From owner-freebsd-security Mon Jan 1 00:06:12 2001
From: Roman Shterenzon
To: Warner Losh
Subject: Re: Proposed modification to ftpd
Date: Mon, 1 Jan 2001 10:05:33 +0200 (IST)
In-Reply-To: <200101010625.f016Pqs13614@billy-club.village.org>

On Sun, 31 Dec 2000, Warner Losh wrote:

> While the syntax is ugly, I agree that it would be useful to have in
> our ftpd.
>
> In the little consulting I did, this was a huge, huge, huge requested
> feature.
>
> While we could invent yet another syntax, it would likely be better to
> use a slightly ugly, widely deployed syntax that people are familiar
> with than a less ugly one they would be more inclined to make a
> mistake with and have a false sense of security.

Perhaps it's possible to leave the delimiter as an option, which defaults
to "/./"? Or am I missing the point?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 1 07:03:37 2001
From: Roman Shterenzon
To: John F Cuzzola
Subject: Re: MTU
Date: Mon, 1 Jan 2001 17:03:09 +0200 (IST)

Not exactly what you asked for, but take a look at:
/usr/ports/net/tcpmssd

On Wed, 27 Dec 2000, John F Cuzzola wrote:

> Hi All,
> I know this isn't much to do with security but I've asked other lists
> with no response. Is there a utility or a way to determine (see) what the
> Path MTU is to a host???

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Jan 1 07:25:39 2001
From: "Jacques A. Vidrine"
To: Roman Shterenzon
Cc: Warner Losh, security@FreeBSD.ORG
Subject: Re: Proposed modification to ftpd
Date: Mon, 1 Jan 2001 09:25:34 -0600
Message-ID: <20010101092534.B35186@spawn.nectar.com>
In-Reply-To: from roman@xpert.com on Mon, Jan 01, 2001 at 10:05:33AM +0200

On Mon, Jan 01, 2001 at 10:05:33AM +0200, Roman Shterenzon wrote:
> On Sun, 31 Dec 2000, Warner Losh wrote:
>
> > While the syntax is ugly, I agree that it would be useful to have in
> > our ftpd.
[snip]
> Perhaps it's possible to leave the delimiter as an option, which defaults
> to "/./"? Or am I missing the point?

It is "/./" so that the result is still a valid path.
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Mon Jan 1 10:23:34 2001
From: romualdo@uninet.com.br
To: freebsd-security@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: IPSTEALTH - transparent router
Date: Mon, 1 Jan 2001 16:21:27 -300
Message-ID: <3a50d8b7.3a6d.0@uninet.com.br>

Hi.
I have many routers with WaveLAN cards running FreeBSD and I am trying,
without success, to make IPSTEALTH work. These are my kernel options:

options IPFIREWALL
options IPDIVERT
options IPSTEALTH
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=100
options DUMMYNET
options NMBCLUSTERS=10240

I have some routes and I use ipfw fwd too. I want that when a machine does a
traceroute it does not show my router and goes on its way.

Thanks for any help.

Romualdo Arcoverde
UNINet Brasilia
http://unimail.unisys.com.br

From owner-freebsd-security Mon Jan 1 11:36:44 2001
From: Warner Losh
To: Roman Shterenzon
Cc: security@FreeBSD.ORG
Subject: Re: Proposed modification to ftpd
Date: Mon, 01 Jan 2001 11:33:57 -0700
Message-ID: <200101011833.LAA97739@harmony.village.org>
In-Reply-To: Your message of "Mon, 01 Jan 2001 10:05:33 +0200."

In message Roman Shterenzon writes:
: Perhaps it's possible to leave the delimiter as an option, which defaults
: to "/./"? Or am I missing the point?

If someone set it to ":", bad things would happen.
Keep in mind that we have this in a passwd file and the syntax was chosen,
no doubt, so that ~foo would work as the full path to the file outside the
chroot'd environment. No other syntax that I'm aware of offers that.

