of features in SecureBSD.

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

Message-Id: <4.3.2.7.2.20000706113724.04789470@localhost>
Date: Thu, 06 Jul 2000 11:49:06 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: ftpd and setproctitle()
In-Reply-To: <200007060905.e6695iF29634@cvs.openbsd.org>

At 03:05 AM 7/6/2000, Theo de Raadt wrote [on Bugtraq]:

>Well, while everyone is talking about setproctitle affecting wuftpd,
>I should probably note that it even affects the OpenBSD ftpd. In fact,
>looking around, it looks like it might affect everyone's ftpd.
>
>Our patch is at
>
> http://www.openbsd.org/errata.html#ftpd
>
>We're currently going through our tree looking for *printf(), err*(),
>warn*(), syslog(), setproctitle(), and even curses *print*() functions
>that might have issues like this. We did this before for the *printf
>family, perhaps 3 years ago, but even now we are discovering a few that
>we have missed.
>
>It's scary, and quite a bit of work to check every such call. They
>happen a lot..

FreeBSD-current's ftpd already seems to have the correct arguments for setproctitle. But do earlier versions require patching? (Alas, the sources for earlier versions do not appear to be on any of Walnut Creek's servers, so I can't tell.) Could folks who have sources for 2.2.8, 3.4, 3.5, and 4.0 handy check this? (I usually do not install full sources, and so am missing some of these.)

Since the 2.x and 3.x sources are now offline, and most users do not install full source, it may be difficult to close the hole on many users' systems if it exists in older versions of FreeBSD.

--Brett
From: Fernando Schapachnik
Message-Id: <200007061806.PAA15093@ns1.via-net-works.net.ar>
Subject: Re: ftpd and setproctitle()
In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost> from Brett Glass at "Jul 6, 0 11:49:06 am"
To: brett@lariat.org (Brett Glass)
Date: Thu, 6 Jul 2000 15:06:10 -0300 (GMT)
Cc: security@FreeBSD.ORG

In an earlier message, Brett Glass wrote:
> FreeBSD-current's ftpd already seems to have the correct arguments for
> setproctitle. But do earlier versions require patching? (Alas, the
> sources for earlier versions do not appear to be on any of Walnut
> Creek's servers, so I can't tell.) Could folks who have sources for
> 2.2.8, 3.4, 3.5, and 4.0 handy check this? (I usually do not
> install full sources, and so am missing some of these.)

3.5-RELEASE:

% grep -n proctitle *
extern.h:61:void setproctitle __P((const char *, ...));
ftpcmd.y:88:extern char proctitle[];
ftpcmd.y:964: setproctitle("%s: %s", proctitle, cbuf);
ftpd.c:204:char proctitle[LINE_MAX]; /* initial part of title */
ftpd.c:280: * Save start and extent of argv for setproctitle.
ftpd.c:1090: snprintf(proctitle, sizeof(proctitle),
ftpd.c:1092: sizeof(proctitle) - sizeof(remotehost) -
ftpd.c:1096: snprintf(proctitle, sizeof(proctitle),
ftpd.c:1098: sizeof(proctitle) - sizeof(remotehost) -
ftpd.c:1100: setproctitle("%s", proctitle);
ftpd.c:1113: snprintf(proctitle, sizeof(proctitle),
ftpd.c:1115: setproctitle("%s", proctitle);
ftpd.c:1906: snprintf(proctitle, sizeof(proctitle), "%s: connected (to %s)",
ftpd.c:1910: snprintf(proctitle, sizeof(proctitle), "%s: connected",
ftpd.c:1912: setproctitle("%s", proctitle);
ftpd.c:2247:setproctitle(const char *fmt, ...)
ftpd.c:2249:setproctitle(fmt, va_alist)

Seems safe from this bug.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

Date: Thu, 6 Jul 2000 14:23:20 -0400 (EDT)
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 6 Jul 2000, Brett Glass wrote: ... : Since the 2.x and 3.x sources are now offline, and most users do not : install full source, it may be difficult to close the hole on many : users' systems if it exists in older versions of FreeBSD. - From 3.4-stable as of Feb 14 2000: matt[alpha]:/usr/src/libexec/ftpd> grep setproctitle ftpd.c * Save start and extent of argv for setproctitle. setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle(const char *fmt, ...) setproctitle(fmt, va_alist) : --Brett * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5ZM6ZdMMtMcA1U5ARAnzVAJ99cwUKz9RETchPZuwHoNSyo0gBOACfVnmF tE4KosDOZGprTGWPhgpNCnk= =Sbo1 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 11:53:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id AD98D37B86B for ; Thu, 6 Jul 2000 11:53:39 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Thu, 6 Jul 2000 12:53:38 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma019859; Thu, 6 Jul 00 12:53:32 -0600 Received: 
(hart@localhost) by anchovy.orem.iserver.com (8.9.3) id MAA29641; Thu, 6 Jul 2000 12:53:32 -0600 (MDT) Date: Thu, 6 Jul 2000 12:53:32 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 6 Jul 2000, Brett Glass wrote: > Since the 2.x and 3.x sources are now offline, and most users do not > install full source, it may be difficult to close the hole on many > users' systems if it exists in older versions of FreeBSD. Why not try browsing the CVS repository on the FreeBSD web site? The specific hole (which appears to have been in both NetBSD and OpenBSD up until just a day or two ago) is due to using: setproctitle(title); instead of: setproctitle("%s", title); The FreeBSD usage of setproctitle() in ftpd seems to have been fixed quite some time ago (in 1995), between versions 1.13 and 1.14 of ftpd.c: http://www.FreeBSD.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 I'd say FreeBSD has been safe since 1995. :-) Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12: 1: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 32C6937BBF8 for ; Thu, 6 Jul 2000 12:00:55 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id QAA14814; Thu, 6 Jul 2000 16:00:08 -0300 (GMT) 
From: Fernando Schapachnik Message-Id: <200007061900.QAA14814@ns1.via-net-works.net.ar> Subject: Re: ftpd and setproctitle() In-Reply-To: from Paul Hart at "Jul 6, 0 12:53:32 pm" To: hart@iserver.com (Paul Hart) Date: Thu, 6 Jul 2000 16:00:08 -0300 (GMT) Cc: brett@lariat.org, freebsd-security@FreeBSD.ORG Reply-To: Fernando Schapachnik X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org En un mensaje anterior, Paul Hart escribió: > The FreeBSD usage of setproctitle() in ftpd seems to have been fixed quite > some time ago (in 1995), between versions 1.13 and 1.14 of ftpd.c: > > http://www.FreeBSD.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 > > I'd say FreeBSD has been safe since 1995. :-) Wouldn't be nice to see this as an official statement on bugtraq? :) Regards. Fernando P. Schapachnik Administración de la red VIA NET.WORKS ARGENTINA S.A. fernando@via-net-works.net.ar (54-11) 4323-3333 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12:16:38 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id 938F037B872 for ; Thu, 6 Jul 2000 12:16:34 -0700 (PDT) (envelope-from matt@ARPA.MAIL.NET) Received: (qmail 29020 invoked by uid 1000); 6 Jul 2000 19:16:33 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 6 Jul 2000 19:16:33 -0000 Date: Thu, 6 Jul 2000 15:16:30 -0400 (EDT) 
From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Fernando Schapachnik Cc: Paul Hart , FreeBSD-SECURITY Subject: Re: ftpd and setproctitle() In-Reply-To: <200007061900.QAA14814@ns1.via-net-works.net.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 6 Jul 2000, Fernando Schapachnik wrote: =2E.. : Wouldn't be nice to see this as an official statement on bugtraq? :) It would be -very- nice, opportunities are everywhere :) : Regards. :=20 :=20 :=20 : Fernando P. Schapachnik : Administraci=F3n de la red : VIA NET.WORKS ARGENTINA S.A. : fernando@via-net-works.net.ar : (54-11) 4323-3333 * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE5ZNsQdMMtMcA1U5ARAiZ1AJ0TcoxbnhkFevEgnJAlZJSE84bP5gCdHnie 8ovWxTwgio6fX1JoHBkSa9o=3D =3D04Kf -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12:28:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id D47C837B576 for ; Thu, 6 Jul 2000 12:28:51 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA27659; Thu, 6 Jul 2000 13:28:44 -0600 (MDT) Message-Id: <4.3.2.7.2.20000706132133.04a94ad0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 06 Jul 2000 13:28:33 -0600 To: Matt Heckaman 
From: Brett Glass Subject: Re: ftpd and setproctitle() Cc: security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000706113724.04789470@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thank you! I've checked 3.1, and it's OK too. Theo just wrote to say that he thinks the bug originated in BSD 4.4-Lite. (And, I guess, has been around since that time due to the wonderful error-encouraging nature of the C language -- Sigh.) I'm hoping that the bug was nailed prior to 2.2.8, which a number of sites with an "if it ain't broke, don't fix it" policy are still running. Anyone have a 2.2.8 CD handy? Mine's long gone. --Brett At 12:23 PM 7/6/2000, Matt Heckaman wrote: >matt[alpha]:/usr/src/libexec/ftpd> grep setproctitle ftpd.c > * Save start and extent of argv for setproctitle. > setproctitle("%s", proctitle); > setproctitle("%s", proctitle); > setproctitle("%s", proctitle); >setproctitle(const char *fmt, ...) 
>setproctitle(fmt, va_alist) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12:36:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 7F5E437B91F for ; Thu, 6 Jul 2000 12:36:36 -0700 (PDT) (envelope-from mike@sentex.net) Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id PAA43416; Thu, 6 Jul 2000 15:36:18 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id PAA22435; Thu, 6 Jul 2000 15:36:18 -0400 (EDT) Message-Id: <4.3.2.7.0.20000706152923.02a77ed0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 06 Jul 2000 15:32:25 -0400 To: Brett Glass 
From: Mike Tancsa Subject: Re: ftpd and setproctitle() Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20000706132133.04a94ad0@localhost> References: <4.3.2.7.2.20000706113724.04789470@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:28 PM 7/6/00 -0600, Brett Glass wrote: >Thank you! I've checked 3.1, and it's OK too. Theo just wrote >to say that he thinks the bug originated in BSD 4.4-Lite. (And, >I guess, has been around since that time due to the wonderful >error-encouraging nature of the C language -- Sigh.) > >I'm hoping that the bug was nailed prior to 2.2.8, which a number >of sites with an "if it ain't broke, don't fix it" policy are still >running. From a couple of internal machines, FreeBSD 2.2.8-STABLE #0: Thu Aug 5 11:47:38 EDT 1999 * Save start and extent of argv for setproctitle. setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle(const char *fmt, ...) setproctitle(fmt, va_alist) 2.2.7-STABLE #0: Mon Aug 10 09:53:43 EDT 1998 * Save start and extent of argv for setproctitle. setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle("%s", proctitle); setproctitle(const char *fmt, ...) 
setproctitle(fmt, va_alist) ------------------------------------------------------------------------ Mike Tancsa, tel +1 519 651 3400 Sentex Communications mike@sentex.net Cambridge, Ontario Canada www.sentex.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12:42:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from pawn.primelocation.net (pawn.primelocation.net [205.161.238.235]) by hub.freebsd.org (Postfix) with ESMTP id 9A50A37B8EA for ; Thu, 6 Jul 2000 12:42:46 -0700 (PDT) (envelope-from cdf.lists@fxp.org) Received: by pawn.primelocation.net (Postfix, from userid 1016) id 1D23C9B1C; Thu, 6 Jul 2000 15:42:41 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by pawn.primelocation.net (Postfix) with ESMTP id 10684BA11; Thu, 6 Jul 2000 15:42:41 -0400 (EDT) Date: Thu, 6 Jul 2000 15:42:40 -0400 (EDT) 
From: "Chris D. Faulhaber" X-Sender: cdf.lists@pawn.primelocation.net To: Brett Glass Cc: Matt Heckaman , security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() In-Reply-To: <4.3.2.7.2.20000706132133.04a94ad0@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 6 Jul 2000, Brett Glass wrote: > Thank you! I've checked 3.1, and it's OK too. Theo just wrote > to say that he thinks the bug originated in BSD 4.4-Lite. (And, > I guess, has been around since that time due to the wonderful > error-encouraging nature of the C language -- Sigh.) > > I'm hoping that the bug was nailed prior to 2.2.8, which a number > of sites with an "if it ain't broke, don't fix it" policy are still > running. > > Anyone have a 2.2.8 CD handy? Mine's long gone. > If you have a webbrowser, please see: http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 revision 1.14 date: 1996/01/01 08:35:11; author: peter; state: Exp; lines: +11 -8 Make ftpd use setproctitle() from libutil I've left the old code in there under #ifdef OLD_SETPROCTITLE in case somebody wants to try to compile out ftpd on some other machine. In addition to using setprotitle from libutil, peter fixed all the setproctitle() calls. This was done before RELENG_2_2 branch point (well before 2.2.8). ----- Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 12:44:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20]) by hub.freebsd.org (Postfix) with ESMTP id A229937B61A for ; Thu, 6 Jul 2000 12:44:10 -0700 (PDT) (envelope-from brdavis@orion.ac.hmc.edu) Received: (from brdavis@localhost) by orion.ac.hmc.edu (8.8.8/8.8.8) id MAA02365; Thu, 6 Jul 2000 12:44:01 -0700 (PDT) Date: Thu, 6 Jul 2000 12:44:01 -0700 
From: Brooks Davis To: Brett Glass Cc: Matt Heckaman , security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() Message-ID: <20000706124401.A1224@orion.ac.hmc.edu> References: <4.3.2.7.2.20000706113724.04789470@localhost> <4.3.2.7.2.20000706132133.04a94ad0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre4i In-Reply-To: <4.3.2.7.2.20000706132133.04a94ad0@localhost>; from brett@lariat.org on Thu, Jul 06, 2000 at 01:28:33PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 06, 2000 at 01:28:33PM -0600, Brett Glass wrote: > Thank you! I've checked 3.1, and it's OK too. Theo just wrote > to say that he thinks the bug originated in BSD 4.4-Lite. (And, > I guess, has been around since that time due to the wonderful > error-encouraging nature of the C language -- Sigh.) > > I'm hoping that the bug was nailed prior to 2.2.8, which a number > of sites with an "if it ain't broke, don't fix it" policy are still > running. > > Anyone have a 2.2.8 CD handy? Mine's long gone. Who needs a CD? CVS is your friend. The bug is fixed in 2.2.0. It was fixed somewhere between 2.2.0 and 2.1.0. -- Brooks -- Any statement of the form "X is the one, true Y" is FALSE. 
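The two call shapes Paul Hart contrasts above, setproctitle(title) versus setproctitle("%s", title), side by side in runnable form. This is an added example, not code from the thread or from FreeBSD's ftpd: fake_setproctitle is an assumed stand-in for setproctitle(3) that formats into a static buffer so the code runs on any libc, and the hostname fed to it is constructed. Only the fixed form passes a string containing '%' through untouched; the buggy form lets the data act as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for setproctitle(3): same (const char *fmt, ...)
 * shape, but it formats into a static buffer instead of clobbering
 * argv, so the example runs anywhere. Returns the resulting title. */
static char proctitle_buf[128];

static const char *fake_setproctitle(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(proctitle_buf, sizeof proctitle_buf, fmt, ap);
    va_end(ap);
    return proctitle_buf;
}

/* Buggy pattern discussed in the thread: the title is built from the
 * remote host's name and then handed over AS the format string, so any
 * '%' sequences in that name are interpreted by the formatter. */
const char *title_unsafe(const char *remotehost)
{
    char proctitle[128];

    snprintf(proctitle, sizeof proctitle, "%s: connected", remotehost);
    return fake_setproctitle(proctitle);
}

/* Fixed pattern (what ftpd.c r1.14 does): a constant format, with the
 * title passed as a plain string argument. */
const char *title_safe(const char *remotehost)
{
    char proctitle[128];

    snprintf(proctitle, sizeof proctitle, "%s: connected", remotehost);
    return fake_setproctitle("%s", proctitle);
}

/* Review aid: does a piece of untrusted text carry format directives?
 * Useful when auditing where such text flows into printf-style APIs. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed reverse-DNS name containing a "%%" sequence. */
    const char *host = "evil%%x.example";

    printf("unsafe: %s\n", title_unsafe(host)); /* "%%" collapses to "%" */
    printf("safe:   %s\n", title_safe(host));   /* name kept verbatim   */
    printf("directive present: %d\n", has_format_directive(host));
    return 0;
}
```

The "%%" sequence is the one directive that consumes no argument, which is why it makes a deterministic demonstration: the unsafe path rewrites the data, the safe path does not. Any other directive in the data would make the unsafe call read arguments that were never passed.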
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 13:15:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4838037B945 for ; Thu, 6 Jul 2000 13:15:24 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA28204; Thu, 6 Jul 2000 14:15:08 -0600 (MDT) Message-Id: <4.3.2.7.2.20000706135700.043ea100@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 06 Jul 2000 14:08:21 -0600 To: "Chris D. Faulhaber" 
From: Brett Glass Subject: Re: ftpd and setproctitle() Cc: Matt Heckaman , security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000706132133.04a94ad0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:42 PM 7/6/2000, Chris D. Faulhaber wrote: >http://www.freebsd.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 Y'know, there's a VERY interesting comment in there: >/* > * Clobber argv so ps will show what we're doing. (Stolen from sendmail.) > * Which explains how it got into ftpd in the first place. I checked the Sendmail sources, and apparently they wrap setproctitle() in a routine called sm_setproctitle(). They're safe, but the folks who copied were not. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 13:21:30 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id CC1CC37BFA0 for ; Thu, 6 Jul 2000 13:21:27 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 3BD5F1C65; Thu, 6 Jul 2000 16:21:26 -0400 (EDT) Date: Thu, 6 Jul 2000 16:21:26 -0400 
From: Bill Fumerola To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() Message-ID: <20000706162126.S4034@jade.chc-chimes.com> References: <200007060905.e6695iF29634@cvs.openbsd.org> <4.3.2.7.2.20000706113724.04789470@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost>; from brett@lariat.org on Thu, Jul 06, 2000 at 11:49:06AM -0600 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 06, 2000 at 11:49:06AM -0600, Brett Glass wrote: > FreeBSD-current's ftpd already seems to have the correct arguments for > setproctitle. But do earlier versions require patching? (Alas, the > sources for earlier versions do not appear to be on any of Walnut > Creek's servers, so I can't tell.) Could folks who have sources for > 2.2.8, 3.4, 3.5, and 4.0 handy check this? (I usually do not > install full sources, and so am missing some of these.) Learning how to use CVS would be to your advantage. With the less then a gig repository we have all those releases (and more..) -- Bill Fumerola - Network Architect / Computer Horizons Corp - CHIMES e-mail: billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 14:33:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id D42F837B7FA; Thu, 6 Jul 2000 14:33:39 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA76500; Thu, 6 Jul 2000 14:33:39 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Thu, 6 Jul 2000 14:33:39 -0700 (PDT) 
From: Kris Kennaway To: Matt Heckaman Cc: FreeBSD-SECURITY Subject: Re: libfind.sh In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 6 Jul 2000, Matt Heckaman wrote: > The libfind.sh script on: > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh Should be already fixed. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 14:45:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from delivery.insweb.com (delivery.insweb.com [12.16.212.64]) by hub.freebsd.org (Postfix) with ESMTP id E242837B7D8 for ; Thu, 6 Jul 2000 14:45:09 -0700 (PDT) (envelope-from fbsd-security@ursine.com) Received: from ursine.com (dhcp4-202.secure.insweb.com [192.168.4.202]) by delivery.insweb.com (8.9.2/8.9.3) with ESMTP id OAA35645 for ; Thu, 6 Jul 2000 14:44:58 -0700 (PDT) (envelope-from fbsd-security@ursine.com) Message-ID: <3964FDD1.5BE5E5D3@ursine.com> Date: Thu, 06 Jul 2000 14:44:49 -0700 
From: Michael Bryan X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD-SECURITY Subject: Re: libfind.sh References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org So what's up with all these ^M problems lately? The recent ip_options patch had a similar problem. Is somebody doing FreeBSD development on a Windows system? ;-) Kris Kennaway wrote: > > On Thu, 6 Jul 2000, Matt Heckaman wrote: > > > The libfind.sh script on: > > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh > > Should be already fixed. > > Kris > > -- > In God we Trust -- all others must submit an X.509 certificate. > -- Charles Forsythe > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jul 6 15:13:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 45F6E37B58A for ; Thu, 6 Jul 2000 15:13:17 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA29469; Thu, 6 Jul 2000 16:12:58 -0600 (MDT) Message-Id: <4.3.2.7.2.20000706155949.044fb840@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 06 Jul 2000 16:12:46 -0600 To: Bill Fumerola 
From: Brett Glass Subject: Re: ftpd and setproctitle() Cc: security@FreeBSD.ORG In-Reply-To: <20000706162126.S4034@jade.chc-chimes.com> References: <4.3.2.7.2.20000706113724.04789470@localhost> <200007060905.e6695iF29634@cvs.openbsd.org> <4.3.2.7.2.20000706113724.04789470@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:21 PM 7/6/2000, Bill Fumerola wrote: >Learning how to use CVS would be to your advantage. With the less >then a gig repository we have all those releases (and more..) I've used CVS, though I don't use it to track FreeBSD right now. (I like my machines to have consistent, tested versions of everything.) I'm glad to see that the Web interface to CVS is working, though. Last time I tried it (admittedly awhile ago -- sometime last fall), it did not work. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 7 13:55: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from foobar.franken.de (foobar.franken.de [194.94.249.81]) by hub.freebsd.org (Postfix) with ESMTP id 76A9C37BE61 for ; Fri, 7 Jul 2000 13:54:42 -0700 (PDT) (envelope-from logix@foobar.franken.de) Received: (from logix@localhost) by foobar.franken.de (8.8.8/8.8.5) id WAA25921; Fri, 7 Jul 2000 22:55:20 +0200 (CEST) Message-ID: <20000707225520.B25629@foobar.franken.de> Date: Fri, 7 Jul 2000 22:55:20 +0200 
From: Harold Gutch To: openzero@bsdmail.com, freebsd-security@FreeBSD.ORG Subject: Re: Firewalls and the endless story! References: <20000706112624.69972.qmail@bsdmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.93.2i In-Reply-To: <20000706112624.69972.qmail@bsdmail.com>; from openzero@bsdmail.com on Thu, Jul 06, 2000 at 12:26:24PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Jul 06, 2000 at 12:26:24PM +0100, openzero@bsdmail.com wrote: > > On Wed, Jul 05, 2000 at 03:57:22PM -0500, Chris Dillon wrote: > > > > > > Yes, and the original poster demonstrated even further stupidity > > by adding a proprietary product (SecureBSD 1.0) into the mix and > > then expect that we support it. > > > > "Works for me." > > > > Yeah! > Thanks for the wonderful word "stupidity", but hey! > I think, after using FreeBSD-2.2.8, FreeBSD-3.4, > FreeBSD-4.0, that FreeBSD-2.2.8-STABLE is the best > for MYSELF! What you do, is not by business! > You are an architect! Are these the only words > you can use? I know, that SecureBSD isn't supported > by FreeBSD.org, coz it's not a product of > FreeBSD.org and it's only a preview! > > (German: Als Architekt hätte ich schon mal gerne > eine gehobenere Ausdrucksweise erwartet und > keine Kindergartenbegründungen wie: das ist doof! > Um unwiederständlich klarzumachen: Ich stehe unter > großem Zeitdruck und bisher konnte mir noch kein > Mensch einen wirklich guten Tip geben! Das stellt mich > unter Spannung, was solche Ausdrucksweisen natürlich noch mehr aggressiv macht!) Perhaps your spelling ("coz", "rulez" etc.) is the reason for people being "ignorant" towards you. For me that - and the lack of a realname in your mail's headers - were two reasons (among others like lack of time and interest) to never even consider replying to your mails. 
Anyway (see below), somebody already gave you a correct answer in the last thread you started. If the problem still persisted after that, you could/should have stated so. Show maturity in your mails and people will answer maturely. From your IPFW-configuration: > $fwcmd add allow log tcp from any to any 21 setup > $fwcmd add allow log tcp from any 20 to any setup # really needed ????? The last rule above won't get you any closer to anonymous FTP on your machine. What you'd need, is something like: $fwcmd add allow log tcp from any to $MYIP 20 $fwcmd add allow log tcp from $MYIP 20 to any where the first one lets "passive" FTP-packets pass and the second one "active" FTP-packets. As Manfredi Blasucci already replied to your last mail, the "setup" keyword was the problem. In fact, I guess you might even be able to limit the remote port-ranges to a few thousand ports somewhere in the range of port 44000 (that should be mentioned in the ftpd manpage). bye, Harold -- Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot. Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 7 14: 6:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from qmail.accesscomm.ca (qmail.accesscomm.ca [204.83.142.82]) by hub.freebsd.org (Postfix) with SMTP id D7E1537B781 for ; Fri, 7 Jul 2000 14:06:10 -0700 (PDT) (envelope-from srogers@cableregina.com) Received: (qmail 22778 invoked from network); 7 Jul 2000 21:05:53 -0000 Received: from static24-72-20-35.reverse.accesscomm.ca (HELO MyHost.cableregina.com) (24.72.20.35) by qmail.accesscomm.ca with SMTP; 7 Jul 2000 21:05:53 -0000 Message-ID: <000501bfe857$aa912160$23144818@cableregina.com> 
From: "Stuart Rogers" To: Subject: Firewall help Date: Fri, 7 Jul 2000 15:09:40 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Yes hello. I'm a newer BSD user and have freebsd 3.3 powerpak. I run a small intranet and have my systems hooked up to a cable modem. I want to make an old 486 box into a basic firewall. I'm not running any servers off the cable modem I just want to protect against people getting into my system. Does anyone know of the best way to go about this. All sugestions and comments would be apreciated. Stuart Rogers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 7 14:28: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from outblaze12.outblaze.com (209.249.164.196.outblaze.com [209.249.164.196]) by hub.freebsd.org (Postfix) with SMTP id 3CCBE37B781 for ; Fri, 7 Jul 2000 14:27:57 -0700 (PDT) (envelope-from openzero@bsdmail.com) Received: (qmail 82892 invoked by uid 1001); 7 Jul 2000 21:27:54 -0000 Message-ID: <20000707212754.82891.qmail@bsdmail.com> Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: inline Content-Transfer-Encoding: 7bit Mime-Version: 1.0 X-Mailer: MIME-tools 4.104 (Entity 4.117) 
From: openzero@bsdmail.com To: freebsd-security@freebsd.org Date: Fri, 07 Jul 2000 22:27:54 +0100 Subject: Re: Firewalls and the endless story! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Perhaps your spelling ("coz", "rulez" etc.) is the reason for > people being "ignorant" towards you. For me that - and the lack > of a realname in your mail's headers - were two reasons (among > others like lack of time and interest) to never even consider > replying to your mails. > Anyway (see below), somebody already gave you a correct answer in > the last thread you started. If the problem still persisted > after that, you could/should have stated so. > > Show maturity in your mails and people will answer maturely. Hm, I don't want to blame anybody but if there is anybody, who don't like my short style, or my questions, mustn't answer to this articels! Ok! I'm happy of each post!!!! Befor I forget it: at the bottom of each mail, I sign with my real name and the country, where I'm from (I do this, coz I'm sorry of my broken outspoken....) > $fwcmd add allow log tcp from any to $MYIP 20 > $fwcmd add allow log tcp from $MYIP 20 to any "setup" keyword was the problem. >...... Well thanx for this help! I think I have to be sorry to all of you, who wants to help me with my problem. But this mail, ("setup") must be deleted by myself (bescause of too many other mails....!). > > bye, > Harold > > -- > Someone should do a study to find out how many human life spans have > been lost waiting for NT to reboot. > Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc > thank you all........ 
;) mfg Daniel Ridder (Germany) -- Get your free email from http://www.bsdmail.com Powered by Outblaze To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 7 15:19:12 2000 Delivered-To: freebsd-security@freebsd.org Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 2615737B756 for ; Fri, 7 Jul 2000 15:19:05 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id RAA03781; Fri, 7 Jul 2000 17:18:58 -0500 (CDT) (envelope-from jeff-ml@mountin.net) Received: from dial-71.max1.wa.cyberlynk.net(207.227.118.71) by peak.mountin.net via smap (V1.3) id sma003779; Fri Jul 7 17:18:45 2000 Message-Id: <4.3.2.20000707171558.00ad9340@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Version 4.3 Date: Fri, 07 Jul 2000 17:18:17 -0500 To: Paul Hart , Brett Glass 
From: "Jeffrey J. Mountin" Subject: Re: ftpd and setproctitle() Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20000706113724.04789470@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 12:53 PM 7/6/00 -0600, Paul Hart wrote: >The FreeBSD usage of setproctitle() in ftpd seems to have been fixed quite >some time ago (in 1995), between versions 1.13 and 1.14 of ftpd.c: > > >http://www.FreeBSD.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 > >I'd say FreeBSD has been safe since 1995. :-) From CERT advisory CA-2000-13 [With respect to setproctitle()] it turns out that FreeBSD fixed this bug in the system ftpd back in 1996, so it is not present in all versions of FreeBSD since 2.2.0. Someone mention this as some PR on Bugtraq and here this certainly is conformation. Jeff Mountin - jeff@mountin.net Systems/Network Administrator FreeBSD - the power to serve To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jul 7 17: 5:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id D84D437BD1E for ; Fri, 7 Jul 2000 17:05:18 -0700 (PDT) (envelope-from 961BE653994@stud.alakhawayn.ma) Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id XAA08404; Fri, 7 Jul 2000 23:57:44 GMT Date: Fri, 7 Jul 2000 23:57:44 +0000 (GMT) 
From: Ali Alaoui El Hassani <961BE653994@stud.alakhawayn.ma>
To: Harold Gutch
Cc: openzero@bsdmail.com, freebsd-security@FreeBSD.ORG
Subject: Re: Firewalls and the endless story!
In-Reply-To: <20000707225520.B25629@foobar.franken.de>

Hey Hey,
I like FreeBSD, I do not allow anybody to say anything bad about it ok
You Better Watch out
with FreeBSD okAY

On Fri, 7 Jul 2000, Harold Gutch wrote:

> On Thu, Jul 06, 2000 at 12:26:24PM +0100, openzero@bsdmail.com wrote:
> > > On Wed, Jul 05, 2000 at 03:57:22PM -0500, Chris Dillon wrote:
> > >
> > >
> > > Yes, and the original poster demonstrated even further stupidity
> > > by adding a proprietary product (SecureBSD 1.0) into the mix and
> > > then expected that we support it.
> > >
> > > "Works for me."
> > >
> >
> > Yeah!
> > Thanks for the wonderful word "stupidity", but hey!
> > I think, after using FreeBSD-2.2.8, FreeBSD-3.4,
> > FreeBSD-4.0, that FreeBSD-2.2.8-STABLE is the best
> > for MYSELF! What you do, is not my business!
> > You are an architect! Are these the only words
> > you can use? I know, that SecureBSD isn't supported
> > by FreeBSD.org, coz it's not a product of
> > FreeBSD.org and it's only a preview!
> >
> > (German: As an architect I would have expected a somewhat more
> > refined manner of expression, and not kindergarten arguments
> > like "that's dumb!" To make it unmistakably clear: I am under
> > great time pressure and so far nobody has been able to give me
> > a really good tip! That puts me under strain, which such
> > manners of expression of course make even more aggressive!)
>
> Perhaps your spelling ("coz", "rulez" etc.) is the reason for
> people being "ignorant" towards you.
> For me that - and the lack
> of a realname in your mail's headers - were two reasons (among
> others like lack of time and interest) to never even consider
> replying to your mails.
> Anyway (see below), somebody already gave you a correct answer in
> the last thread you started. If the problem still persisted
> after that, you could/should have stated so.
>
> Show maturity in your mails and people will answer maturely.
>
>
> From your IPFW-configuration:
>
> > $fwcmd add allow log tcp from any to any 21 setup
> > $fwcmd add allow log tcp from any 20 to any setup # really needed ?????
>
> The last rule above won't get you any closer to anonymous FTP on
> your machine. What you'd need, is something like:
>
> $fwcmd add allow log tcp from any to $MYIP 20
> $fwcmd add allow log tcp from $MYIP 20 to any
>
> where the first one lets "passive" FTP-packets pass and the second
> one "active" FTP-packets.
> As Manfredi Blasucci already replied to your last mail, the
> "setup" keyword was the problem.
>
> In fact, I guess you might even be able to limit the remote
> port-ranges to a few thousand ports somewhere in the range of
> port 44000 (that should be mentioned in the ftpd manpage).
>
>
> bye,
> Harold
>
> --
> Someone should do a study to find out how many human life spans have
> been lost waiting for NT to reboot.
> Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
>

From owner-freebsd-security Fri Jul 7 18:50: 6 2000
Date: Fri, 7 Jul 2000 18:50:02 -0700 (PDT)
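As an added illustration of the ipfw point in Harold Gutch's reply above (editor's example, not code from the list or from FreeBSD): a toy first-match evaluator that models only the rule syntax used there, namely tcp, source/destination address and port, and the `setup` and `established` flag qualifiers, ignoring `via`, `in recv`, `out xmit` and `log`. It runs the packets of an active-mode FTP data connection through the quoted `setup`-only rule, through Harold's two bare rules, and through a `setup`/`established` pair; 192.0.2.10 and 198.51.100.7 are constructed placeholders for $MYIP and a remote client.

```python
from dataclasses import dataclass
from typing import Optional

MYIP = "192.0.2.10"      # stands in for $MYIP (documentation address, constructed)
CLIENT = "198.51.100.7"  # remote FTP client (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # "any" or one address
    sport: Optional[int]       # None matches any port
    dst: str
    dport: Optional[int]
    setup: bool = False        # ipfw `setup`: SYN set and ACK clear
    established: bool = False  # ipfw `established`: ACK or RST set

    def matches(self, p: Packet) -> bool:
        if self.setup and not (p.syn and not p.ack):
            return False
        if self.established and not (p.ack or p.rst):
            return False
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def parse(text: str) -> Rule:
    """Parse `<action> [log] tcp from A [port] to B [port] [setup|established]`."""
    t = [w for w in text.split() if w != "log"]
    action, src, i = t[0], t[3], 4            # t[1] == "tcp", t[2] == "from"
    sport = int(t[i]) if t[i] != "to" else None
    i += 2 if sport is not None else 1        # step over the port (if any) and "to"
    dst, i = t[i], i + 1
    dport = int(t[i]) if i < len(t) and t[i].isdigit() else None
    flags = t[i + 1:] if dport is not None else t[i:]
    return Rule(action, src, sport, dst, dport, "setup" in flags, "established" in flags)

def evaluate(rules, p: Packet) -> str:
    """First match wins; anything unmatched hits ipfw's implicit deny (rule 65535)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Active-mode FTP data connection: the server opens it from its own port 20.
ACTIVE_DATA_FLOW = [
    Packet(MYIP, 20, CLIENT, 40000, syn=True),            # server SYN
    Packet(CLIENT, 40000, MYIP, 20, syn=True, ack=True),  # client SYN/ACK
    Packet(MYIP, 20, CLIENT, 40000, ack=True),            # server ACK, then data
    Packet(CLIENT, 40000, MYIP, 20, ack=True),            # client ACK
]

POSTED_RULE = ["allow log tcp from any 20 to any setup"]  # the rule Harold quoted
HAROLD_RULES = [f"allow log tcp from any to {MYIP} 20",    # Harold's replacement
                f"allow log tcp from {MYIP} 20 to any"]
PAIRED_RULES = ["allow tcp from any to any established",  # setup/established pair,
                "allow tcp from any 20 to any setup"]      # as in stock rc.firewall

def decide_flow(rule_texts, flow=ACTIVE_DATA_FLOW):
    # Verdict for each packet of the flow, in order, under the given rule texts.
    rules = [parse(r) for r in rule_texts]
    return [evaluate(rules, p) for p in flow]
```

With only the `setup` rule, just the server's SYN passes and the rest of the data connection falls to the default deny; Harold's bare rules and the `setup`/`established` pair both pass the whole flow.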
From: Hugh Ho
Subject: Re: Firewall help
To: Stuart Rogers
Cc: freebsd-security@FreeBSD.ORG

I don't have a cable modem so I'm not sure exactly how it works, but the
FreeBSD site has 2 topics that might interest you:

http://www.freebsd.org/handbook/firewalls.html
http://www.freebsd.org/tutorials/dialup-firewall/index.html

Hope it helps.

-Hugh

--- Stuart Rogers wrote:
> Yes hello. I'm a newer BSD user and have freebsd 3.3 powerpak. I run a
> small intranet and have my systems hooked up to a cable modem. I want to
> make an old 486 box into a basic firewall. I'm not running any servers off
> the cable modem I just want to protect against people getting into my
> system. Does anyone know of the best way to go about this. All suggestions
> and comments would be appreciated.
>
> Stuart
> Rogers

From owner-freebsd-security Sat Jul 8 9: 4:37 2000
Date: Sat, 08 Jul 2000 12:04:54 -0400
From: Jim Durham
To: freebsd-security@freebsd.org
Subject: openssh and PAM

Since this applies to a system in another galaxy far far away, I'll
ask this here!

I was building openssh-2.1.1p2 with openssl-0.95a on a 3.3-RELEASE
box. (Yes, I know it's upgrade time, but it's a production system
and I'm replacing it soon).

The sshd daemon would not authenticate using the PAM stuff. I *did*
install the stuff from the contrib directory in the openssh sources
in /etc/pam.conf.

It was suggested by a posting elsewhere that it would work by configging
it with --without-pam. You then get a link error, which you can fix
with -lcrypt in the Makefile.

What sort of security compromise have I caused here?

Thanks...

--
Jim Durham

From owner-freebsd-security Sat Jul 8 11:52:44 2000
Date: Sat, 8 Jul 2000 14:52:37 -0400
From: Webbie
To: Jim Durham
Cc: freebsd-security@freebsd.org
Subject: Re: openssh and PAM
In-reply-To: <39675126.D3CDCEAE@w2xo.pgh.pa.us>

Hello Jim,

I have the same experience as you do.

PAM is only a method to specify how you want to verify the password.

What you/I have done was to tell sshd not to bother with pam auth and
just use the default freebsd password auth method, either MD5 or DES.

So, I don't see a security problem here.

Saturday, July 08, 2000, 12:04:54 PM, you wrote:

JD> Since this applies to a system in another galaxy far far away, I'll
JD> ask this here!

JD> I was building openssh-2.1.1p2 with openssl-0.95a on a 3.3-RELEASE
JD> box. (Yes, I know it's upgrade time, but it's a production system
JD> and I'm replacing it soon).

JD> The sshd daemon would not authenticate using the PAM stuff. I *did*
JD> install the stuff from the contrib directory in the openssh sources
JD> in /etc/pam.conf.

JD> It was suggested by a posting elsewhere that it would work by configging
JD> it with --without-pam. You then get a link error, which you can fix
JD> with -lcrypt in the Makefile.

JD> What sort of security compromise have I caused here?

JD> Thanks...
--
Webbie
        \\|//
        (o o)
+-------------------------oOOo-(_)-oOOo-----------------------------+
EMail : mailto:webbie(at)everyday(dot)cx
PGP Key : http://www.everyday.cx/pgpkey.txt
PGP Fingerprint: 0B9F E081 35CD B9AF 58EA 7E43 38EC C84F 4AB4 792C
+-------------------------------------------------------------------+
Dodge: Dead Or Dying Garbage Emitter

From owner-freebsd-security Sat Jul 8 14:27:32 2000
Date: Sat, 08 Jul 2000 17:27:52 -0400
From: Jim Durham
To: Stuart Rogers
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall help
References: <000501bfe857$aa912160$23144818@cableregina.com>

Stuart Rogers wrote:
>
> Yes hello. I'm a newer BSD user and have freebsd 3.3 powerpak. I run a
> small intranet and have my systems hooked up to a cable modem. I want to
> make an old 486 box into a basic firewall. I'm not running any servers off
> the cable modem I just want to protect against people getting into my
> system. Does anyone know of the best way to go about this. All suggestions
> and comments would be appreciated.
>
> Stuart
> Rogers

I do something of the same sort here. I am on DSL, not cable, but the
input/output of my DSL modem is ethernet, as are cable modems.

You need an old '486 with two ethernet cards. I'll probably miss
something, but here is the gist of setting it up:

Let's say your two cards are "ed0" and "ed1" and that you want to use
the 10. network on your LAN. Let's say the cable company assigned you
the IP address YOUR_IP and the gateway YOUR_GATEWAY and the netmask
YOUR_NETMASK. Let's say the cable modem plugs into ed0 and the LAN hub
is on ed1.

In /etc/rc.conf:

  ifconfig_ed0="inet YOUR_IP netmask YOUR_NETMASK"
  defaultrouter="YOUR_GATEWAY"
  ifconfig_ed1="inet 10.0.0.1 netmask 255.255.255.0"
  named_enable="YES"
  firewall_enable="YES"
  firewall_type="simple"
  firewall_quiet="NO"
  natd_enable="YES"
  natd_interface="ed0"
  network_interfaces="lo0 ed0 ed1"

In /etc/rc.firewall, section "simple":

  oif="ed0"
  onet="YOUR_IP with 0 as the last octet"
  omask="YOUR_NETMASK"
  oip="YOUR_IP"
  iif="ed1"
  inet="10.0.0.0"
  imask="255.255.255.0"
  iip="10.0.0.1"

Compile a new kernel.
Add options "IP_DIVERT" and "IP_FIREWALL".

Assign IPs of 10.0.0.2 and up to your LAN computers.

I probably missed something, but that's most of it.

- Jim Durham

From owner-freebsd-security Sat Jul 8 14:49: 2 2000
From: "Craig Critchley"
To: "Webbie", "Jim Durham"
Subject: Re: openssh and PAM
Date: Sat, 8 Jul 2000 15:00:10 -0700

I ran into this too. I don't see a problem, but I'm not a security expert,
so better safe than sorry...

As Jim mentions, without PAM enabled, building openssh gets a link error
for the crypt function, so I also want to make sure adding libcrypt to
the libraries isn't the wrong fix...

The problem with PAM also seemed to be related to a missing crypt
function; sshd added syslog complaints about being unable to load
pam_unix.so because crypt was undefined; disabling PAM was the first
step in trying to debug/fix this.

I'm wondering if I'm missing a dependency somewhere that would add an
updated crypt to a library that openssh links to.

Thanks,
...Craig

----- Original Message -----
From: "Webbie"
To: "Jim Durham"
Sent: Saturday, July 08, 2000 11:52 AM
Subject: Re: openssh and PAM

> Hello Jim,
>
> I have the same experience as you do.
>
> PAM is only a method to specify how you want to verify the password.
>
> What you/I have done was to tell sshd not to bother with pam auth and
> just use the default freebsd password auth method, either MD5 or DES.
>
> So, I don't see a security problem here.
>
>
> Saturday, July 08, 2000, 12:04:54 PM, you wrote:
>
> JD> Since this applies to a system in another galaxy far far away, I'll
> JD> ask this here!
>
> JD> I was building openssh-2.1.1p2 with openssl-0.95a on a 3.3-RELEASE
> JD> box. (Yes, I know it's upgrade time, but it's a production system
> JD> and I'm replacing it soon).
>
> JD> The sshd daemon would not authenticate using the PAM stuff. I *did*
> JD> install the stuff from the contrib directory in the openssh sources
> JD> in /etc/pam.conf.
>
> JD> It was suggested by a posting elsewhere that it would work by configging
> JD> it with --without-pam. You then get a link error, which you can fix
> JD> with -lcrypt in the Makefile.
>
> JD> What sort of security compromise have I caused here?
>
> JD> Thanks...
>
> --
> Webbie

From owner-freebsd-security Sat Jul 8 15:41:33 2000
To: Troy Arie Cobb
Cc: "'Alex Popa'", "Dan O'Connor", freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: securing the boot process (again?!?)
From: Dag-Erling Smorgrav
Date: 09 Jul 2000 00:35:52 +0200
In-Reply-To: Troy Arie Cobb's message of "Tue, 4 Jul 2000 06:48:12 -0400"

Troy Arie Cobb writes:
> There are small locks you can buy which fit into a floppy drive
> and secure it with a key. If your users don't need to put floppies
> in on a regular basis (but perhaps YOU do occasionally), then
> this can be a good choice to avoid booting the evil-floppy-kernel.

RTFDL (Remove The Floppy Drive, Luke)

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sat Jul 8 15:55: 1 2000
Date: Sun, 09 Jul 2000 05:55:59 +0700 (NOVST)
Organization: Granch Ltd.
From: "Rashid N. Achilov"
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: IP_DUMMYNET?

A bit strange problem has occurred recently: with a 3.4-RELEASE kernel
the commands

  ipfw add pipe 1 ...
  ipfw pipe 1 config bw 9600bit/s delay 100 ms

are OK; with the latest CVSupped 3.5-STABLE kernel they fail with the
message

  setsockopt (IP_DUMMYNET_CONFIGURE): Invalid argument

Both kernel config files are completely equal. In the kernel are the
IPFIREWALL, IPFIREWALL_VERBOSE, IPFIREWALL_FORWARD, DUMMYNET options.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Cert. ID: 28514,
Granch Ltd. lead engineer
e-mail: achilov@granch.ru, tel (383-2) 24-2363

From owner-freebsd-security Sat Jul 8 16:25:24 2000
Date: Sat, 8 Jul 2000 19:22:23 -0400 (EDT)
From: NetMint Support
To: Dag-Erling Smorgrav
Cc: Troy Arie Cobb, "'Alex Popa'", "Dan O'Connor", freebsd-security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: securing the boot process (again?!?)

> RTFDL (Remove The Floppy Drive, Luke)
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

By the same token:

RTCDL (Remove The CD-ROM Drive, Luke)
DBFODL (Disable Boot-From-Other-Devices, Luke)
DNBvEL (Disable Network Boot via Ethernet, Luke)
RESPL (Remove External SCSI Port, Luke)

Same applies to keyboard, mouse, USB and other ports. The case should then
be a metal safe box with an ethernet port, stored in a "cold room" to
prevent overheating and access through ventilation holes...

Andrew