From owner-freebsd-security Sun Jul 30 9:27:23 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 844EB37B561 for ; Sun, 30 Jul 2000 09:27:19 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 6B61C1C65; Sun, 30 Jul 2000 12:27:18 -0400 (EDT) Date: Sun, 30 Jul 2000 12:27:18 -0400 From: Bill Fumerola To: Miklos Niedermayer Cc: Mike Hoskins , Darren Reed , Pavol Adamec , freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) Message-ID: <20000730122718.P5021@jade.chc-chimes.com> References: <200007270800.SAA23526@cairo.anu.edu.au> <20000729194821.B1716@bsd.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000729194821.B1716@bsd.hu>; from mico@bsd.hu on Sat, Jul 29, 2000 at 07:48:21PM +0200 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Sat, Jul 29, 2000 at 07:48:21PM +0200, Miklos Niedermayer wrote: > > The only real reason I've heard ipf recommended since ipfw got > > keep-state/check-state is ipnat. > > I think that ipfw's statefulness is in a very early stage. It's unusable for any server that makes connections with a lot of clients (irc client server, www server, etc) but is useful for a server that only makes a few connections (application, irc hub server, etc..). Why? Add 6000 rules to your ipfw-based firewall and see what happens. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 11:34:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 99F4437B6C3 for ; Sun, 30 Jul 2000 11:34:40 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id OAA44308; Sun, 30 Jul 2000 14:34:30 -0400 (EDT) Date: Sun, 30 Jul 2000 14:34:30 -0400 (EDT) From: Igor Roshchin Message-Id: <200007301834.OAA44308@giganda.komkon.org> To: bokr@accessone.com Subject: Re: ? Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3.0.5.32.20000729160602.00914500@mail.accessone.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Date: Sat, 29 Jul 2000 16:06:02 -0700 > To: Mitch Collinsworth > From: Bengt Richter > Subject: Re: ? > Cc: freebsd-security@FreeBSD.ORG > > At 07:41 2000-07-28 -0400 Mitch Collinsworth wrote: > >suggest addressing any complaints to the lists admin and to the address > >in his X-Complaints-To: header, usenet@news.kharkiv.net. > > > > The "arkiv" in kharkiv.net suggests the idea that they're subscribing > to various lists to do automatic archiving. I would like access to that, <..> Just FYI: Kharkiv is one of the largest cities in Ukraine. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 12:27:20 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id 7C78237B717; Sun, 30 Jul 2000 12:27:17 -0700 (PDT) From: "Jonathan M.
Bresler" To: mike@adept.org Cc: stephen@math.missouri.edu, freebsd-security@freebsd.org In-reply-to: (message from Mike Hoskins on Tue, 25 Jul 2000 12:13:10 -0700 (PDT)) Subject: Re: Problems with natd and simple firewall Message-Id: <20000730192717.7C78237B717@hub.freebsd.org> Date: Sun, 30 Jul 2000 12:27:17 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > I came into this mess with mostly only PIX/FW1 experience... I'll admit > some initial frustration when glancing over the man page, but after I > decided to read it, word for word, and started toying with the examples, > I've found ipfw's syntax/behavior to be (often) more appealing than the > other products I use on a daily basis. > > -mrh one significant advantage of ipfw over FW1, aside from cost, is that ipfw can test on which interface a packet arrives and/or leaves. as far as i know, in FW1 its not possible to act upon packets based upon which interface the packet hits. imagine wanting to screen (spoofed) packets with the inside IP addresses arriving on the outside interface. ;( jmb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 12:42: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id 447F937B6C1; Sun, 30 Jul 2000 12:42:02 -0700 (PDT) From: "Jonathan M. Bresler" To: stephen@math.missouri.edu Cc: freebsd-security@FreeBSD.ORG In-reply-to: <397E4487.A868B713@math.missouri.edu> (message from Stephen Montgomery-Smith on Tue, 25 Jul 2000 20:53:11 -0500) Subject: Re: log with dynamic firewall rules Message-Id: <20000730194202.447F937B6C1@hub.freebsd.org> Date: Sun, 30 Jul 2000 12:42:02 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > Stephen Montgomery-Smith wrote: > > > > I would like to set up a firewall with dynamic rules to allow > > ssh from the outside. 
I would like these incoming ssh's logged. > > So I tried something like: > > > > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup > > > > OK, does everyone else agree with me that if an ipfw rule is logged > and keep-state, then one only needs to log when the rule is established - > not every time a packet passes through it? adding an option to log only the packet that triggers the creation of the dynamic rule would be an excellent addition to ipfw. as you wrote in a later email, one option to log all packets (inherited by the dynamic rule) and one option to log the triggering packet only. jmb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 14: 8:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.cluster.oleane.net (smtp2.cluster.oleane.net [195.25.12.17]) by hub.freebsd.org (Postfix) with ESMTP id 09C6737B7AB for ; Sun, 30 Jul 2000 14:08:53 -0700 (PDT) (envelope-from rguyom@321.net) Received: from diabolic-cow.321.net (dyn-1-1-024.Orl.dialup.oleane.fr [195.25.26.24]) by smtp2.cluster.oleane.net with ESMTP id XAA46232 for ; Sun, 30 Jul 2000 23:10:07 +0200 (CEST) Received: by diabolic-cow.321.net (Postfix, from userid 1000) id 16F99114; Sun, 30 Jul 2000 22:13:04 +0200 (CEST) Date: Sun, 30 Jul 2000 22:13:04 +0200 From: =?iso-8859-1?Q?R=E9mi_Guyomarch?= To: freebsd-security@freebsd.org Subject: Re: Problems with natd and simple firewall Message-ID: <20000730221304.A275@diabolic-cow.321.net> References: <20000730192717.7C78237B717@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Jul 30, 2000 at 
12:27:17PM -0700, Jonathan M. Bresler wrote: > > one significant advantage of ipfw over FW1, aside from cost, > is that ipfw can test on which interface a packet arrives and/or > leaves. as far as i know, in FW1 its not possible to act upon packets > based upon which interface the packet hits. imagine wanting to screen > (spoofed) packets with the inside IP addresses arriving on the outside > interface. ;( Anti-spoofing stuff on FW1 is done differently than other rules. And you can configure anti-spoofing on each interface. But there's something you can't do with FW1 : NAT'ing the same hosts / networks to different (public) adresses according to the external interface the packets cross. You have possible workarounds, but they are ugly. -- Rémi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 15: 9:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 3A36837B67E; Sun, 30 Jul 2000 15:09:16 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id IAA29605; Mon, 31 Jul 2000 08:09:06 +1000 (EST) From: Darren Reed Message-Id: <200007302209.IAA29605@cairo.anu.edu.au> Subject: Re: Problems with natd and simple firewall In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org> from "Jonathan M. Bresler" at "Jul 30, 0 12:27:17 pm" To: jmb@hub.freebsd.org (Jonathan M. Bresler) Date: Mon, 31 Jul 2000 08:09:06 +1000 (EST) Cc: mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Jonathan M. 
Bresler, sie said: > > > > I came into this mess with mostly only PIX/FW1 experience... I'll admit > > some initial frustration when glancing over the man page, but after I > > decided to read it, word for word, and started toying with the examples, > > I've found ipfw's syntax/behavior to be (often) more appealing than the > > other products I use on a daily basis. > > > > -mrh > > one significant advantage of ipfw over FW1, aside from cost, > is that ipfw can test on which interface a packet arrives and/or > leaves. as far as i know, in FW1 its not possible to act upon packets > based upon which interface the packet hits. imagine wanting to screen > (spoofed) packets with the inside IP addresses arriving on the outside > interface. ;( If you're using FW-1 on Solaris, you can use IP Filter to do filtering before FW-1 in case you don't trust FW-1 :-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 15:25:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 34F0337B786 for ; Sun, 30 Jul 2000 15:25:09 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000730222508.FMFU21928.mail.rdc1.il.home.com@math.missouri.edu>; Sun, 30 Jul 2000 15:25:08 -0700 Message-ID: <3984AB32.53B8D793@math.missouri.edu> Date: Sun, 30 Jul 2000 17:24:50 -0500 From: stephen@math.missouri.edu X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686) X-Accept-Language: en MIME-Version: 1.0 To: "Jonathan M. 
Bresler" Cc: freebsd-security@FreeBSD.ORG Subject: Re: log with dynamic firewall rules References: <20000730194202.447F937B6C1@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I submitted a PR http://www.freebsd.org/cgi/query-pr.cgi?pr=20198 suggesting this possibility. The response I got was that instead ipfw should work as follows: keep-state - log every entry; keep-state setup - only log when the rule is established. This is also very easy to program. Anyway I haven't heard from the people in charge for a while, so I don't know how it is going. ---- Actually, I'm becoming dissatisfied with the concept of dynamic rules using ipfw. I have gone back to static rules. I am only a home computer, and I don't need anything complicated. If I ever need dynamic rules, I will learn ipfilter and see how that does. My dissatisfaction is over how it times out. Suppose you have a rule like: add pass tcp from localhost to any 22 keep-state setup and you do an ssh somewhere Now wait five minutes and the dynamic rule times out, and it stops working. Well, that is OK I suppose - you shouldn't have left it so long. Now suppose instead you have add pass tcp from localhost to any 22 keep-state Now if it times out, well its OK, because when you press any key, another dynamic rule is established. Now this dynamic rule only lasts a few seconds. Now suppose you run a program that takes a while to send output, e.g. sleep 10; ls So typing in this command causes a dynamic rule to be created. This only lasts a few seconds, so when the above program sends its output, it cannot get through. If you get impatient wondering why you see nothing, you press a key to see if anything happens. The connection seems to do nothing for a second, then suddenly you see the output. This is because in pressing the key, you established another dynamic rule. The effect is somewhat jerky. 
If I had a naive user on my network, he would wonder what is going on, perhaps assume a bad connection or something. All this bad behavior could be stopped by having a rule add pass tcp from any to any established before all the other rules, but in that case why have dynamic rules at all? And you could also tinker with the default time outs. But in the end I find that static rules are quite satisfactory for me. "Jonathan M. Bresler" wrote: > > > > > Stephen Montgomery-Smith wrote: > > > > > > I would like to set up a firewall with dynamic rules to allow > > > ssh from the outside. I would like these incoming ssh's logged. > > > So I tried something like: > > > > > > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup > > > > > > > OK, does everyone else agree with me that if an ipfw rule is logged > > and keep-state, then one only needs to log when the rule is established - > > not every time a packet passes through it? > > adding an option to log only the packet that triggers the > creation of the dynamic rule would be an excellent addition to ipfw. > > as you wrote in a later email, one option to log all packets > (inherited by the dynamic rule) and one option to log the triggering > packet only.
> > jmb -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 15:53:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 0F8B637B52E for ; Sun, 30 Jul 2000 15:53:10 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 870241C65; Sun, 30 Jul 2000 18:53:09 -0400 (EDT) Date: Sun, 30 Jul 2000 18:53:09 -0400 From: Bill Fumerola To: stephen@math.missouri.edu Cc: "Jonathan M. Bresler" , freebsd-security@FreeBSD.ORG Subject: Re: log with dynamic firewall rules Message-ID: <20000730185309.W5021@jade.chc-chimes.com> References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <3984AB32.53B8D793@math.missouri.edu>; from stephen@math.missouri.edu on Sun, Jul 30, 2000 at 05:24:50PM -0500 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Jul 30, 2000 at 05:24:50PM -0500, stephen@math.missouri.edu wrote: > Actually, I'm becoming dissatisfied with the concept of dynamic > rules using ipfw. I have gone back to static rules. I am only > a home computer, and I don't need anything complicated. If I > ever need dynamic rules, I will learn ipfilter and see how that > does. I fear the dynamic rule code, or I'd attempt to figure it all out and come up with something better, but: > Now wait five minutes and the dynamic rule times out, and it stops > working. 
Well, that is OK I suppose - you shouldn't have left it so long.

[boa.internal-billf 18:52:25]
< /home/billf > sysctl -a |grep dyn
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5

... it is a controllable behavior. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 16: 0:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id E76F737B801 for ; Sun, 30 Jul 2000 16:00:19 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000730230019.GKCF21928.mail.rdc1.il.home.com@math.missouri.edu>; Sun, 30 Jul 2000 16:00:19 -0700 Message-ID: <3984B371.A5BF509E@math.missouri.edu> Date: Sun, 30 Jul 2000 18:00:01 -0500 From: stephen@math.missouri.edu X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.14 i686) X-Accept-Language: en MIME-Version: 1.0 To: Bill Fumerola Cc: "Jonathan M.
Bresler" , freebsd-security@FreeBSD.ORG Subject: Re: log with dynamic firewall rules References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu> <20000730185309.W5021@jade.chc-chimes.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Bill Fumerola wrote: > > I fear the dynamic rule code, or I'd attempt to figure it all out > and come up with something better, but: > > > Now wait five minutes and the dynamic rule times out, and it stops > > working. Well, that is OK I suppose - you shouldn't have left it so long. >
> [boa.internal-billf 18:52:25]
> < /home/billf > sysctl -a |grep dyn
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 20
> net.inet.ip.fw.dyn_rst_lifetime: 5
>
> ... it is a controllable behavior.

Yes, I knew that. (I alluded to it at the end of my message.) Although it is not controllable unless you are root. There must have been some thought given to these default values, and why they are right. Make net.inet.ip.fw.dyn_ack_lifetime too big, and you begin to defeat its purpose. Make it too small, and you have the problem I describe. -- Stephen Montgomery-Smith Department of Mathematics, University of Missouri, Columbia, MO 65211 Phone 573-882-4540, fax 573-882-1869 http://www.math.missouri.edu/~stephen stephen@math.missouri.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 16:23:47 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id 650D337B516; Sun, 30 Jul 2000 16:23:45 -0700 (PDT) From: "Jonathan M.
Bresler" To: stephen@math.missouri.edu Cc: freebsd-security@FreeBSD.ORG In-reply-to: <3984AB32.53B8D793@math.missouri.edu> (stephen@math.missouri.edu) Subject: Re: log with dynamic firewall rules Message-Id: <20000730232345.650D337B516@hub.freebsd.org> Date: Sun, 30 Jul 2000 16:23:45 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org [snip] > > All this bad behavior could be stopped by having a rule > > add pass tcp from any to any established > > before all the other rules, but in that case why have dynamic rules > at all? UDP ? set your timeouts to match the behavior of your apps. > > And you could also tinker with the default time outs. > > But in the end I find that static rules are quite satisfactory > for me. jmb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 16:42:28 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id A761237B516; Sun, 30 Jul 2000 16:41:49 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id JAA14229; Mon, 31 Jul 2000 09:41:12 +1000 (EST) From: Darren Reed Message-Id: <200007302341.JAA14229@cairo.anu.edu.au> Subject: Re: log with dynamic firewall rules In-Reply-To: <3984B371.A5BF509E@math.missouri.edu> from "stephen@math.missouri.edu" at "Jul 30, 0 06:00:01 pm" To: stephen@math.missouri.edu Date: Mon, 31 Jul 2000 09:41:11 +1000 (EST) Cc: billf@chimesnet.com, jmb@hub.freebsd.org, freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from stephen@math.missouri.edu, sie said: > Bill Fumerola wrote: > > > > I fear the dynamic 
rule code, or I'd attempt to figure it all out > > and come up with something better, but: > > > > > Now wait five minutes and the dynamic rule times out, and it stops > > > working. Well, that is OK I suppose - you shouldn't have left it so long. > >
> > [boa.internal-billf 18:52:25]
> > < /home/billf > sysctl -a |grep dyn
> > net.inet.ip.fw.dyn_buckets: 256
> > net.inet.ip.fw.curr_dyn_buckets: 256
> > net.inet.ip.fw.dyn_count: 0
> > net.inet.ip.fw.dyn_max: 1000
> > net.inet.ip.fw.dyn_ack_lifetime: 300
> > net.inet.ip.fw.dyn_syn_lifetime: 20
> > net.inet.ip.fw.dyn_fin_lifetime: 20
> > net.inet.ip.fw.dyn_rst_lifetime: 5
> >
> > ... it is a controllable behavior.
>
> Yes, I knew that. (I alluded to it at the end of my message.) > Although it is not controllable unless you are > root. There must have been some thought given to these default > values, and why they are right. Make net.inet.ip.fw.dyn_ack_lifetime > too big, and you begin to defeat its purpose. Make it too small, > and you have the problem I describe.

Then again, maybe there wasn't. The timeouts above resemble nothing useful except arbitrary numbers pulled out of a hat. The timeouts used by IP Filter tend to be somewhat more realistic, with all (except RST/established) being 2*MSL. The established timeout is at 5 days. On top of this, the size of the state table (say with 6000 entries) does not make IP Filter behave like there are 6000 rules. I would go on to say that the "state" tracking in ipfw is a far cry from that in IP Filter (which is maturing rather nicely!).
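The following Python model is an example added by the editor of this archive page; it is not part of Darren Reed's message above or of any message in the thread, and it is not ipfw's code. It ties together what the messages describe: the dyn_*_lifetime values and the 256 hash buckets from Bill Fumerola's sysctl output, Stephen Montgomery-Smith's ssh symptoms with keep-state with and without setup, his proposed option of logging only the packet that creates a dynamic entry, and the linear cost of a long static rule list that Bill's "6000 rules" remark is about. Everything else is an assumption of the model: the flag-driven choice of lifetime (an entry created from a mid-stream ACK, with no handshake seen, is given the short dyn_rst_lifetime, which is what reproduces the vanishing output of "sleep 10; ls"), the crc32 bucket hash, rules that match on destination port only, and the client and server addresses, which are constructed.

```python
"""Toy model of ipfw dynamic rules (keep-state/check-state) for this thread.  Added
example, not ipfw's code: the lifetimes are Bill's dyn_*_lifetime values; the
flag-driven lifetime choice and the 256-bucket crc32 hash are modelling assumptions."""
import zlib
from collections import namedtuple
from types import SimpleNamespace

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10                # TCP flag bits
BOTH_SYN, BOTH_FIN = SYN | (SYN << 8), FIN | (FIN << 8)    # flag seen in both directions
LIFETIME = {"syn": 20, "ack": 300, "fin": 20, "rst": 5}    # seconds, from the thread
DYN_BUCKETS = 256                                           # net.inet.ip.fw.dyn_buckets
C, S = ("10.0.0.5", 40000), ("192.0.2.10", 22)              # constructed client, ssh server
# dport None = any port; setup = match only SYN-without-ACK, like ipfw's "setup"
Rule = namedtuple("Rule", "number dport keep_state setup log", defaults=(False, False, False))


def lifetime_for(state):
    # Expiry chosen from the FIN/SYN/RST bits accumulated per direction (assumed).
    if state == SYN:                                                # half-open
        return LIFETIME["syn"]
    if state in (BOTH_SYN, BOTH_SYN | FIN, BOTH_SYN | (FIN << 8)):  # established
        return LIFETIME["ack"]
    if state == BOTH_SYN | BOTH_FIN:                                # closed both ways
        return LIFETIME["fin"]
    return LIFETIME["rst"]      # RST, or no handshake seen (entry created mid-stream)


def pkt(a, b, flags):
    return {"src": a[0], "sport": a[1], "dst": b[0], "dport": b[1], "flags": flags}


class Firewall:
    def __init__(self, rules, log_policy="all"):
        # "all": entries inherit "log" and log every packet (what Stephen saw);
        # "trigger": only the packet that created the entry is logged (his proposal).
        self.rules, self.log_policy = rules, log_policy
        self.buckets = [dict() for _ in range(DYN_BUCKETS)]
        self.logged, self.comparisons = [], 0

    @staticmethod
    def _canon(p):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        return min(fwd, rev), fwd                  # one key for both directions

    def _check_state(self, p, now):
        key, fwd = self._canon(p)
        bucket = self.buckets[zlib.crc32(repr(key).encode()) % DYN_BUCKETS]
        self.comparisons += len(bucket)            # walks one chain, not the rule list
        e = bucket.get(key)
        if e is None or e.expire <= now:
            bucket.pop(key, None)                  # lazy expiry
            return None
        e.state |= (p["flags"] & (FIN | SYN | RST)) << (0 if fwd == e.fwd else 8)
        e.expire = now + lifetime_for(e.state)
        if e.log:
            self.logged.append((now, e.rule.number))
        return e.rule

    def process(self, p, now):
        """Return (verdict, rule number) for one packet seen at time `now`."""
        rule = self._check_state(p, now)           # implicit check-state first
        if rule:
            return "pass", rule.number
        for rule in self.rules:                    # static rules: linear scan
            self.comparisons += 1
            if rule.dport not in (None, p["dport"]) or (
                    rule.setup and (p["flags"] & (SYN | ACK)) != SYN):
                continue
            if rule.log:
                self.logged.append((now, rule.number))
            if rule.keep_state:
                key, fwd = self._canon(p)
                e = SimpleNamespace(fwd=fwd, rule=rule, state=p["flags"] & (FIN | SYN | RST),
                                    log=rule.log and self.log_policy == "all")
                e.expire = now + lifetime_for(e.state)
                self.buckets[zlib.crc32(repr(key).encode()) % DYN_BUCKETS][key] = e
            return "pass", rule.number
        return "deny", None


def ssh_session(rule, log_policy="all"):
    """Stephen's scenario; returns per-packet verdicts and the number of packets logged."""
    fw = Firewall([rule], log_policy)
    trace = [(0.0, pkt(C, S, SYN)), (0.1, pkt(S, C, SYN | ACK)), (0.2, pkt(C, S, ACK)),
             (100.0, pkt(C, S, ACK)),   # keystroke inside dyn_ack_lifetime
             (500.0, pkt(C, S, ACK)),   # keystroke after five idle minutes
             (510.0, pkt(S, C, ACK)),   # output of 'sleep 10; ls' coming back
             (511.0, pkt(C, S, ACK)),   # impatient user presses a key ...
             (511.5, pkt(S, C, ACK))]   # ... and the output now gets through
    return [fw.process(p, t)[0] for t, p in trace], len(fw.logged)


def lookup_cost(n):
    """Comparisons to pass one established-flow packet: n static rules vs n dynamic entries."""
    static = Firewall([Rule(i + 1, 10000 + i) for i in range(n)] + [Rule(n + 1, 22)])
    static.process(pkt(C, S, ACK), 0.0)
    dyn = Firewall([Rule(1, None, keep_state=True)])
    for i in range(n):                             # one dynamic entry per client flow
        dyn.process(pkt(("10.1.%d.%d" % (i // 256, i % 256), 50000), S, SYN), 0.0)
    dyn.comparisons = 0
    dyn.process(pkt(("10.1.0.0", 50000), S, ACK), 1.0)
    return static.comparisons, dyn.comparisons
```

With the `keep-state setup` rule the session passes four packets, then the entry expires during the five idle minutes and every later packet is denied, because a bare ACK can never match a setup rule again. With `keep-state` alone the keystroke at 500 s recreates an entry, but one that lives only dyn_rst_lifetime seconds, so the reply at 510 s is dropped and the next keystroke lets it through, which is the jerky behaviour Stephen describes. The "all" policy logs seven packets of that session, the "trigger" policy three. lookup_cost(6000) reports 6001 comparisons for the static list against a few dozen for one bucket chain, which is Darren's point that a 6000-entry state table is not 6000 rules. The real ipfw also caps the table at dyn_max (1000 in Bill's output), which the model leaves out.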
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 17:36:47 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.workofstone.net (w121.z208177130.sjc-ca.dsl.cnc.net [208.177.130.121]) by hub.freebsd.org (Postfix) with ESMTP id 3E9DD37B89B; Sun, 30 Jul 2000 17:36:37 -0700 (PDT) (envelope-from schluntz@timberwolf.workofstone.net) Received: from timberwolf (w126.z064001106.sjc-ca.dsl.cnc.net [64.1.106.126]) by mail.workofstone.net (8.9.3/8.9.3) with ESMTP id RAA10529; Sun, 30 Jul 2000 17:36:16 -0700 (PDT) Message-Id: <200007310036.RAA10529@mail.workofstone.net> To: Darren Reed Cc: jmb@hub.freebsd.org (Jonathan M. Bresler), mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG Subject: Re: Problems with natd and simple firewall Reply-To: "Sean J. Schluntz" In-Reply-To: Your message of "Mon, 31 Jul 2000 08:09:06 +1000." <200007302209.IAA29605@cairo.anu.edu.au> Date: Sun, 30 Jul 2000 17:32:15 -0700 From: schluntz@timberwolf.workofstone.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >> > I came into this mess with mostly only PIX/FW1 experience... I'll admit >> > some initial frustration when glancing over the man page, but after I >> > decided to read it, word for word, and started toying with the examples, >> > I've found ipfw's syntax/behavior to be (often) more appealing than the >> > other products I use on a daily basis. >> > >> > -mrh >> >> one significant advantage of ipfw over FW1, aside from cost, >> is that ipfw can test on which interface a packet arrives and/or >> leaves. as far as i know, in FW1 its not possible to act upon packets >> based upon which interface the packet hits. imagine wanting to screen >> (spoofed) packets with the inside IP addresses arriving on the outside >> interface. 
;( > >If you're using FW-1 on Solaris, you can use IP Filter to do filtering >before FW-1 in case you don't trust FW-1 :-) Or, if you really don't trust FW-1 on Solaris (but need some of its functionality and like a second layer of protection) put a Cisco (or preferably a FreeBSD box running ipfw) in front of it blocking all of the heinous stuff and just let the FW-1 box do some of the granularity. This also protects your FW-1 box from some of the FW-1 related attacks. -Sean To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 17:45:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 374A637B89B for ; Sun, 30 Jul 2000 17:45:40 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id KAA26938; Mon, 31 Jul 2000 10:43:22 +1000 (EST) From: Darren Reed Message-Id: <200007310043.KAA26938@cairo.anu.edu.au> Subject: Re: Problems with natd and simple firewall In-Reply-To: <200007310036.RAA10529@mail.workofstone.net> from "schluntz@timberwolf.workofstone.net" at "Jul 30, 0 05:32:15 pm" To: schluntz@workofstone.com Date: Mon, 31 Jul 2000 10:43:22 +1000 (EST) Cc: freebsd-security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from schluntz@timberwolf.workofstone.net, sie said: > > >> > I came into this mess with mostly only PIX/FW1 experience...
I'll admit > >> > some initial frustration when glancing over the man page, but after I > >> > decided to read it, word for word, and started toying with the examples, > >> > I've found ipfw's syntax/behavior to be (often) more appealing than the > >> > other products I use on a daily basis. > >> > > >> > -mrh > >> > >> one significant advantage of ipfw over FW1, aside from cost, > >> is that ipfw can test on which interface a packet arrives and/or > >> leaves. as far as i know, in FW1 its not possible to act upon packets > >> based upon which interface the packet hits. imagine wanting to screen > >> (spoofed) packets with the inside IP addresses arriving on the outside > >> interface. ;( > > > >If you're using FW-1 on Solaris, you can use IP Filter to do filtering > >before FW-1 in case you don't trust FW-1 :-) > > Or, if you really don't trust FW-1 on Solaris (but need some of its > functionality and like a second layer of protection) put a Cisco (or > preferably a FreeBSD box running ipfw) in front of it blocking all of > the heinous stuff and just let the FW-1 box do some of the granularity. > > This also protects your FW-1 box from some of the FW-1 related attacks.

If you want to "add security" then you put in place something like a box with FWTK or Gauntlet.
Layering packet filters does not add a second layer of protection, IMHO, just lets you stop FW-1 from crashing >;-) But you'd only use ipfw if you didn't know how to run up ipfilter in any case :-) Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 18:51:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc1.il.home.com (ha1.rdc1.il.home.com [24.2.1.66]) by hub.freebsd.org (Postfix) with ESMTP id 2E7C637B93A for ; Sun, 30 Jul 2000 18:51:45 -0700 (PDT) (envelope-from stephen@math.missouri.edu) Received: from math.missouri.edu ([24.12.197.197]) by mail.rdc1.il.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20000731015144.LCYC21928.mail.rdc1.il.home.com@math.missouri.edu>; Sun, 30 Jul 2000 18:51:44 -0700 Message-ID: <3984954F.949BFF58@math.missouri.edu> Date: Sun, 30 Jul 2000 20:51:27 +0000 From: Stephen Montgomery-Smith X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: "Jonathan M. Bresler" Cc: freebsd-security@FreeBSD.ORG Subject: Re: log with dynamic firewall rules References: <20000730232345.650D337B516@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Jonathan M. Bresler" wrote: > > [snip] > > > > All this bad behavior could be stopped by having a rule > > > > add pass tcp from any to any established > > > > before all the other rules, but in that case why have dynamic rules > > at all? > > UDP ? > set your timeouts to match the behavior of your apps. > Ah yes, I had not thought of that. For udp the add pass .... keep-state setup wouldn't work as a means to log establishment only of connections. For udp connections, is it common to want to log establishment only of connections? 
(In fact if this option were allowed for dynamic rules, this would be the only way using ipfw to do this.) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jul 30 18:59:13 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id 2242F37B93A; Sun, 30 Jul 2000 18:59:08 -0700 (PDT) From: FreeBSD Security Advisories Subject: FreeBSD Security Advisory distribution corrected Reply-To: security-advisories@freebsd.org Message-Id: <20000731015908.2242F37B93A@hub.freebsd.org> Date: Sun, 30 Jul 2000 18:59:08 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- It was brought to our attention that for the past month or two, Security Advisory announcements were not being sent through the freebsd-announce and freebsd-security-notifications mailing lists as intended. This problem began when the "From" address on outgoing Security Advisory mails was changed, but these two (closed-posting) mailing lists were not updated with the new address. This has now been corrected and advisories should again become available through all four official sources: freebsd-announce@FreeBSD.org freebsd-security-notifications@FreeBSD.org freebsd-security@FreeBSD.org http://www.freebsd.org/security.html Advisories are also submitted to the bugtraq@securityfocus.com mailing list at time of publication, although this is an external mailing list and FreeBSD has no control over its publication content. We apologise for the inconvenience and suggest that all users consult the list of recently-released advisories at the above website to confirm that they have not missed any of relevance to them. 
Regards, Kris Kennaway On behalf of the FreeBSD Security Officer team

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOYTbt1UuHi5z0oilAQGJ9gQAoJMwbC613F1vbQ28ASaI4PISzf7/mEnI
VWNBg8Xb5YId2RB8VV+xCIGmrmjAvUpGkHOZjdmrDYvHkJPqr+dy3WlTy/Xr14KP
XVmymRrfCl4EZESVr58eDRBx2wK26XZipDlbyzIHWUiWSlCPXbQ2kQCyKQ3JV5ba
CAxLF23Yk6Y=
=vbF7
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jul 30 20:49: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 5DF6C37B81E for ; Sun, 30 Jul 2000 20:49:02 -0700 (PDT) (envelope-from trish@bsdunix.net) Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id XAA23969; Sun, 30 Jul 2000 23:48:14 -0400 (EDT) Date: Sun, 30 Jul 2000 23:48:14 -0400 (EDT) From: Siobhan Patricia Lynch X-Sender: trish@superconductor.rush.net To: Bill Fumerola Cc: Miklos Niedermayer , Mike Hoskins , Darren Reed , Pavol Adamec , freebsd-security@FreeBSD.ORG Subject: Re: ipf or ipfw (was: log with dynamic firewall rules) In-Reply-To: <20000730122718.P5021@jade.chc-chimes.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

heh, remember which sites we are running with ipfw in front of it? maybe there's a problem when it's all on the same box ;) -trish __ Trish Lynch FreeBSD - The Power to Serve trish@bsdunix.net Rush Networking trish@rush.net On Sun, 30 Jul 2000, Bill Fumerola wrote: > On Sat, Jul 29, 2000 at 07:48:21PM +0200, Miklos Niedermayer wrote: > > > > The only real reason I've heard ipf recommended since ipfw got > > > keep-state/check-state is ipnat. > > > > I think that ipfw's statefulness is in a very early stage.
> >
> > It's unusable for any server that makes connections with a lot
> > of clients (irc client server, www server, etc) but is useful
> > for a server that only makes a few connections (application,
> > irc hub server, etc..).
>
> Why? Add 6000 rules to your ipfw-based firewall and see
> what happens.
>
> --
> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
> billf@chimesnet.com / billf@FreeBSD.org
>

From owner-freebsd-security Sun Jul 30 21:05:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 2928D37BA61 for ; Sun, 30 Jul 2000 21:05:40 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com)
Received: by jade.chc-chimes.com (Postfix, from userid 1001) id BE4661C4D; Mon, 31 Jul 2000 00:05:37 -0400 (EDT)
Date: Mon, 31 Jul 2000 00:05:37 -0400
From: Bill Fumerola
To: Siobhan Patricia Lynch
Cc: Miklos Niedermayer, Mike Hoskins, Darren Reed, Pavol Adamec, freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID: <20000731000537.X5021@jade.chc-chimes.com>
References: <20000730122718.P5021@jade.chc-chimes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from trish@bsdunix.net on Sun, Jul 30, 2000 at 11:48:14PM -0400
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jul 30, 2000 at 11:48:14PM -0400, Siobhan Patricia Lynch wrote:
> heh, remember which sites we are running with ipfw in front of it?
>
> maybe there's a problem when it's all on the same box ;)

it's so much fun when we talk in generalities, but know the specifics.
just an example, though using cheesy "benchmarks" lo0 and fetch,

only default allow rule: 16MBps
1000 ip count (no looking into the tcp udp icmp etc): 4MBps

I have the hardware setup right now to start doing real benchmarks and try to make a difference, but ipfw's design doesn't lend itself to large amounts of rules.

Just so Darren doesn't have to say it: maybe I should spend my time looking into ipfilter instead of trying to hack ipfw.

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-security Sun Jul 30 21:38:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 81F9A37BA15 for ; Sun, 30 Jul 2000 21:38:31 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id AAA13789; Mon, 31 Jul 2000 00:38:11 -0400 (EDT)
Date: Mon, 31 Jul 2000 00:38:10 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Bill Fumerola
Cc: Miklos Niedermayer, Mike Hoskins, Darren Reed, Pavol Adamec, freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <20000731000537.X5021@jade.chc-chimes.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Bill Fumerola wrote:

> On Sun, Jul 30, 2000 at 11:48:14PM -0400, Siobhan Patricia Lynch wrote:
> > heh, remember which sites we are running with ipfw in front of it?
> >
> > maybe there's a problem when it's all on the same box ;)
>
> it's so much fun when we talk in generalities, but know the specifics.
>

ahaha, yeah, well, I dunno why I'm so weird about saying that I work at VA Linux

> just an example, though using cheesy "benchmarks" lo0 and fetch,
>
> only default allow rule: 16MBps
> 1000 ip count (no looking into the tcp udp icmp etc): 4MBps
>
> I have the hardware setup right now to start doing real benchmarks
> and try to make a difference, but ipfw's design doesn't lend itself
> to large amounts of rules.

I would almost agree with this, I'm pretty much allowing by default and disallowing to specific IPs depending on what it is. With the three layers (cisco router access-list, ipfw, and the arrowpoint) I don't have to do much other than shield the arrowpoint from certain types of traffic that I've noticed tend to upset it.

that being said, slashdot, freshmeat, thinkgeek, and animfactory have all been fairly happy since moving to exodus (except when someone puts test code on the live site, ugh)

>
> Just so Darren doesn't have to say it: maybe I should spend my time
> looking into ipfilter instead of trying to hack ipfw.
>

it definitely depends on what you are doing, in my case ipfw was pretty much the *only* choice.

> --
> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
> billf@chimesnet.com / billf@FreeBSD.org
>
>

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

From owner-freebsd-security Sun Jul 30 21:48:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 54DF137B969 for ; Sun, 30 Jul 2000 21:48:28 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id OAA19094; Mon, 31 Jul 2000 14:47:47 +1000 (EST)
From: Darren Reed
Message-Id: <200007310447.OAA19094@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 00:38:10 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Mon, 31 Jul 2000 14:47:47 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Siobhan Patricia Lynch, sie said:
> >
> > Just so Darren doesn't have to say it: maybe I should spend my time
> > looking into ipfilter instead of trying to hack ipfw.
> >
>
> it definitely depends on what you are doing, in my case ipfw was
> pretty much the *only* choice.

because...?
From owner-freebsd-security Sun Jul 30 21:51:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 3C13337BAAB for ; Sun, 30 Jul 2000 21:51:29 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id AAA19516; Mon, 31 Jul 2000 00:50:48 -0400 (EDT)
Date: Mon, 31 Jul 2000 00:50:27 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Darren Reed
Cc: schluntz@workofstone.com, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <200007310043.KAA26938@cairo.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Darren Reed wrote:

> If you want to "add security" then you put in place something like a box
> with FWTK or Gauntlet. Layering packet filters does not add a second
> layer of protection, IMHO, just lets you stop FW-1 from crashing >;-)
> But you'd only use ipfw if you didn't know how to run up ipfilter in any
> case :-)
>

well it depends, does ipfilter work with bridging on freebsd? then of course if I was going to use ipfilter and bridging I guess I'd be stuck with OpenBSD (or netbsd?)
-trish

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

From owner-freebsd-security Sun Jul 30 21:53:45 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 49DBD37BA56 for ; Sun, 30 Jul 2000 21:53:41 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id AAA05533; Mon, 31 Jul 2000 00:53:28 -0400 (EDT)
Date: Mon, 31 Jul 2000 00:53:27 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <200007310447.OAA19094@cairo.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

because I'm bridging....

this may just be hearsay, but evidently ipf doesn't work with freebsd and bridging, I have the "firewall" on one wire into the arrowpoint.

-Trish

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > Just so Darren doesn't have to say it: maybe I should spend my time
> > > looking into ipfilter instead of trying to hack ipfw.
> > >
> >
> > it definitely depends on what you are doing, in my case ipfw was
> > pretty much the *only* choice.
>
> because...?
>
>

From owner-freebsd-security Sun Jul 30 23:59:02 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 694A137B94F for ; Sun, 30 Jul 2000 23:58:53 -0700 (PDT) (envelope-from cjc@184.215.6.64.reflexcom.com)
Received: from 184.215.6.64.reflexcom.com ([64.6.215.184]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 30 Jul 2000 23:57:54 -0700
Received: (from cjc@localhost) by 184.215.6.64.reflexcom.com (8.9.3/8.9.3) id XAA28887; Sun, 30 Jul 2000 23:58:51 -0700 (PDT) (envelope-from cjc)
Date: Sun, 30 Jul 2000 23:58:51 -0700
From: "Crist J . Clark"
To: "Jonathan M. Bresler"
Cc: mike@adept.org, stephen@math.missouri.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000730235851.B26209@184.215.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20000730192717.7C78237B717@hub.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000730192717.7C78237B717@hub.freebsd.org>; from jmb@hub.freebsd.org on Sun, Jul 30, 2000 at 12:27:17PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jul 30, 2000 at 12:27:17PM -0700, Jonathan M. Bresler wrote:
> >
> > I came into this mess with mostly only PIX/FW1 experience... I'll admit
> > some initial frustration when glancing over the man page, but after I
> > decided to read it, word for word, and started toying with the examples,
> > I've found ipfw's syntax/behavior to be (often) more appealing than the
> > other products I use on a daily basis.
> >
> > -mrh
>
> one significant advantage of ipfw over FW1, aside from cost,
> is that ipfw can test on which interface a packet arrives and/or
> leaves. as far as i know, in FW1 it's not possible to act upon packets
> based upon which interface the packet hits. imagine wanting to screen
> (spoofed) packets with the inside IP addresses arriving on the outside
> interface. ;(

IIRC, you can act on packets depending on the interface. However, you cannot access this functionality through that @#*% GUI policy manager; you need to hack the script that the GUI generates which FW-1 actually eats.

Once again, a GUI being used where a GUI should not be used... yet the GUI is probably why FW-1 is so popular. Similar situation to a certain popular operating system. The uninitiated think it is easier to admin because it has a GUI when, if anything, the GUI gets in the way of any experienced admin. To be nice, I won't mention the OS by name, but its initials are NT.

--
Crist J. Clark                           cjclark@alum.mit.com

From owner-freebsd-security Mon Jul 31 0:34:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ux1.ibb.net (ibb0005.ibb.uu.nl [131.211.124.5]) by hub.freebsd.org (Postfix) with ESMTP id 0A1BB37BB06 for ; Mon, 31 Jul 2000 00:34:07 -0700 (PDT) (envelope-from reinoud@ibb.net)
Received: from localhost (reinoud@localhost) by ux1.ibb.net (8.9.3/8.9.3/UX1TT) with SMTP id JAA12177; Mon, 31 Jul 2000 09:33:49 +0200
Date: Mon, 31 Jul 2000 09:33:49 +0200 (MET DST)
From: Reinoud
To: Siobhan Patricia Lynch
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Siobhan Patricia Lynch wrote:

> because I'm bridging....
>
> this may just be hearsay, but evidently ipf doesn't work with freebsd and
> bridging, I have the "firewall" on one wire into the arrowpoint.
>

Aside from what's possible and what isn't, I do not understand why you want to use an ipfilter if you are bridging.

Reinoud.

From owner-freebsd-security Mon Jul 31 5:17:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id B458337BA9C for ; Mon, 31 Jul 2000 05:17:31 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id WAA24806; Mon, 31 Jul 2000 22:17:19 +1000 (EST)
From: Darren Reed
Message-Id: <200007311217.WAA24806@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 00:53:27 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Mon, 31 Jul 2000 22:17:19 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Siobhan Patricia Lynch, sie said:
> because I'm bridging....
>
> this may just be hearsay, but evidently ipf doesn't work with freebsd and
> bridging, I have the "firewall" on one wire into the arrowpoint.

Well, if you're doing layer 2 forwarding (i.e. bridging) then of course layer 3 filtering (IP firewalling) is going to be a problem.

I could give you a patch to enable IP Filter to work here but I'm not sure I want to give implicit support to that sort of "thing".
Heck, I look at it now (haven't before) and instantly see a bunch of ways to crash FreeBSD because a bunch of sanity checks are not being done before ip_fw_chk() is called if I can write layer 2 packets for FreeBSD to bridge - and that's without even testing. In essence, a bunch of code from the start of ip_input() needs to be duplicated and hasn't. That it is needed for what you want to do (ipfw for bridging) should speak volumes about this being the wrong way to skin this particular cat.

Darren

From owner-freebsd-security Mon Jul 31 6:07:24 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 1E29937BAB8 for ; Mon, 31 Jul 2000 06:07:15 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id JAA19463; Mon, 31 Jul 2000 09:07:01 -0400 (EDT)
Date: Mon, 31 Jul 2000 09:07:01 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <200007311217.WAA24806@cairo.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unfortunately, it was put in as a stop gap. you have to remember that certain people were opposed to me doing ANYTHING at first, however I have not had a problem to date. and the traffic flowing through it is quite heavy.
no one is going to convince me that ipfw is the wrong thing for the job, maybe not the *best* thing, but that simply means that I would have needed an openbsd disk in an emergency at that particular time and had I had the cd's, well we wouldn't be having this discussion on a *freebsd* list, eh?

-Trish

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > because I'm bridging....
> >
> > this may just be hearsay, but evidently ipf doesn't work with freebsd and
> > bridging, I have the "firewall" on one wire into the arrowpoint.
>
> Well, if you're doing layer 2 forwarding (i.e. bridging) then of course
> layer 3 filtering (IP firewalling) is going to be a problem.
>
> I could give you a patch to enable IP Filter to work here but I'm not
> sure I want to give implicit support to that sort of "thing".
>
> Heck, I look at it now (haven't before) and instantly see a bunch of
> ways to crash FreeBSD because a bunch of sanity checks are not being
> done before ip_fw_chk() is called if I can write layer 2 packets for
> FreeBSD to bridge - and that's without even testing. In essence, a
> bunch of code from the start of ip_input() needs to be duplicated and
> hasn't. That it is needed for what you want to do (ipfw for bridging)
> should speak volumes about this being the wrong way to skin this
> particular cat.
>
> Darren
>

From owner-freebsd-security Mon Jul 31 6:21:09 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 6D79F37BAB4 for ; Mon, 31 Jul 2000 06:21:04 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 13092 invoked by uid 0); 31 Jul 2000 13:21:02 -0000
Received: from pc19f60d9.dip.t-dialin.net (HELO speedy.gsinet) (193.159.96.217) by mail.gmx.net with SMTP; 31 Jul 2000 13:21:02 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id HAA04185 for freebsd-security@FreeBSD.ORG; Mon, 31 Jul 2000 07:04:59 +0200
Date: Mon, 31 Jul 2000 07:04:59 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <20000731070459.M24476@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References: <20000730194202.447F937B6C1@hub.freebsd.org> <3984AB32.53B8D793@math.missouri.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3984AB32.53B8D793@math.missouri.edu>; from stephen@math.missouri.edu on Sun, Jul 30, 2000 at 05:24:50PM -0500
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jul 30, 2000 at 17:24 -0500, stephen@math.missouri.edu wrote:
>
> All this bad behavior could be stopped by having a rule
>
> add pass tcp from any to any established
>
> before all the other rules, but in that case why have dynamic
> rules at all?

It depends on the criterion behind the "established" keyword. Do you have a state table on your own or do you believe in a (foreign!) TCP packet flag? The latter would be very much like putting a guard at the door having people pass through based on their(!) answer to the question "are you allowed to walk in?".
There's no real point in doing so without comparing the answer against what the guard should think who's allowed. Admittedly, when the "guest" has no appointment and thus nobody to talk to or to walk around with, he cannot "misinform" or "misinstruct" an employee. But what are they doing in the building in the first place?

May I suggest reading the ipfilter HowTo at http://www.obfuscation.org/ipf/ ? It has a lot of general stuff so it's of use for anyone implementing a packet filter. But using anything other than ipf after reading this you notice what's missing. :) Unless others have caught up. But I feel they're just about to do so. Until then I prefer the original with the code that has been around for a while. :)

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Mon Jul 31 6:24:13 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 5324437BB20 for ; Mon, 31 Jul 2000 06:24:05 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id XAA29849; Mon, 31 Jul 2000 23:23:55 +1000 (EST)
From: Darren Reed
Message-Id: <200007311323.XAA29849@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 09:07:01 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Mon, 31 Jul 2000 23:23:55 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Siobhan Patricia Lynch, sie said:
> unfortunately, it was put in as a stop gap. you have to remember that
> certain people were opposed to me doing ANYTHING at first, however I have
> not had a problem to date. and the traffic flowing through it is quite
> heavy.

It occurs to me that perhaps these people should have been listened to more closely...

> no one is going to convince me that ipfw is the wrong thing for the job,
> maybe not the *best* thing, but that simply means that I would have needed
> an openbsd disk in an emergency at that particular time and had I had the
> cd's, well we wouldn't be having this discussion on a *freebsd* list,
> eh?

Well, had you gone the OpenBSD route you wouldn't have introduced a number of bugs which can lead to a system doing filtering on bridged packets going "boom". This is the sort of careless activity that leads to security holes being introduced - and what's worse, it could have been avoided. Maybe the post to bugtraq about this should list you personally as the reason to blame if you want to claim the responsibility for it (ipfw for bridging) being introduced.

Darren

p.s. I'm indifferent to what OS you chose, but not so to blatantly buggy code being added to the kernel. Nobody reviewed it either? SIGH!
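Darren's point here and in his earlier message in this thread is that the bridge path can hand a frame to ip_fw_chk() without the header sanity checks that the start of ip_input() would otherwise have done. As an added illustration (not FreeBSD source and not code from anyone on this list), here is the kind of gate a layer 2 filter hook needs in front of its rule evaluator: it validates the IPv4 header of a bridged Ethernet frame before any field is read from it. The verdict names, the frame builder and the sample frames are all constructed for this example.

```c
/* Added example (not FreeBSD source, not code from any poster in this thread):
 * the header sanity checks a layer 2 filter hook must run before handing a
 * bridged frame to a rule evaluator such as ip_fw_chk(). All names, verdicts
 * and sample frames below are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN    14
#define IP_MIN_HLEN 20

enum verdict {
    PASS_TO_RULES = 0, /* header is sane; rule evaluation may read it */
    NOT_IPV4,          /* other EtherType: never treat the payload as IP */
    TOO_SHORT,         /* fewer bytes present than a minimal IP header */
    BAD_VERSION,       /* version nibble is not 4 */
    BAD_HLEN,          /* IHL below 5 words or beyond the bytes present */
    BAD_TOTAL_LEN,     /* ip_len smaller than the header or larger than captured */
    BAD_CHECKSUM       /* header checksum does not verify */
};

/* RFC 791 one's-complement sum over the header; yields 0 when the stored
 * checksum is correct. hlen is a multiple of 4, so there is no odd tail. */
static uint16_t ip_header_cksum(const uint8_t *h, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The checks ip_input() does before any filter hook sees the packet, applied
 * to a raw IPv4 header of which only `present` bytes are in the buffer. */
enum verdict ipv4_header_sanity(const uint8_t *ip, size_t present)
{
    if (present < IP_MIN_HLEN)
        return TOO_SHORT;
    if ((ip[0] >> 4) != 4)
        return BAD_VERSION;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > present)
        return BAD_HLEN;          /* options would be read past the buffer */
    size_t total = (size_t)((ip[2] << 8) | ip[3]);
    if (total < hlen || total > present)
        return BAD_TOTAL_LEN;     /* claimed length disagrees with the data */
    if (ip_header_cksum(ip, hlen) != 0)
        return BAD_CHECKSUM;
    return PASS_TO_RULES;
}

/* Gate for a bridged Ethernet frame: only IPv4 payloads that pass the header
 * checks may reach the rule evaluator; everything else is dropped unread. */
enum verdict bridge_filter_gate(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN)
        return TOO_SHORT;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != 0x0800)
        return NOT_IPV4;
    return ipv4_header_sanity(frame + ETH_HLEN, len - ETH_HLEN);
}

/* Build a constructed test frame: `ihl` in 32-bit words, `total` written to
 * the IP total-length field, `payload` zero bytes appended after a 20-byte
 * header. Returns the number of bytes written. */
size_t make_frame(uint8_t *out, uint16_t ethertype, uint8_t ihl,
                  uint16_t total, size_t payload, int corrupt_cksum)
{
    size_t len = ETH_HLEN + IP_MIN_HLEN + payload;
    memset(out, 0, len);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)ethertype;
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    ip[2] = (uint8_t)(total >> 8);
    ip[3] = (uint8_t)total;
    ip[8] = 64;                                   /* TTL */
    ip[9] = 6;                                    /* protocol: TCP */
    memcpy(ip + 12, "\x0a\x00\x00\x01", 4);       /* constructed src 10.0.0.1 */
    memcpy(ip + 16, "\x0a\x00\x00\x02", 4);       /* constructed dst 10.0.0.2 */
    uint16_t c = ip_header_cksum(ip, IP_MIN_HLEN); /* trailing zeros are neutral */
    ip[10] = (uint8_t)(c >> 8);
    ip[11] = (uint8_t)c;
    if (corrupt_cksum)
        ip[11] ^= 0xff;
    return len;
}

/* Build one frame and gate it; use_len > 0 simulates a truncated buffer. */
enum verdict gate_case(uint16_t ethertype, uint8_t ihl, uint16_t total,
                       size_t payload, int corrupt_cksum, size_t use_len)
{
    uint8_t frame[256];
    size_t len = make_frame(frame, ethertype, ihl, total, payload, corrupt_cksum);
    return bridge_filter_gate(frame, use_len ? use_len : len);
}

int main(void)
{
    printf("well-formed: %d\n", gate_case(0x0800, 5, 40, 20, 0, 0));   /* 0 */
    printf("truncated:   %d\n", gate_case(0x0800, 5, 40, 20, 0, 29));  /* 2 */
    printf("ihl past end:%d\n", gate_case(0x0800, 15, 40, 20, 0, 0));  /* 4 */
    printf("bad cksum:   %d\n", gate_case(0x0800, 5, 40, 20, 1, 0));   /* 6 */
    return 0;
}
```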
From owner-freebsd-security Mon Jul 31 8:22:00 2000
Delivered-To: freebsd-security@freebsd.org
Received: from njord.bart.nl (njord.bart.nl [194.158.170.15]) by hub.freebsd.org (Postfix) with ESMTP id 7A96937BC11; Mon, 31 Jul 2000 08:21:50 -0700 (PDT) (envelope-from asmodai@wxs.nl)
Received: from daemon.ninth-circle.org (root@daemon.ninth-circle.org [195.38.210.81]) by njord.bart.nl (8.10.1/8.10.1) with ESMTP id e6VFLbE53601; Mon, 31 Jul 2000 17:21:37 +0200 (CEST)
Received: (from asmodai@localhost) by daemon.ninth-circle.org (8.9.3/8.9.3) id RAA36035; Mon, 31 Jul 2000 17:21:30 +0200 (CEST) (envelope-from asmodai)
Date: Mon, 31 Jul 2000 17:21:29 +0200
From: Jeroen Ruigrok/Asmodai
To: Kris Kennaway
Cc: Robert Watson, freebsd-security@FreeBSD.org, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
Message-ID: <20000731172129.J32129@daemon.ninth-circle.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from kris@FreeBSD.org on Thu, Jul 27, 2000 at 11:06:45PM -0700
Organisation: Ninth-Circle Enterprises
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-On [20000728 10:00], Kris Kennaway (kris@FreeBSD.org) wrote:
>Several people had weird problems with 0.9.5a which I could never
>reproduce or track down - this made me nervous to merge it. If I had some
>success stories of people who have successfully run SSL webservers using
>it in -current it might ease my fears somewhat :-)

How do I test it?

I want these issues resolved. ;)

--
Jeroen Ruigrok vd Werven/Asmodai    asmodai@[wxs.nl|bart.nl|freebsd.org]
Documentation nutter/C-rated Coder  BSD: Technical excellence at its best
The BSD Programmer's Documentation Project
Abandon hope, all ye who enter here...
From owner-freebsd-security Mon Jul 31 8:39:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 94A5A37BBD4 for ; Mon, 31 Jul 2000 08:39:23 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id LAA10910; Mon, 31 Jul 2000 11:39:02 -0400 (EDT)
Date: Mon, 31 Jul 2000 11:39:01 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <200007311323.XAA29849@cairo.anu.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

funny, the amount of traffic we do, and it hasn't gone boom yet

tell me how to reproduce it, and well, if I crash it, then I'll switch, you'll have to do some convincing first.

like I said, I do some pretty insane traffic through this thing and I haven't had *any* problems to date.

-Trish

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > unfortunately, it was put in as a stop gap. you have to remember that
> > certain people were opposed to me doing ANYTHING at first, however I have
> > not had a problem to date. and the traffic flowing through it is quite
> > heavy.
>
> It occurs to me that perhaps these people should have been listened to
> more closely...
>
> > no one is going to convince me that ipfw is the wrong thing for the job,
> > maybe not the *best* thing, but that simply means that I would have needed
> > an openbsd disk in an emergency at that particular time and had I had the
> > cd's, well we wouldn't be having this discussion on a *freebsd* list,
> > eh?
>
> Well, had you gone the OpenBSD route you wouldn't have introduced a number
> of bugs which can lead to a system doing filtering on bridged packets going
> "boom". This is the sort of careless activity that leads to security holes
> being introduced - and what's worse, it could have been avoided. Maybe the
> post to bugtraq about this should list you personally as the reason to blame
> if you want to claim the responsibility for it (ipfw for bridging) being
> introduced.
>
> Darren
>
> p.s. I'm indifferent to what OS you chose, but not so to blatantly buggy
> code being added to the kernel. Nobody reviewed it either? SIGH!
>

From owner-freebsd-security Mon Jul 31 8:39:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id BB4E437BBD4; Mon, 31 Jul 2000 08:39:48 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id LAA06423; Mon, 31 Jul 2000 11:39:39 -0400 (EDT)
Date: Mon, 31 Jul 2000 11:39:38 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Jeroen Ruigrok/Asmodai
Cc: Kris Kennaway, Robert Watson, freebsd-security@FreeBSD.ORG, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
In-Reply-To: <20000731172129.J32129@daemon.ninth-circle.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've been playing with it, I wonder under what conditions they are seeing weirdness, because I'm not.

__
Trish Lynch                 FreeBSD - The Power to Serve
trish@bsdunix.net           Rush Networking
trish@rush.net

On Mon, 31 Jul 2000, Jeroen Ruigrok/Asmodai wrote:

> -On [20000728 10:00], Kris Kennaway (kris@FreeBSD.org) wrote:
> >Several people had weird problems with 0.9.5a which I could never
> >reproduce or track down - this made me nervous to merge it. If I had some
> >success stories of people who have successfully run SSL webservers using
> >it in -current it might ease my fears somewhat :-)
>
> How do I test it?
>
> I want these issues resolved. ;)
>
> --
> Jeroen Ruigrok vd Werven/Asmodai    asmodai@[wxs.nl|bart.nl|freebsd.org]
> Documentation nutter/C-rated Coder  BSD: Technical excellence at its best
> The BSD Programmer's Documentation Project
> Abandon hope, all ye who enter here...
>
>

From owner-freebsd-security Mon Jul 31 9:35:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by hub.freebsd.org (Postfix) with ESMTP id 4037F37BB3B for ; Mon, 31 Jul 2000 09:35:24 -0700 (PDT) (envelope-from bokr@accessone.com)
Received: from [129.250.38.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp (Exim 3.12 #7) id 13JIXA-0000uz-00; Mon, 31 Jul 2000 16:35:20 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp3.email.verio.net with smtp (Exim 3.15 #4) id 13JIX9-0003Mp-00; Mon, 31 Jul 2000 16:35:19 +0000
Message-Id: <3.0.5.32.20000731093859.0094a100@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 31 Jul 2000 09:38:59 -0700
To: Igor Roshchin
From: Bengt Richter
Subject: Re: ?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <200007301834.OAA44308@giganda.komkon.org>
References: <3.0.5.32.20000729160602.00914500@mail.accessone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 14:34 2000-07-30 -0400 Igor Roshchin wrote:
>> Date: Sat, 29 Jul 2000 16:06:02 -0700
>> To: Mitch Collinsworth
>> From: Bengt Richter
>> Subject: Re: ?
>> Cc: freebsd-security@FreeBSD.ORG
>>
>> At 07:41 2000-07-28 -0400 Mitch Collinsworth wrote:
>> >suggest addressing any complaints to the lists admin and to the address
>> >in his X-Complaints-To: header, usenet@news.kharkiv.net.
>> >
>>
>> The "arkiv" in kharkiv.net suggests the idea that they're subscribing
>> to various lists to do automatic archiving.
>> I would like access to that,
>
><..>
>
>Just FYI: Kharkiv is one of the largest cities in Ukraine.
>

I would have recognized Kharkov, (with 'o') but what was I thinking?
Goes to show you how too much coffee + fixation.with.current.idea will filter reality.

But what about the idea? I.e., is there an archive forming that we could have some eventual beneficial symbiosis with?
(Or are we going to be spammed with Cyrillic ?;-)

Regards,
Bengt Richter

From owner-freebsd-security Mon Jul 31 10: 4:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from warf.msc.cornell.edu (warf.msc.cornell.edu [128.84.249.249]) by hub.freebsd.org (Postfix) with ESMTP id 5004037BB95 for ; Mon, 31 Jul 2000 10:04:06 -0700 (PDT) (envelope-from mitch@ccmr.cornell.edu)
Received: from khitomer.msc.cornell.edu (IDENT:0@khitomer.msc.cornell.edu [128.84.249.245]) by warf.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id NAA28429; Mon, 31 Jul 2000 13:04:03 -0400
Received: from localhost (mitch@localhost) by khitomer.msc.cornell.edu (8.9.3/8.9.3) with ESMTP id NAA17067; Mon, 31 Jul 2000 13:04:02 -0400
X-Authentication-Warning: khitomer.msc.cornell.edu: mitch owned process doing -bs
Date: Mon, 31 Jul 2000 13:04:02 -0400 (EDT)
From: Mitch Collinsworth
To: Bengt Richter
Cc: Igor Roshchin , freebsd-security@FreeBSD.ORG
Subject: Re: ?
In-Reply-To: <3.0.5.32.20000731093859.0094a100@mail.accessone.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Bengt Richter wrote:

> But what about the idea? I.e., is there an archive forming
> that we could have some eventual beneficial symbiosis with?
> (Or are we going to be spammed with Cyrillic ?;-)

Why don't you write them and ask? The rest of us surely don't know what they're up to.
-Mitch

From owner-freebsd-security Mon Jul 31 11:26:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dfw-smtpout2.email.verio.net (dfw-smtpout2.email.verio.net [129.250.36.42]) by hub.freebsd.org (Postfix) with ESMTP id 90C8E37BE21 for ; Mon, 31 Jul 2000 11:26:40 -0700 (PDT) (envelope-from bokr@accessone.com)
Received: from [129.250.38.63] (helo=dfw-mmp3.email.verio.net) by dfw-smtpout2.email.verio.net with esmtp (Exim 3.12 #7) id 13JKGn-0006wu-00; Mon, 31 Jul 2000 18:26:33 +0000
Received: from [204.250.68.168] (helo=gazelle) by dfw-mmp3.email.verio.net with smtp (Exim 3.15 #4) id 13JKGm-0004Ze-00; Mon, 31 Jul 2000 18:26:33 +0000
Message-Id: <3.0.5.32.20000731113018.00957520@mail.accessone.com>
X-Sender: bokr@mail.accessone.com
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 31 Jul 2000 11:30:18 -0700
To: Mitch Collinsworth
From: Bengt Richter
Subject: Re: ?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <3.0.5.32.20000731093859.0094a100@mail.accessone.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 13:04 2000-07-31 -0400 Mitch Collinsworth wrote:
>
>
>On Mon, 31 Jul 2000, Bengt Richter wrote:
>
>> But what about the idea? I.e., is there an archive forming
>> that we could have some eventual beneficial symbiosis with?
>> (Or are we going to be spammed with Cyrillic ?;-)
>
>Why don't you write them and ask? The rest of us surely don't know
>what they're up to.
>

Since they apparently subscribe, I assumed I was/am doing that (indirectly, but hopefully with added chance of someone there noticing).

Sorry to bother anyone uninterested. This will be my last on this ((probably too) indirectly security-related) subject. Perhaps someone there (or here - Postmaster decisions?)
will make a status announcement in due time.

Regards,
Bengt Richter

From owner-freebsd-security Mon Jul 31 11:50:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.infowest.com (ns1.infowest.com [204.17.177.10]) by hub.freebsd.org (Postfix) with ESMTP id 7952137B50F for ; Mon, 31 Jul 2000 11:50:26 -0700 (PDT) (envelope-from root@infowest.com)
Received: by ns1.infowest.com (Postfix, from userid 0) id B214E210AF; Mon, 31 Jul 2000 12:50:23 -0600 (MDT)
To: security@freebsd.org
Subject: RE: log with dynamic firewall rules
Reply-To:
From: "Aaron D. Gifford"
Message-Id: <20000731185023.B214E210AF@ns1.infowest.com>
Date: Mon, 31 Jul 2000 12:50:23 -0600 (MDT)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding the mention of the various sysctl timeouts on dynamic rules, I posted a patch to this list a week or two ago that added the ability for an individual rule to override the default sysctl dynamic rule lifetime on a rule-by-rule basis. It works great. I just do:

ipfw add 90 permit tcp from ${myip} to any 22 out setup keep-state lifetime 86400

The "lifetime 86400" extends the timeout for ONLY this rule past the default 5 minutes (300 seconds) that the sysctl variable uses to a full day. That gets rid of the annoying problems of frozen sessions because I left it idle too long while still keeping the shorter default for things like HTTP sessions where the default 300 seconds is plenty and I really wouldn't want it increased.

Will the next version of ipfirewall have the ability to adjust timeouts on a rule-by-rule basis? The 5-day timeout is fine and all for most folks, but I would love the ability to shorten things on a case-by-case basis where I know the TCP session in question should not be idle that long.

Aaron out.
From owner-freebsd-security Mon Jul 31 13:17:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sn1oexchr01.nextvenue.com (sn1oexchr01.nextvenue.com [63.209.169.9]) by hub.freebsd.org (Postfix) with SMTP id 9098437B708 for ; Mon, 31 Jul 2000 13:17:18 -0700 (PDT) (envelope-from nevans@nextvenue.com)
Received: FROM sn1exchmbx.nextvenue.com BY sn1oexchr01.nextvenue.com ; Mon Jul 31 16:15:24 2000 -0400
Received: by sn1exchmbx.nextvenue.com with Internet Mail Service (5.5.2650.21) id ; Mon, 31 Jul 2000 16:12:45 -0400
Message-ID: <712384017032D411AD7B0001023D799B33B17A@sn1exchmbx.nextvenue.com>
From: Nick Evans
To: 'Siobhan Patricia Lynch' , Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: ipf or ipfw (was: log with dynamic firewall rules)
Date: Mon, 31 Jul 2000 16:12:45 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BFFB2B.B07A8C10"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

OpenBSD to the rescue anyone?

-----Original Message-----
From: Siobhan Patricia Lynch [mailto:trish@bsdunix.net]
Sent: Monday, July 31, 2000 12:53 AM
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)

because I'm bridging....

this may just be hearsay, but evidently ipf doesn't work with freebsd and bridging, I have the "firewall" on one wire into the arrowpoint.
-Trish

__
Trish Lynch
FreeBSD - The Power to Serve    trish@bsdunix.net
Rush Networking                 trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > >
> > > Just so Darren doesn't have to say it: maybe I should spend my time
> > > looking into ipfilter instead of trying to hack ipfw.
> > >
> >
> >     it definitely depends on what you are doing, in my case ipfw was
> > pretty much the *only* choice.
>
> because...?

From owner-freebsd-security Mon Jul 31 13:54:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.osd.bsdi.com (zippy.osd.bsdi.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 4021137B5A0 for ; Mon, 31 Jul 2000 13:54:54 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.osd.bsdi.com (8.9.3/8.9.3) with ESMTP id NAA02531; Mon, 31 Jul 2000 13:54:53 -0700 (PDT) (envelope-from jkh@zippy.osd.bsdi.com)
To: Darren Reed
Cc: trish@bsdunix.net (Siobhan Patricia Lynch), freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-reply-to: Your message of "Mon, 31 Jul 2000 23:23:55 +1000." <200007311323.XAA29849@cairo.anu.edu.au>
Date: Mon, 31 Jul 2000 13:54:53 -0700
Message-ID: <2528.965076893@localhost>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Well, had you gone the OpenBSD route you wouldn't have introduced a number
> of bugs which can lead to a system doing filtering on bridged packets going
> "boom". This is the sort of careless activity that leads to security holes

I think you're probably forgetting that there are few alternatives to ipfw in FreeBSD right now. ipfilter is sort of an alternative, but it's also been very poorly maintained until recently in FreeBSD and the author doesn't respond to bug reports or ipfilter related discussions when they come up in various FreeBSD mailing lists.
:)

- Jordan

From owner-freebsd-security Mon Jul 31 14: 0:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 0594137B7D0 for ; Mon, 31 Jul 2000 14:00:12 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id GAA28275; Tue, 1 Aug 2000 06:59:56 +1000 (EST)
From: Darren Reed
Message-Id: <200007312059.GAA28275@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <2528.965076893@localhost> from "Jordan K. Hubbard" at "Jul 31, 0 01:54:53 pm"
To: jkh@zippy.osd.bsdi.com (Jordan K. Hubbard)
Date: Tue, 1 Aug 2000 06:59:55 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, trish@bsdunix.net, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Jordan K. Hubbard, sie said:
> > Well, had you gone the OpenBSD route you wouldn't have introduced a number
> > of bugs which can lead to a system doing filtering on bridged packets going
> > "boom". This is the sort of careless activity that leads to security holes
>
> I think you're probably forgetting that there are few alternatives to
> ipfw in FreeBSD right now. ipfilter is sort of an alternative, but
> it's also been very poorly maintained until recently in FreeBSD and
> the author doesn't respond to bug reports or ipfilter related
> discussions when they come up in various FreeBSD mailing lists.
> :)

The author is extremely busy and rest assured that generic problems (such as those with the FTP proxy) and already deletes enough email but isn't opposed to adding more ;-)

btw, I am glad to see that FreeBSD PR's for IP Filter are being assigned to me - they're something I can't hide from and can't accidentally delete either :)

Darren

From owner-freebsd-security Mon Jul 31 14: 5: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id A239037BCF8 for ; Mon, 31 Jul 2000 14:05:00 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id HAA28604; Tue, 1 Aug 2000 07:04:53 +1000 (EST)
From: Darren Reed
Message-Id: <200007312104.HAA28604@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 11:39:01 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Tue, 1 Aug 2000 07:04:52 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Siobhan Patricia Lynch, sie said:
> funny, the amount of traffic we do, and it hasn't gone boom yet
>
> tell me how to reproduce it, and well, if I crash it, then I'll switch,
> you'll have to do some convincing first.
>
> like I said, I do some pretty insane traffic through this thing and I
> haven't had *any* problems to date.

Send an ethernet frame which consists of only an ethernet header with ETHERTYPE_IP (i.e. 14 bytes in size or so) or any IP packet with a collection of values in the IP header which are insane.
Darren

From owner-freebsd-security Mon Jul 31 14:11:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id C309837BCDC for ; Mon, 31 Jul 2000 14:11:43 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id HAA29084; Tue, 1 Aug 2000 07:11:36 +1000 (EST)
From: Darren Reed
Message-Id: <200007312111.HAA29084@cairo.anu.edu.au>
Subject: Bridge filtering can cause crash
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Tue, 1 Aug 2000 07:11:36 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just in case anyone is wondering, if you look at the bridge_filter() routine in /sys/net/if_bridge.c for OpenBSD, you will see that it does a number of sanity checks on the packet - none of which FreeBSD does - before passing it to the filtering routine(s).
Darren

From owner-freebsd-security Mon Jul 31 14:26:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id C9DE837B553; Mon, 31 Jul 2000 14:26:48 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA91726; Mon, 31 Jul 2000 14:26:48 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Mon, 31 Jul 2000 14:26:48 -0700 (PDT)
From: Kris Kennaway
To: Siobhan Patricia Lynch
Cc: Jeroen Ruigrok/Asmodai , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Siobhan Patricia Lynch wrote:

> I've been playing with it, I wonder under what conditions they are seeing
> weirdness, because I'm not.

Install the apache-modssl port, generate a test certificate, and try connecting to it from netscape on a client. One or two people were getting certificate verification errors when they did this (with Netscape) but IE worked fine.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Mon Jul 31 21:45:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hormann.tzo.cc (cvg-29-15-234.cinci.rr.com [24.29.15.234]) by hub.freebsd.org (Postfix) with ESMTP id 100E737BE06 for ; Mon, 31 Jul 2000 21:45:46 -0700 (PDT) (envelope-from ghormann@alumni.indiana.edu)
Received: from localhost (ghormann@localhost) by hormann.tzo.cc (8.9.3/8.9.3) with ESMTP id AAA89536 for ; Tue, 1 Aug 2000 00:45:27 -0400 (EDT) (envelope-from ghormann@alumni.indiana.edu)
X-Authentication-Warning: hormann.tzo.cc: ghormann owned process doing -bs
Date: Tue, 1 Aug 2000 00:45:26 -0400 (EDT)
From: Greg Hormann
X-Sender: ghormann@hormann.tzo.cc
To: security@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Today I noticed that my FreeBSD nat server was getting an extremely high number of packet hits. Turns out that my socks5 server was under some type of attack from multiple hosts. Looks like it started at about 2pm and ran until I shut Socks5 down just after midnight.

Turns out the permit line in my socks5.conf just contained "-", a left over from my dialup days. Not understanding exactly how the SOCKS protocol works, I wonder

(1) What damage might this have done? The destination port appears to always be 6112. Anybody know what is on this port?

(2) What's the best way to block this? If I block external access to the Socks5 port in my firewall will socks5 still work? Should I just use a permit/auth statement?

Thanks for any input.

Greg.
Aug 1 00:13:51 hormann Socks5[89393]: TCP Connection Established: Connect (24.141.20.175:3560 to 216.148.246.9:6112) for user
Aug 1 00:13:52 hormann Socks5[89394]: TCP Connection Request: Connect (24.141.20.175:3561 to 216.148.246.9:6112) for user
Aug 1 00:14:06 hormann Socks5[89397]: TCP Connection Terminated: Normal (24.141.20.175:3580 to 216.148.246.9:6112) for user : 1 bytes out, 0 bytes in

From owner-freebsd-security Mon Jul 31 21:53:10 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 0A64C37BE58 for ; Mon, 31 Jul 2000 21:53:03 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 33807 invoked by uid 1000); 1 Aug 2000 04:52:59 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Aug 2000 04:52:59 -0000
Date: Mon, 31 Jul 2000 23:52:59 -0500 (CDT)
From: Mike Silbersack
To: Greg Hormann
Cc: security@freebsd.org
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 1 Aug 2000, Greg Hormann wrote:

> Turns out the permit line in my socks5.conf just contained "-", a left
> over from my dialup days. Not understanding exactly how the SOCKS
> protocol works, I wonder
>
> (1) What damage might this have done? The destination port appears to
> always be 6112. Anybody know what is on this port?

That's the port battle.net servers use, but I'm not certain if the address you listed is one of them or not. If it is, don't let angry diablo / starcraft fans find you. (Direct them to the person relaying through you instead!)
Mike "Silby" Silbersack

From owner-freebsd-security Mon Jul 31 21:58:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 3795C37B52F for ; Mon, 31 Jul 2000 21:58:22 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 33826 invoked by uid 1000); 1 Aug 2000 04:58:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Aug 2000 04:58:21 -0000
Date: Mon, 31 Jul 2000 23:58:21 -0500 (CDT)
From: Mike Silbersack
To: Greg Hormann
Cc: security@freebsd.org
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 31 Jul 2000, Mike Silbersack wrote:

> On Tue, 1 Aug 2000, Greg Hormann wrote:
>
> > (1) What damage might this have done? The destination port appears to
> > always be 6112. Anybody know what is on this port?
>
> That's the port battle.net servers use, but I'm not certain if the address
> you listed is one of them or not.

Well, guess I could've looked before sending that last message:

;; ANSWER SECTION:
uswest.battle.net.      1H IN A  216.148.246.8
uswest.battle.net.      1H IN A  216.148.246.7
uswest.battle.net.      1H IN A  216.148.246.9

Mike "Silby" Silbersack

From owner-freebsd-security Tue Aug 1 2:23:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from njord.bart.nl (njord.bart.nl [194.158.170.15]) by hub.freebsd.org (Postfix) with ESMTP id EE67237BF14; Tue, 1 Aug 2000 02:23:42 -0700 (PDT) (envelope-from asmodai@wxs.nl)
Received: from daemon.ninth-circle.org (root@daemon.ninth-circle.org [195.38.210.81]) by njord.bart.nl (8.10.1/8.10.1) with ESMTP id e719NR001694; Tue, 1 Aug 2000 11:23:28 +0200 (CEST)
Received: (from asmodai@localhost) by daemon.ninth-circle.org (8.9.3/8.9.3) id LAA54136; Tue, 1 Aug 2000 11:20:08 +0200 (CEST) (envelope-from asmodai)
Date: Tue, 1 Aug 2000 11:20:07 +0200
From: Jeroen Ruigrok/Asmodai
To: Kris Kennaway
Cc: Siobhan Patricia Lynch , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
Message-ID: <20000801112007.Q32129@daemon.ninth-circle.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from kris@FreeBSD.org on Mon, Jul 31, 2000 at 02:26:48PM -0700
Organisation: Ninth-Circle Enterprises
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-On [20000801 00:01], Kris Kennaway (kris@FreeBSD.org) wrote:
>On Mon, 31 Jul 2000, Siobhan Patricia Lynch wrote:
>
>> I've been playing with it, I wonder under what conditions they are seeing
>> weirdness, because I'm not.
>
>Install the apache-modssl port, generate a test certificate, and try
>connecting to it from netscape on a client. One or two people were getting
>certificate verification errors when they did this (with Netscape) but IE
>worked fine.

The certificate `errors' which I got only had to do with the virtualhost not being www.snakeoil.com.

Other from that, everything just works how it's supposed to.
--
Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org]
Documentation nutter/C-rated Coder BSD: Technical excellence at its best
The BSD Programmer's Documentation Project
Abandon hope, all ye who enter here...

From owner-freebsd-security Tue Aug 1 8:44:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id AB87937BEF8; Tue, 1 Aug 2000 08:44:27 -0700 (PDT) (envelope-from trish@bsdunix.net)
Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id LAA20408; Tue, 1 Aug 2000 11:42:34 -0400 (EDT)
Date: Tue, 1 Aug 2000 11:42:34 -0400 (EDT)
From: Siobhan Patricia Lynch
X-Sender: trish@superconductor.rush.net
To: Jeroen Ruigrok/Asmodai
Cc: Kris Kennaway , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
In-Reply-To: <20000801112007.Q32129@daemon.ninth-circle.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

yah I've been working fine on it a few days, I think we're safe.

-Trish

__
Trish Lynch
FreeBSD - The Power to Serve    trish@bsdunix.net
Rush Networking                 trish@rush.net

On Tue, 1 Aug 2000, Jeroen Ruigrok/Asmodai wrote:

> -On [20000801 00:01], Kris Kennaway (kris@FreeBSD.org) wrote:
> >On Mon, 31 Jul 2000, Siobhan Patricia Lynch wrote:
> >
> >> I've been playing with it, I wonder under what conditions they are seeing
> >> weirdness, because I'm not.
> >
> >Install the apache-modssl port, generate a test certificate, and try
> >connecting to it from netscape on a client. One or two people were getting
> >certificate verification errors when they did this (with Netscape) but IE
> >worked fine.
>
> The certificate `errors' which I got only had to do with the virtualhost
> not being www.sn akeoil.com.
>
> Other from that, everything just works how it's supposed to.
>
> --
> Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org]
> Documentation nutter/C-rated Coder BSD: Technical excellence at its best
> The BSD Programmer's Documentation Project
> Abandon hope, all ye who enter here...
>

From owner-freebsd-security Tue Aug 1 9:58:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from njord.bart.nl (njord.bart.nl [194.158.170.15]) by hub.freebsd.org (Postfix) with ESMTP id F02D137BFE4; Tue, 1 Aug 2000 09:58:10 -0700 (PDT) (envelope-from asmodai@wxs.nl)
Received: from daemon.ninth-circle.org (root@daemon.ninth-circle.org [195.38.210.81]) by njord.bart.nl (8.10.1/8.10.1) with ESMTP id e71Gw3b42456; Tue, 1 Aug 2000 18:58:03 +0200 (CEST)
Received: (from asmodai@localhost) by daemon.ninth-circle.org (8.9.3/8.9.3) id SAA55639; Tue, 1 Aug 2000 18:48:15 +0200 (CEST) (envelope-from asmodai)
Date: Tue, 1 Aug 2000 18:48:15 +0200
From: Jeroen Ruigrok/Asmodai
To: Siobhan Patricia Lynch
Cc: Kris Kennaway , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com
Subject: Re: MFC'ing OpenSSL 0.9.5a?
Message-ID: <20000801184815.S32129@daemon.ninth-circle.org>
References: <20000801112007.Q32129@daemon.ninth-circle.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from trish@bsdunix.net on Tue, Aug 01, 2000 at 11:42:34AM -0400
Organisation: Ninth-Circle Enterprises
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-On [20000801 18:00], Siobhan Patricia Lynch (trish@bsdunix.net) wrote:
>yah I've been working fine on it a few days, I think we're safe.

Kris and I were able to reproduce the problem.
When you make apache13-modssl (which needs a hack against idea.h) it will ask you to make a certificate after compilation.

When you do this, the RSA certs that are generated are corrupt somewhere.

I sent Kris all the relevant details, but we do have some problems still yeah. =\

--
Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org]
Documentation nutter/C-rated Coder BSD: Technical excellence at its best
The BSD Programmer's Documentation Project
Abandon hope, all ye who enter here...

From owner-freebsd-security Tue Aug 1 11:27:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jello.geekspace.com (216-064-051-142.inaddr.vitts.com [216.64.51.142]) by hub.freebsd.org (Postfix) with SMTP id 05A2937B51C for ; Tue, 1 Aug 2000 11:27:36 -0700 (PDT) (envelope-from psion@geekspace.com)
Received: (qmail 14863 invoked from network); 1 Aug 2000 18:29:26 -0000
Received: from 216-064-051-140.inaddr.vitts.com (HELO geekspace.com) (216.64.51.140) by 216-064-051-142.inaddr.vitts.com with SMTP; 1 Aug 2000 18:29:26 -0000
Message-ID: <398716A0.7812EEC1@geekspace.com>
Date: Tue, 01 Aug 2000 14:27:44 -0400
From: Chris Williams
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: John F Cuzzola
Cc: security@FreeBSD.ORG
Subject: Re: invalid-state
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> invalid state: 0x0
> invalid state: 0x1
> invalid state: 0x2
> invalid state: 0x3

I encountered these messages when my natd was out of sync with my kernel, I believe when I had a 4.0-RELEASE natd but a 4.0-stable kernel, about a month ago..
From owner-freebsd-security Tue Aug 1 14:11:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id CB0F437B71C; Tue, 1 Aug 2000 14:11:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id C90172E8195; Tue, 1 Aug 2000 14:11:17 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Tue, 1 Aug 2000 14:11:17 -0700 (PDT)
From: Kris Kennaway
To: Greg Hormann
Cc: security@freebsd.org
Subject: Re: your mail
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 1 Aug 2000, Greg Hormann wrote:

> (2) What's the best way to block this? If I block external access to the
> Socks5 port in my firewall will socks5 still work? Should I just use a
> permit/auth statement?

For maximum results use both an ACL in SOCKS to only permit from the hosts you want, and firewall incoming connections to that port.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

From owner-freebsd-security Tue Aug 1 17:39: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with SMTP id 4F5DB37B5E5 for ; Tue, 1 Aug 2000 17:39:00 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 36757 invoked by uid 1000); 2 Aug 2000 00:38:58 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Aug 2000 00:38:58 -0000
Date: Tue, 1 Aug 2000 19:38:58 -0500 (CDT)
From: Mike Silbersack
To: security@freebsd.org
Subject: Ip packet filtering with bridging on freebsd (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

AFAIK, you found the bug(s), know what they are, know how to fix them, and have commit access, Darren. So why did you take the script-kiddie route and mail bugtraq before any hint of a patch appeared?

Mike "Silby" Silbersack

---------- Forwarded message ----------
Date: Tue, 1 Aug 2000 07:14:50 +1000
From: Darren Reed
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Ip packet filtering with bridging on freebsd

If someone is doing packet filtering using ipfw to do packet filtering with a FreeBSD box configured to do bridging, it is relatively easy to make the box go "boom" as none of the standard header sanity checks are done prior to the filter routine being called (check /sys/net/bridge.c)

It is a feature "copied" from OpenBSD but somehow large amounts of code were not copied and bugs resulted.
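The checks Darren points at in OpenBSD's bridge_filter() earlier in this thread, and which the forwarded bugtraq note says FreeBSD's bridge skipped before calling the filter, are plain IP header validation: is the frame long enough for the headers it claims, is the version 4, do the header length and total length fit inside the frame, does the header checksum verify. The C below is an added user-space illustration of that validation written for this page; it is not FreeBSD's or OpenBSD's bridge code, the function names and verdict enum are my own, and the frames it checks are constructed samples rather than captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN 14
#define ETHERTYPE_IP  0x0800
#define IP_MIN_HLEN   20

/* What the bridge decides before a frame ever reaches ipfw/ipf. */
enum bridge_verdict {
    BRIDGE_PASS_TO_FILTER = 0, /* header is sane; hand it to the filter */
    BRIDGE_NOT_IP,             /* not IPv4; forward without IP filtering */
    BRIDGE_DROP_TRUNCATED,     /* shorter than the headers it claims to carry */
    BRIDGE_DROP_BAD_VERSION,   /* ethertype says IP but version field is not 4 */
    BRIDGE_DROP_BAD_HLEN,      /* IHL below 20 bytes or running past the frame */
    BRIDGE_DROP_BAD_TOTLEN,    /* total length shorter than header or past frame */
    BRIDGE_DROP_BAD_CSUM       /* IP header checksum does not verify */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum; a valid header (checksum field included) gives 0. */
static uint16_t ip_cksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += rd16(hdr + i);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The sanity checks a bridge should run before calling the packet filter. */
enum bridge_verdict bridge_sanity_check(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return BRIDGE_DROP_TRUNCATED;
    if (rd16(frame + 12) != ETHERTYPE_IP)
        return BRIDGE_NOT_IP;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t avail = len - ETHER_HDR_LEN;
    /* A bare 14-byte frame with ethertype IP is rejected here, never parsed. */
    if (avail < IP_MIN_HLEN)
        return BRIDGE_DROP_TRUNCATED;
    if ((ip[0] >> 4) != 4)
        return BRIDGE_DROP_BAD_VERSION;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > avail)
        return BRIDGE_DROP_BAD_HLEN;
    size_t totlen = rd16(ip + 2);
    if (totlen < hlen || totlen > avail)
        return BRIDGE_DROP_BAD_TOTLEN;
    if (ip_cksum(ip, hlen) != 0)
        return BRIDGE_DROP_BAD_CSUM;
    return BRIDGE_PASS_TO_FILTER;
}

/* Constructed sample (not captured traffic): Ethernet + 20-byte IPv4 header +
   payload_len zero bytes, 10.0.0.1 -> 10.0.0.2. Returns the frame length. */
size_t build_sample_frame(uint8_t *out, size_t payload_len)
{
    size_t ip_total = IP_MIN_HLEN + payload_len;
    memset(out, 0, ETHER_HDR_LEN + ip_total);
    out[12] = 0x08; out[13] = 0x00;                        /* ethertype IP */
    uint8_t *ip = out + ETHER_HDR_LEN;
    ip[0] = 0x45;                                          /* version 4, IHL 5 */
    ip[2] = (uint8_t)(ip_total >> 8); ip[3] = (uint8_t)ip_total;
    ip[8] = 64; ip[9] = 6;                                 /* TTL, protocol TCP */
    memcpy(ip + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);
    uint16_t c = ip_cksum(ip, IP_MIN_HLEN);                /* csum field still zero */
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
    return ETHER_HDR_LEN + ip_total;
}

/* Builds the valid frame, applies one named corruption, returns the verdict. */
enum bridge_verdict check_scenario(const char *name)
{
    uint8_t f[96];
    size_t n = build_sample_frame(f, 20);                  /* 54 bytes, 40 of IP */
    uint8_t *ip = f + ETHER_HDR_LEN;
    if (!strcmp(name, "bare-ethernet"))      n = ETHER_HDR_LEN;      /* header only */
    else if (!strcmp(name, "not-ip"))        { f[12] = 0x86; f[13] = 0xdd; }
    else if (!strcmp(name, "version-6"))     ip[0] = 0x65;
    else if (!strcmp(name, "ihl-zero"))      ip[0] = 0x40;
    else if (!strcmp(name, "ihl-past-end"))  ip[0] = 0x4f;           /* 60 > 40 */
    else if (!strcmp(name, "totlen-huge"))   { ip[2] = 0xff; ip[3] = 0xff; }
    else if (!strcmp(name, "totlen-short"))  { ip[2] = 0x00; ip[3] = 0x08; }
    else if (!strcmp(name, "bad-checksum"))  ip[8] ^= 0xff;          /* TTL flipped */
    return bridge_sanity_check(f, n);                      /* "valid": untouched */
}

int main(void)
{
    static const char *names[] = { "valid", "bare-ethernet", "not-ip", "version-6",
        "ihl-zero", "ihl-past-end", "totlen-huge", "totlen-short", "bad-checksum" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s -> verdict %d\n", names[i], (int)check_scenario(names[i]));
    return 0;
}
```

Every scenario except "valid" and "not-ip" is a frame the filter would otherwise have been handed with a header it cannot safely parse; a bridge that rejects them up front never exposes ipfw or ipf to them.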
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Aug 1 19:36:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id A431937BF99 for ; Tue, 1 Aug 2000 19:36:50 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id MAA23561; Wed, 2 Aug 2000 12:36:30 +1000 (EST) From: Darren Reed Message-Id: <200008020236.MAA23561@cairo.anu.edu.au> Subject: Re: Ip packet filtering with bridging on freebsd (fwd) In-Reply-To: from Mike Silbersack at "Aug 1, 0 07:38:58 pm" To: silby@silby.com (Mike Silbersack) Date: Wed, 2 Aug 2000 12:36:30 +1000 (EST) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Mike Silbersack, sie said: > > AFAIK, you found the bug(s), know what they are, know how to fix them, and > have commit access, Darren. But not the time. I mentioned here what needs to be done, how come nobody else has done it ? Maybe because a PR hasn't been lodged ? :) It's one of the great failings of open source - assuming that "someone else" will do the work "because they can" when in reality "nobody does". > So why did you take the script-kiddie route and mail bugtraq before any > hint of a patch appeared? Given the latest flamage from my commits, I don't have time to make and test the required changes even so far as compiling goes so that should be enough to rule me doing it out. It's also not my balliwhack (that section of the code) so I'm not eager to step on someone else's toes... btw, don't whinge about it being posted to bugtraq - the patch is not that hard and I already spelt out here what needs doing. 
Just copy the OpenBSD code. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 7:54:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from superconductor.rush.net (superconductor.rush.net [208.9.155.8]) by hub.freebsd.org (Postfix) with ESMTP id 392D337B984; Wed, 2 Aug 2000 07:54:44 -0700 (PDT) (envelope-from trish@bsdunix.net) Received: from localhost (trish@localhost) by superconductor.rush.net (8.9.3/8.9.3) with ESMTP id KAA07568; Wed, 2 Aug 2000 10:54:28 -0400 (EDT) Date: Wed, 2 Aug 2000 10:54:27 -0400 (EDT) From: Siobhan Patricia Lynch X-Sender: trish@superconductor.rush.net To: Jeroen Ruigrok/Asmodai Cc: Kris Kennaway , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com Subject: Re: MFC'ing OpenSSL 0.9.5a? In-Reply-To: <20000801184815.S32129@daemon.ninth-circle.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org weird, ok, maybe its something with the port, I built apache 1.3.12 with modssl from sources (defined -DNO_IDEA) in mod_ssl.h (NO jokes) everything seems to work, been using it for a few days. -Trish __ Trish Lynch FreeBSD - The Power to Serve trish@bsdunix.net Rush Networking trish@rush.net On Tue, 1 Aug 2000, Jeroen Ruigrok/Asmodai wrote: > -On [20000801 18:00], Siobhan Patricia Lynch (trish@bsdunix.net) wrote: > >yah I've been working fine on it a few days, I think we're safe. > > Kris and me were able to reproduce the problem. > > When you make apache13-modssl (which needs a hack against idea.h) it > will ask you to make certificate after compilation. > > When you do this, the RSA certs is generated are corrupt somewhere. > > I sent Kris all the relevant details, but we do have some problems still > yeah. 
=\ > > -- > Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org] > Documentation nutter/C-rated Coder BSD: Technical excellence at its best > The BSD Programmer's Documentation Project > Abandon hope, all ye who enter here... > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 14:21:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id CD4C837BB13 for ; Wed, 2 Aug 2000 14:21:28 -0700 (PDT) (envelope-from billf@jade.chc-chimes.com) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 8236F1C70; Wed, 2 Aug 2000 17:21:27 -0400 (EDT) Date: Wed, 2 Aug 2000 17:21:27 -0400 From: Bill Fumerola To: Darren Reed Cc: Mike Silbersack , security@FreeBSD.ORG Subject: Re: Ip packet filtering with bridging on freebsd (fwd) Message-ID: <20000802172127.E58109@jade.chc-chimes.com> References: <200008020236.MAA23561@cairo.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200008020236.MAA23561@cairo.anu.edu.au>; from avalon@coombs.anu.edu.au on Wed, Aug 02, 2000 at 12:36:30PM +1000 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Aug 02, 2000 at 12:36:30PM +1000, Darren Reed wrote: > But not the time. I mentioned here what needs to be done, how come nobody > else has done it ? Maybe because a PR hasn't been lodged ? :) Because you mentioned it all of 48 hours ago or so. > > So why did you take the script-kiddie route and mail bugtraq before any > > hint of a patch appeared? 
> > Given the latest flamage from my commits, I don't have time to make and > test the required changes even so far as compiling goes so that should > be enough to rule me doing it out. > > It's also not my balliwhack (that section of the code) so I'm not eager > to step on someone else's toes... Code that compiles doesn't seem to be your balliwhack either. I'm actually rather surprised that someone didn't just backout your recent batch entirely. > btw, don't whinge about it being posted to bugtraq - the patch is not that > hard and I already spelt out here what needs doing. Just copy the OpenBSD > code. I hope the next time an ipfilter issue comes up whoever finds it is more courteous than you. I'm trying to be very non-biased and trying to live in a world where both ipfw and ipfilter exist on FreeBSD. I'm even trying to make ipfw better, and I was even going to look at the bridging code after you made mention of that. Just being an asshole and making broad statements on bugtraq without even an attempt to mail security-officer@freebsd.org or give everyone time to check their mail before you mail bugtraq is just unacceptable. -- Bill Fumerola - Network Architect, BOFH / Chimes, Inc. billf@chimesnet.com / billf@FreeBSD.org PS. maybe it's not even the kernel's job to make sanity checks before handing off to the ipfw/ipfilter. What if ipfw/ipfilter wants to look at the original packet?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 16:57:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id 46B8C37B880 for ; Wed, 2 Aug 2000 16:57:09 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au) Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id JAA23890; Thu, 3 Aug 2000 09:57:02 +1000 (EST) From: Darren Reed Message-Id: <200008022357.JAA23890@cairo.anu.edu.au> Subject: Re: Ip packet filtering with bridging on freebsd (fwd) In-Reply-To: <20000802172127.E58109@jade.chc-chimes.com> from Bill Fumerola at "Aug 2, 0 05:21:27 pm" To: billf@chimesnet.com (Bill Fumerola) Date: Thu, 3 Aug 2000 09:57:01 +1000 (EST) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL39 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Bill Fumerola, sie said: > On Wed, Aug 02, 2000 at 12:36:30PM +1000, Darren Reed wrote: > > > It's also not my balliwhack (that section of the code) so I'm not eager > > to step on someone else's toes... > > Code that compiles doesn't seem to be your balliwhack either. I'm actually > rather suprised that someone didn't just backout your recent batch entirely. Sorta - it's my responsibility to make sure it works when committed. > Bill Fumerola - Network Architect, BOFH / Chimes, Inc. I guess this email ranting is you being the "B" in the "BOFH"... > PS. maybe it's not even the kernels job to make sanity checks before handing > off to the ipfw/ipfilter. What if ipfw/ipfilter wants to look at the original > packet? This is another problem and people are trying to solve too many problems with the same code line then. 
IP Filter (and maybe ipfw) is built to do packet filtering for IP packets, *NOT* ethernet packets. Small but significant difference. As such, when doing IP filtering it is unreasonable to expect (or assume) that any fields from the link layer protocol will be present. If you want to do filtering on layer 2 packets/information then I'd recommend implementing something using BPF. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 20:13:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id E29E137B599; Wed, 2 Aug 2000 20:13:12 -0700 (PDT) (envelope-from shevlandj@kpi.com.au) Received: from grail (www.kpi.com.au [203.39.132.210]) by www.kpi.com.au (8.9.3/8.9.3) with SMTP id NAA37875; Thu, 3 Aug 2000 13:15:33 +1000 (EST) (envelope-from shevlandj@kpi.com.au) From: "Joe Shevland" To: "Siobhan Patricia Lynch" , "Jeroen Ruigrok/Asmodai" Cc: "Kris Kennaway" , "Robert Watson" , , Subject: RE: MFC'ing OpenSSL 0.9.5a? Date: Thu, 3 Aug 2000 13:15:47 +1000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I guess it's worth noting that modssl is different to Apache-SSL?
We're using Apache-SSL (1.3.12) and haven't seen any problems at all (both with 0.9.5a and over the last couple of years, perhaps been lucky :) Cheers, Joe >-----Original Message----- >From: owner-freebsd-security@FreeBSD.ORG >[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Siobhan Patricia >Lynch >Sent: Thursday, 3 August 2000 12:54 AM >To: Jeroen Ruigrok/Asmodai >Cc: Kris Kennaway; Robert Watson; freebsd-security@FreeBSD.ORG; >ogud@tislabs.com >Subject: Re: MFC'ing OpenSSL 0.9.5a? > > >weird, ok, maybe its something with the port, I built apache 1.3.12 with >modssl from sources (defined -DNO_IDEA) in mod_ssl.h (NO jokes) > >everything seems to work, been using it for a few days. > >-Trish > >__ > >Trish Lynch >FreeBSD - The Power to Serve trish@bsdunix.net >Rush Networking trish@rush.net > >On Tue, 1 Aug 2000, Jeroen Ruigrok/Asmodai wrote: > >> -On [20000801 18:00], Siobhan Patricia Lynch (trish@bsdunix.net) wrote: >> >yah I've been working fine on it a few days, I think we're safe. >> >> Kris and me were able to reproduce the problem. >> >> When you make apache13-modssl (which needs a hack against idea.h) it >> will ask you to make certificate after compilation. >> >> When you do this, the RSA certs is generated are corrupt somewhere. >> >> I sent Kris all the relevant details, but we do have some problems still >> yeah. =\ >> >> -- >> Jeroen Ruigrok vd Werven/Asmodai asmodai@[wxs.nl|bart.nl|freebsd.org] >> Documentation nutter/C-rated Coder BSD: Technical excellence at its best >> The BSD Programmer's Documentation Project >> Abandon hope, all ye who enter here...
>> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 22:42:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id 4F30A37B743 for ; Wed, 2 Aug 2000 22:42:31 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de) Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14]) by david.siemens.de (8.10.1/8.10.1) with ESMTP id e735gS604543 for ; Thu, 3 Aug 2000 07:42:29 +0200 (MET DST) Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail1.siemens.de (8.10.1/8.10.1) with ESMTP id e735gS613083 for ; Thu, 3 Aug 2000 07:42:28 +0200 (MET DST) Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e735gSa46200 for freebsd-security@freebsd.org; Thu, 3 Aug 2000 07:42:28 +0200 (CEST) Date: Thu, 3 Aug 2000 07:42:28 +0200 From: Andre Albsmeier To: freebsd-security@freebsd.org Subject: What will I lose if ssh is no more suid root? Message-ID: <20000803074228.A1682@curry.mchp.siemens.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As the subject says: What functionality will I lose when ssh in 4.1-STABLE is not setuid root anymore? The reason for asking is that I want to socksify ssh on the fly with runsocks. I removed the setuid root mode and it seems to work.
Since I assume that no program is suid root without reason, can someone please enlighten me what I will lose now? Thanks, -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 22:54:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 157AD37B5DC for ; Wed, 2 Aug 2000 22:54:48 -0700 (PDT) (envelope-from mark@grondar.za) Received: from grimreaper.grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.9.3/8.9.3) with ESMTP id HAA02280; Thu, 3 Aug 2000 07:54:58 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za) Message-Id: <200008030554.HAA02280@grimreaper.grondar.za> To: Andre Albsmeier Cc: freebsd-security@FreeBSD.ORG Subject: Re: What will I lose if ssh is no more suid root? References: <20000803074228.A1682@curry.mchp.siemens.de> In-Reply-To: <20000803074228.A1682@curry.mchp.siemens.de> ; from Andre Albsmeier "Thu, 03 Aug 2000 07:42:28 +0200." Date: Thu, 03 Aug 2000 07:54:57 +0200 From: Mark Murray Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > As the subject says: What functionality will I lose when ssh > in 4.1-STABLE is not setuid root anymore? There are reasons, but I can't remember them offhand; perhaps if you asked on the openssh mailing list? (at www.openssh.org). 
:-) M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 22:57:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id 0407137B6F1 for ; Wed, 2 Aug 2000 22:57:43 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de) Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14]) by david.siemens.de (8.10.1/8.10.1) with ESMTP id e735vV609681; Thu, 3 Aug 2000 07:57:31 +0200 (MET DST) Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail1.siemens.de (8.10.1/8.10.1) with ESMTP id e735vU618227; Thu, 3 Aug 2000 07:57:30 +0200 (MET DST) Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e735vUa46280; Date: Thu, 3 Aug 2000 07:57:30 +0200 From: Andre Albsmeier To: Mark Murray Cc: Andre Albsmeier , freebsd-security@FreeBSD.ORG Subject: Re: What will I lose if ssh is no more suid root? Message-ID: <20000803075730.A2568@curry.mchp.siemens.de> References: <20000803074228.A1682@curry.mchp.siemens.de> <200008030554.HAA02280@grimreaper.grondar.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200008030554.HAA02280@grimreaper.grondar.za>; from mark@grondar.za on Thu, Aug 03, 2000 at 07:54:57AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 03-Aug-2000 at 07:54:57 +0200, Mark Murray wrote: > > As the subject says: What functionality will I lose when ssh > > in 4.1-STABLE is not setuid root anymore? > > There are reasons, but I can't remember them offhand; perhaps > if you asked on the openssh mailing list? (at www.openssh.org). 
It might have to do with rhosts authentication (this one needs to come from a privileged port as the rcmds do it). But if this is the only reason then that's no problem for me... Thanks, -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 23: 6:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from amazhan.bitstream.net (amazhan.bitstream.net [216.243.128.132]) by hub.freebsd.org (Postfix) with SMTP id 889E437B6F1 for ; Wed, 2 Aug 2000 23:06:30 -0700 (PDT) (envelope-from airboss@bitstream.net) Received: (qmail 45435 invoked from network); 3 Aug 2000 06:06:28 -0000 Received: from unknown (HELO dmitri.bitstream.net) (206.144.236.191) by mail with SMTP; 3 Aug 2000 06:06:28 -0000 Date: Thu, 3 Aug 2000 01:15:23 -0500 (CDT) From: airboss@bitstream.net To: Andre Albsmeier Cc: freebsd-security@freebsd.org Subject: Re: What will I lose if ssh is no more suid root? In-Reply-To: <20000803074228.A1682@curry.mchp.siemens.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 3 Aug 2000, Andre Albsmeier wrote: > As the subject says: What functionality will I lose when ssh > in 4.1-STABLE is not setuid root anymore? The setuid SSH uses low ephemeral ports -- starting around 1000 for ordinary SSH, and at 950 or so for OpenSSH -- instead of the ordinary 1024-65535. Apparently, the intent is that one "proves" one's authenticity by binding to a low port. All this really proves (IMHO) is that you have a setuid binary on your machine ;). Removing the setuid bit may (as stated by others) break rhosts authentication, but is otherwise harmless, AFAIK. There's plenty of comment on this subject on the OpenSSH mailing list. ~Dan D. -- __________________________________________________________________ -- I feel the earth move. 
-- I feel the tumbling down, the tumbling down. ++ Dan Debertin ++ Senior Systems Administrator ++ Bitstream Underground, LLC ++ airboss@bitstream.net ++ (612)321-9290 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Aug 2 23:10:57 2000 Delivered-To: freebsd-security@freebsd.org Received: from goliath.siemens.de (goliath.siemens.de [194.138.37.131]) by hub.freebsd.org (Postfix) with ESMTP id 6709637B70E for ; Wed, 2 Aug 2000 23:10:53 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer goliath.siemens.de) Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by goliath.siemens.de (8.10.1/8.10.1) with ESMTP id e736Aoc08341; Thu, 3 Aug 2000 08:10:50 +0200 (MET DST) Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail2.siemens.de (8.10.1/8.10.1) with ESMTP id e736Anl02151; Thu, 3 Aug 2000 08:10:49 +0200 (MET DST) Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e736Ana46345; Date: Thu, 3 Aug 2000 08:10:49 +0200 From: Andre Albsmeier To: airboss@bitstream.net Cc: Andre Albsmeier , freebsd-security@freebsd.org Subject: Re: What will I lose if ssh is no more suid root? Message-ID: <20000803081049.A2901@curry.mchp.siemens.de> References: <20000803074228.A1682@curry.mchp.siemens.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from airboss@bitstream.net on Thu, Aug 03, 2000 at 01:15:23AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 03-Aug-2000 at 01:15:23 -0500, airboss@bitstream.net wrote: > On Thu, 3 Aug 2000, Andre Albsmeier wrote: > > > As the subject says: What functionality will I lose when ssh > > in 4.1-STABLE is not setuid root anymore? 
> > The setuid SSH uses low ephemeral ports -- starting around 1000 for > ordinary SSH, and at 950 or so for OpenSSH -- instead of the ordinary > 1024-65535. Apparently, the intent is that one "proves" one's authenticity > by binding to a low port. All this really proves (IMHO) is that you have a > setuid binary on your machine ;). > > Removing the setuid bit may (as stated by others) break rhosts > authentication, but is otherwise harmless, AFAIK. There's plenty of > comment on this subject on the OpenSSH mailing list. Will look there, thanks for the hint. -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 0:39:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 9429937B82E; Thu, 3 Aug 2000 00:39:38 -0700 (PDT) (envelope-from nbm@sunesi.net) Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13KFay-000BFl-00; Thu, 03 Aug 2000 09:39:12 +0200 Date: Thu, 3 Aug 2000 09:39:12 +0200 From: Neil Blakey-Milner To: Joe Shevland Cc: Siobhan Patricia Lynch , Jeroen Ruigrok/Asmodai , Kris Kennaway , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com Subject: Re: MFC'ing OpenSSL 0.9.5a? Message-ID: <20000803093912.A43239@mithrandr.moria.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: ; from shevlandj@kpi.com.au on Thu, Aug 03, 2000 at 01:15:47PM +1000 Organization: Sunesi Clinical Systems X-Operating-System: FreeBSD 3.3-RELEASE i386 X-URL: http://rucus.ru.ac.za/~nbm/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu 2000-08-03 (13:15), Joe Shevland wrote: > I guess its worth noting that modssl is different to Apache-SSL? 
We're > using Apache-SSL (1.3.12) and haven't seen any problems at all (both > with 0.9.5a and over the last couple of years, perhaps been lucky :) How often do you generate certificates with it? I've had a number of complaints about 0.9.5a generating certificates that Internet Explorer just can't comprehend. Neil -- Neil Blakey-Milner Sunesi Clinical Systems nbm@mithrandr.moria.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 0:41:57 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id E342C37B566; Thu, 3 Aug 2000 00:41:55 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id E04DE2E8193; Thu, 3 Aug 2000 00:41:55 -0700 (PDT) (envelope-from kris@hub.freebsd.org) Date: Thu, 3 Aug 2000 00:41:55 -0700 (PDT) From: Kris Kennaway To: Neil Blakey-Milner Cc: Joe Shevland , Siobhan Patricia Lynch , Jeroen Ruigrok/Asmodai , Robert Watson , freebsd-security@FreeBSD.ORG, ogud@tislabs.com Subject: Re: MFC'ing OpenSSL 0.9.5a? In-Reply-To: <20000803093912.A43239@mithrandr.moria.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 3 Aug 2000, Neil Blakey-Milner wrote: > On Thu 2000-08-03 (13:15), Joe Shevland wrote: > > I guess its worth noting that modssl is different to Apache-SSL? We're > > using Apache-SSL (1.3.12) and haven't seen any problems at all (both > > with 0.9.5a and over the last couple of years, perhaps been lucky :) > > How often do you generate certificates with it? I've had a number of > complaints about 0.9.5a generating certificates that Internet Explorer > just can't comprehend. In fact that's precisely the opposite problem we're trying to investigate here..I haven't heard that complaint. 
Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 0:53:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id A335237B7AA; Thu, 3 Aug 2000 00:53:26 -0700 (PDT) (envelope-from shevlandj@kpi.com.au) Received: from grail (www.kpi.com.au [203.39.132.210]) by www.kpi.com.au (8.9.3/8.9.3) with SMTP id RAA38844; Thu, 3 Aug 2000 17:56:42 +1000 (EST) (envelope-from shevlandj@kpi.com.au) From: "Joe Shevland" To: "Kris Kennaway" , "Neil Blakey-Milner" Cc: "Siobhan Patricia Lynch" , "Jeroen Ruigrok/Asmodai" , "Robert Watson" , , Subject: RE: MFC'ing OpenSSL 0.9.5a? Date: Thu, 3 Aug 2000 17:56:58 +1000 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org That's interesting; I did experience this problem (apols!) but I put it down to IE's inability to handle 128-bit certificates... when I upgraded IE using the Mickeysoft update patch everything worked again. Hence I pointed the finger at IE... perhaps wrongly? Cheers, Joe >-----Original Message----- >From: Kris Kennaway [mailto:kris@hub.freebsd.org] >Sent: Thursday, 3 August 2000 5:42 PM >To: Neil Blakey-Milner >Cc: Joe Shevland; Siobhan Patricia Lynch; Jeroen Ruigrok/Asmodai; Robert >Watson; freebsd-security@FreeBSD.ORG; ogud@tislabs.com >Subject: Re: MFC'ing OpenSSL 0.9.5a?
> > >On Thu, 3 Aug 2000, Neil Blakey-Milner wrote: > >> On Thu 2000-08-03 (13:15), Joe Shevland wrote: >> > I guess its worth noting that modssl is different to Apache-SSL? We're >> > using Apache-SSL (1.3.12) and haven't seen any problems at all (both >> > with 0.9.5a and over the last couple of years, perhaps been lucky :) >> >> How often do you generate certificates with it? I've had a number of >> complaints about 0.9.5a generating certificates that Internet Explorer >> just can't comprehend. > >In fact that's precisely the opposite problem we're trying to investigate >here..I haven't heard that complaint. > >Kris > >-- >In God we Trust -- all others must submit an X.509 certificate. > -- Charles Forsythe > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 2:57:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from berlin.sfai.edu (berlin.sfai.edu [63.197.251.100]) by hub.freebsd.org (Postfix) with ESMTP id 0F38F37B72C for ; Thu, 3 Aug 2000 02:57:46 -0700 (PDT) (envelope-from karsten@berlin.sfai.edu) Received: (from karsten@localhost) by berlin.sfai.edu (8.10.0.Beta12/8.10.0Beta12) id e736ve607549; Thu, 3 Aug 2000 02:57:40 -0400 Date: Thu, 3 Aug 2000 02:57:40 -0400 From: Karsten Patzwaldt To: Andre Albsmeier , freebsd-security@freebsd.org Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000803025740.A7484@berlin.sfai.edu> References: <20000803074228.A1682@curry.mchp.siemens.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.1.2i In-Reply-To: <20000803074228.A1682@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Thu, Aug 03, 2000 at 07:42:28AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Aug 03, 2000 at 07:42:28AM +0200, Andre Albsmeier wrote: > As the subject says: What functionality will I lose when ssh > in 4.1-STABLE is not setuid root anymore? > > The reason for asking is that I want to socksify ssh on the > fly with runsocks. I removed the setuid root mode and it seems > to work. > > Since I assume that no program is suid root without reason, > can someone please enlighten me what I will lose now? SSH uses ports <1024 when it opens a connection, which is only allowed for root. I don't have a reasonable explanation for this, although it could give some protection from clients that were not installed by the admin. But this ports <1024-protection doesn't work anyways (who has no UNIX computer at home? Does this protection work on Windows? Er...), so IMHO it should be safe to remove SUID.
Regards, -- Karsten To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 3: 0:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from goliath.siemens.de (goliath.siemens.de [194.138.37.131]) by hub.freebsd.org (Postfix) with ESMTP id 7F3E237B898 for ; Thu, 3 Aug 2000 03:00:27 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer goliath.siemens.de) Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by goliath.siemens.de (8.10.1/8.10.1) with ESMTP id e73A0Ec12842; Thu, 3 Aug 2000 12:00:22 +0200 (MET DST) Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail2.siemens.de (8.10.1/8.10.1) with ESMTP id e73A0Dl23832; Thu, 3 Aug 2000 12:00:13 +0200 (MET DST) Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e73A0Da47685; Date: Thu, 3 Aug 2000 12:00:13 +0200 From: Andre Albsmeier To: Karsten Patzwaldt Cc: Andre Albsmeier , freebsd-security@freebsd.org Subject: Re: What will I lose if ssh is no more suid root? Message-ID: <20000803120013.A174@curry.mchp.siemens.de> References: <20000803074228.A1682@curry.mchp.siemens.de> <20000803025740.A7484@berlin.sfai.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20000803025740.A7484@berlin.sfai.edu>; from karsten@berlin.sfai.edu on Thu, Aug 03, 2000 at 02:57:40AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 03-Aug-2000 at 02:57:40 -0400, Karsten Patzwaldt wrote: > On Thu, Aug 03, 2000 at 07:42:28AM +0200, Andre Albsmeier wrote: > > As the subject says: What functionality will I lose when ssh > > in 4.1-STABLE is not setuid root anymore? > > > > The reason for asking is that I want to socksify ssh on the > > fly with runsocks. 
I removed the setuid root mode and it seems > > to work. > > > > Since I assume that no program is suid root without reason, > > can someone please enlighten me what I will lose now? > > SSH uses ports <1024 when it opens a connection, which is only allowed > for root. I don't have a reasonable explanation for this, although it > could give some protection from clients that were not installed by the > admin. But this ports <1024-protection doesn't work anyways (who has no > UNIX computer at home? Does this protection work on Windows? Er...), so > IMHO it should be safe to remove SUID. When using rhosts authentication, ssh must use a reserved port. Apart from that, no other reason for setuid'ing root is known by me until now. -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 3 5:27:40 2000 Delivered-To: freebsd-security@freebsd.org Received: from srv5-cba.cba.zaz.com.br (srv5-cba.cba.zaz.com.br [200.241.191.7]) by hub.freebsd.org (Postfix) with ESMTP id 88C9037B781 for ; Thu, 3 Aug 2000 05:26:54 -0700 (PDT) (envelope-from waltercruz@terra.com.br) Received: from capitao ([200.241.191.102]) by srv5-cba.cba.zaz.com.br (8.9.3/8.9.3) with SMTP id IAA12128 for ; Thu, 3 Aug 2000 08:18:25 -0400 Message-ID: <006101bffd3d$ca001a60$66bff1c8@cba.terra.com.br> From: "Walter Cruz" To: Subject: Problem with SWAP. Date: Thu, 3 Aug 2000 08:27:19 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org (sorry, my English is terrible!) Hi! I'm a BSD newbie and my web server (FreeBSD 4.0) is crashing constantly ... "swap_space_getswapspace: failed" ... this is the error message.
Please, can anyone post the step-by-step to add more swap space? Anything 'll be welcome!

[]'s
Cap

From owner-freebsd-security Thu Aug 3 6: 8:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id E386337B98A for ; Thu, 3 Aug 2000 06:08:06 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id KAA04559; Thu, 3 Aug 2000 10:08:04 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200008031308.KAA04559@ns1.via-net-works.net.ar>
Subject: Re: Problem with SWAP.
In-Reply-To: <006101bffd3d$ca001a60$66bff1c8@cba.terra.com.br> from Walter Cruz at "Aug 3, 0 08:27:19 am"
To: waltercruz@terra.com.br (Walter Cruz)
Date: Thu, 3 Aug 2000 10:08:03 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Walter Cruz wrote:
> (sorry, my english is terrible!)
>
> Hi!
>
> I'm a BSD newbie and my web server (FreeBSD 4.0) is crashing constantly ...
> "swap_space_getswapspace: failed" ... this is the error message.
> Please, can anyone post the step-by-step to add more swap space? Anything
> 'll be welcome!

You have that in the handbook (or FAQ, I don't remember which). I don't think there are Portuguese versions, but there are Spanish ones.

Good luck!

PS: By the way, you will be better off asking this kind of question in -questions, not in -security :)

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Fri Aug 4 0:30:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id E785537B8C5 for ; Fri, 4 Aug 2000 00:30:34 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id JAA40304; Fri, 4 Aug 2000 09:30:10 +0200 (CEST) (envelope-from des@flood.ping.uio.no)
To: Darren Reed
Cc: billf@chimesnet.com (Bill Fumerola), security@FreeBSD.ORG
Subject: Re: Ip packet filtering with bridging on freebsd (fwd)
References: <200008022357.JAA23890@cairo.anu.edu.au>
From: Dag-Erling Smorgrav
Date: 04 Aug 2000 09:30:09 +0200
In-Reply-To: Darren Reed's message of "Thu, 3 Aug 2000 09:57:01 +1000 (EST)"
Message-ID:
Lines: 14
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren Reed writes:
> In some mail from Bill Fumerola, sie said:
> > Code that compiles doesn't seem to be your balliwhack either. I'm actually
> > rather surprised that someone didn't just backout your recent batch entirely.
> Sorta - it's my responsibility to make sure it works when committed.

But you don't. And you come up with lame excuses when confronted with the resulting breakage.

It's "bailiwick", BTW.
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Fri Aug 4 7:39:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from dlt.follo.net (elde.org [195.204.143.185]) by hub.freebsd.org (Postfix) with ESMTP id 8E82A37BB5D for ; Fri, 4 Aug 2000 07:39:20 -0700 (PDT) (envelope-from terje@elde.net)
Received: by dlt.follo.net (Postfix, from userid 1002) id 467F75EF3D; Fri, 4 Aug 2000 16:39:18 +0200 (CEST)
Date: Fri, 4 Aug 2000 16:39:18 +0200
From: Terje Elde
To: Andre Albsmeier
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000804163918.W23567@dlt.follo.net>
References: <20000803074228.A1682@curry.mchp.siemens.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000803074228.A1682@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Thu, Aug 03, 2000 at 07:42:28AM +0200
X-Mailer: Mutt http://www.mutt.org/
X-Editor: Vim http://www.vim.org/
X-IRC: ircii!epic4-2000 - prevail[1214]
X-Goal: Exterminate All Rational Thought
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Andre Albsmeier (andre.albsmeier@mchp.siemens.de) [000803 07:47]:
> Since I assume that no program is suid root without reason,
> can someone please enlighten me what I will lose now?

It seems everyone's mentioned the low port issues, which IMHO isn't offering much security as it could be any box popped up on the same IP...

Anyways, what it does give you is the ability to read the host key's private part, and thus use RSAHostAuthentication, which is far more useful.

If you don't need/want it though, running with the setuid bits off should not give you too much of a problem.
Terje

From owner-freebsd-security Fri Aug 4 8:12:27 2000
Delivered-To: freebsd-security@freebsd.org
Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (Postfix) with ESMTP id A2A0A37BB35 for ; Fri, 4 Aug 2000 08:12:18 -0700 (PDT) (envelope-from andre.albsmeier@mchp.siemens.de)
X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de)
Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14]) by david.siemens.de (8.10.1/8.10.1) with ESMTP id e74FCD618112; Fri, 4 Aug 2000 17:12:14 +0200 (MET DST)
Received: from curry.mchp.siemens.de (curry.mchp.siemens.de [139.25.42.7]) by mail1.siemens.de (8.10.1/8.10.1) with ESMTP id e74FCCP26982; Fri, 4 Aug 2000 17:12:13 +0200 (MET DST)
Received: (from localhost) by curry.mchp.siemens.de (8.10.2/8.10.2) id e74FCCT56744;
Date: Fri, 4 Aug 2000 17:12:12 +0200
From: Andre Albsmeier
To: Terje Elde
Cc: Andre Albsmeier , freebsd-security@FreeBSD.ORG
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000804171212.B6933@curry.mchp.siemens.de>
References: <20000803074228.A1682@curry.mchp.siemens.de> <20000804163918.W23567@dlt.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <20000804163918.W23567@dlt.follo.net>; from terje@elde.net on Fri, Aug 04, 2000 at 04:39:18PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 04-Aug-2000 at 16:39:18 +0200, Terje Elde wrote:
> * Andre Albsmeier (andre.albsmeier@mchp.siemens.de) [000803 07:47]:
> > Since I assume that no program is suid root without reason,
> > can someone please enlighten me what I will lose now?
>
> It seems everyone's mentioned the low port issues, which IMHO isn't offering
> much security as it could be any box popped up on the same IP...
>
> Anyways, what it does give you is the ability to read the host key's private
> part, and thus use RSAHostAuthentication, which is far more useful.

Yes, I found this issue in the docs meanwhile...

> If you don't need/want it though, running with the setuid bits off should not
> give you too much of a problem.

No, I am currently running without it and didn't have problems.
Thanks,
-Andre

From owner-freebsd-security Fri Aug 4 11:26:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pf39.warszawa.sdi.tpnet.pl (pf39.warszawa.sdi.tpnet.pl [213.25.209.39]) by hub.freebsd.org (Postfix) with ESMTP id ABF2937BAC1 for ; Fri, 4 Aug 2000 11:26:36 -0700 (PDT) (envelope-from zaks@pf39.warszawa.sdi.tpnet.pl)
Received: (from zaks@localhost) by pf39.warszawa.sdi.tpnet.pl (8.9.3/8.9.3) id UAA02615; Fri, 4 Aug 2000 20:26:26 +0200 (CEST) (envelope-from zaks)
Content-MD5: 00500bf21ad4d2d8df46ad52c03cb5cb
From: Slawek Zak
To: freebsd-security@freebsd.org
Subject: IPFW + bridge fix.
Date: 04 Aug 2000 20:26:26 +0200
Message-ID: <87punodgrx.fsf@pf39.warszawa.sdi.tpnet.pl>
Lines: 8
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Bryce Canyon)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is anyone working on the fix for the problem so irresponsibly reported to bugtraq by Darren Reed? Is any security advisory going to be released?

/S
--
hundred-and-one symptoms of being an internet addict:
138. You develop a liking for cold coffee.
* Suavek Zak / PGP: finger://zaks@prioris.mini.pw.edu.pl

From owner-freebsd-security Fri Aug 4 11:46:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id CE30537BB92 for ; Fri, 4 Aug 2000 11:46:21 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id OAA56441; Fri, 4 Aug 2000 14:46:05 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Fri, 4 Aug 2000 14:46:05 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Slawek Zak
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW + bridge fix.
In-Reply-To: <87punodgrx.fsf@pf39.warszawa.sdi.tpnet.pl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 4 Aug 2000, Slawek Zak wrote:
> Is anyone working on the fix for the problem so irresponsibly reported to
> bugtraq by Darren Reed? Is any security advisory going to be released?

I'm not sure who else is working on this, but it is my plan to attempt to address these issues in the next few days; I was at IETF for the last week so didn't have access to a bridge test bed. Now that I'm back in DC and have test machines + network, I should make some progress.

I'd like to see a general cleanup of the ipfw code, as although it is correct in most cases, it is hard to tell that by inspection.
Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Fri Aug 4 12:26:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (closed-networks.com [195.153.248.242]) by hub.freebsd.org (Postfix) with SMTP id B9F8037B6DB for ; Fri, 4 Aug 2000 12:26:41 -0700 (PDT) (envelope-from udp@closed-networks.com)
Received: (qmail 11612 invoked by uid 1021); 4 Aug 2000 19:34:12 -0000
Date: Fri, 4 Aug 2000 20:33:31 +0100
From: "Bruce M. Simpson"
To: Andre Albsmeier
Subject: Re: What will I lose if ssh is no more suid root?
Message-ID: <20000804203331.F8029@closed-networks.com>
References: <20000803074228.A1682@curry.mchp.siemens.de> <20000804163918.W23567@dlt.follo.net> <20000804171212.B6933@curry.mchp.siemens.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000804171212.B6933@curry.mchp.siemens.de>; from andre.albsmeier@mchp.siemens.de on Fri, Aug 04, 2000 at 05:12:12PM +0200
Organization: Closed Networks, London, UK
X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andre,

On Fri, Aug 04, 2000 at 05:12:12PM +0200, Andre Albsmeier wrote:
> > Anyways, what it does give you is the ability to read the host key's private
> > part, and thus use RSAHostAuthentication, which is far more useful.
>
> Yes, I found this issue in the docs meanwhile...
>
> > If you don't need/want it though, running with the setuid bits off should not
> > give you too much of a problem.
>
> No, I am currently running without it and didn't have problems.

You're a very trusting man.
;>

Seriously, isn't this a good candidate app for a privilege API? i.e. give a privilege to the ssh client on the system to use the host key for helping to identify itself to the remote peer.

Yet another example of the kind of thing which gets people implementing lots of kludges using group numbers and kernel patches. Easily solved with a privilege API.

Just my 2c.

--
Bruce M. Simpson [udp]
Digital Security Architect, Closed Networks
www: www.closed-networks.com/~udp
London [gsm+wap] www.packetfactory.net/~udp
United Kingdom
email+pgp: bruce@closed-networks.com

From owner-freebsd-security Fri Aug 4 14:21:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B908E37BA09; Fri, 4 Aug 2000 14:21:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id B2A742E8196; Fri, 4 Aug 2000 14:21:40 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Fri, 4 Aug 2000 14:21:40 -0700 (PDT)
From: Kris Kennaway
To: Slawek Zak
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW + bridge fix.
In-Reply-To: <87punodgrx.fsf@pf39.warszawa.sdi.tpnet.pl>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 4 Aug 2000, Slawek Zak wrote:
> Is anyone working on the fix for the problem so irresponsibly reported to
> bugtraq by Darren Reed? Is any security advisory going to be released?

It's being investigated, but may take a week or more to get fixed due to people's schedules. This is why posting it first was so inappropriate, because it creates undue pressure on people who would have fixed it anyway had they been told.

A security advisory will be released if the claims are verified.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe
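The setuid-root ssh discussion above (a reserved source port for rhosts-style trust, reading the host key's private part) comes down to one pattern: do the single privileged step, then give up root before anything else and verify that it stuck. An added C example of that pattern, not code from ssh, OpenSSH or anyone on the thread; the port number and the fallback uid/gid are constructed for the demo.

```c
/* Added example, not code from ssh or the thread: the least-privilege shape
 * of a setuid-root client. The one privileged step (bind a reserved source
 * port < 1024, what rhosts-style trust relied on) runs first; then root is
 * dropped for good and the drop is verified. Port and fallback ids are
 * constructed for the demo. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DEMO_RESERVED_PORT 1023   /* constructed; any port < 1024 needs root */
#define DEMO_UNPRIV_ID     65534  /* constructed fallback (nobody) if real uid is 0 */

/* Bind a TCP socket on loopback to `port`. Returns 0 on success, else errno
 * (EACCES is the expected result for a reserved port without root). */
int try_bind_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Give up root irrevocably: supplementary groups, then gid, then uid, and
 * prove it stuck by checking that root cannot be regained. 0 = unprivileged. */
int drop_root_permanently(void)
{
    uid_t uid = getuid() != 0 ? getuid() : (uid_t)DEMO_UNPRIV_ID;
    gid_t gid = getgid() != 0 ? getgid() : (gid_t)DEMO_UNPRIV_ID;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* root-only call */
        return -1;
    if (setgid(gid) != 0)   /* gid first: it would fail after setuid() */
        return -1;
    if (setuid(uid) != 0)   /* as root this sets real, effective and saved uid */
        return -1;
    if (setuid(0) == 0 || geteuid() == 0)  /* drop must not be reversible */
        return -1;
    return 0;
}

int main(void)
{
    int rc = try_bind_port(DEMO_RESERVED_PORT);
    printf("reserved port before drop: %s\n", rc ? strerror(rc) : "ok");
    if (drop_root_permanently() != 0) { fputs("privilege drop failed, aborting\n", stderr); return 1; }
    rc = try_bind_port(DEMO_RESERVED_PORT);
    printf("reserved port after drop:  %s (uid %d)\n", rc ? strerror(rc) : "ok", (int)getuid());
    return 0;
}
```

Run it once as an ordinary user and once via a setuid-root copy to see the reserved-port bind succeed only before the drop; the second bind should fail with EACCES either way.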