Warner

From owner-freebsd-security Mon Jan 1 12:16:44 2001
From: Gerhard Sittig
To: FreeBSD Security
Subject: Re: IPFilter and new rc.conf scripts
Date: Mon, 1 Jan 2001 15:25:10 +0100
Message-ID: <20010101152510.R253@speedy.gsinet>
In-Reply-To: <20010101034042.8685.qmail@web1003.mail.yahoo.com>; from e_chelon@yahoo.com on Sun, Dec 31, 2000 at 07:40:42PM -0800

On Sun, Dec 31, 2000 at 19:40 -0800, echelon wrote:
>
> PR conf/22859 explains why ipf can't work on tun0
> after reboot. So the ad-hoc solution is to put "ipf
> -y" in /etc/ppp/ppp.linkup.

"ipf -y" is what you need in ppp.linkup -- as well as in
ppp.linkdown -- anyway as soon as you have dynamic IP addresses
on your tun* interfaces.
So I wouldn't call this just "ad hoc"
but more "given almost by default and necessity". :) This will
make the 0.0.0.0/32 address in your rules work very much like
MYADDR in ppp(8) syntax does.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Mon Jan 1 13:09:36 2001
From: Tom Czarnik
To: Gerhard Sittig
Cc: FreeBSD Security
Subject: Re: IPFilter and new rc.conf scripts
Date: Mon, 01 Jan 2001 13:12:35 -0800
Message-ID: <3A50F2C3.BFCB550E@athms.com>

Gerhard Sittig wrote:
>
> On Sun, Dec 31, 2000 at 19:40 -0800, echelon wrote:
> >
> > PR conf/22859 explains why ipf can't work on tun0
> > after reboot. So the ad-hoc solution is to put "ipf
> > -y" in /etc/ppp/ppp.linkup.
>
> "ipf -y" is what you need in ppp.linkup -- as well as in
> ppp.linkdown -- anyway as soon as you have dynamic IP addresses
> on your tun* interfaces.
> So I wouldn't call this just "ad hoc"
> but more "given almost by default and necessity". :) This will
> make the 0.0.0.0/32 address in your rules work very much like
> MYADDR in ppp(8) syntax does.

Let me reiterate that the problem of IPF needing a resync affects BOTH
tun and interfaces loaded as modules. It needs to be fixed in rc.network
for both conditions, and only in ppp.linkup/down if you are using a
dynamic address.

From owner-freebsd-security Mon Jan 1 15:29:35 2001
From: Daniel Hagan
To: Kris Kennaway
Cc: Mikhail Kruk, freebsd-security@freebsd.org
Subject: Re: Large scan activity
Date: Mon, 01 Jan 2001 18:36:17 -0500
Message-ID: <3A511471.5DE87129@colltech.com>

Also, see http://www.sans.org/giac.html for the GIAC (Global Incident
Analysis Center?). They do semi-realtime tracking of port-scan activity
based on volunteer reports of activity. They can also help get
"interesting" logs analyzed.
Daniel

Kris Kennaway wrote:
>
> On Sat, Dec 30, 2000 at 12:44:41PM -0500, Mikhail Kruk wrote:
> > BTW, I wanted to ask for some time now, is it a good idea to report the
> > scans when I see them or is it a waste of time?
>
> Port scan reports are probably off-topic for this list. However you
> might be interested in the 'incidents' mailing list hosted by
> securityfocus.com which is for discussion of security incidents such
> as probing and break-ins.
>
> Kris

From owner-freebsd-security Mon Jan 1 17:24:51 2001
From: "unknown person"
To: dhagan@colltech.com, kris@FreeBSD.ORG
Cc: meshko@cs.brandeis.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Large scan activity
Date: Tue, 02 Jan 2001 01:24:44 -0000

That URL doesn't work :)
From owner-freebsd-security Mon Jan 1 17:35:29 2001
From: Bryan Bradsby
To: "freebsd-security@freebsd.org"
Subject: Re: Large scan activity
Date: Mon, 1 Jan 2001 19:35:27 -0600 (CST)
In-Reply-To: <3A511471.5DE87129@colltech.com>

> Also, see http://www.sans.org/giac.html for the GIAC (Global Incident

http://www.sans.org/giac.htm

I guess Sans doesn't use apache ;-]

-bryan bradsby
From owner-freebsd-security Mon Jan 1 21:49:22 2001
From: Attila Nagy
To: romualdo@uninet.com.br
Cc: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPSTEALTH - transparent router
Date: Tue, 2 Jan 2001 06:49:14 +0100 (CET)
In-Reply-To: <3a50d8b7.3a6d.0@uninet.com.br>

Hello,

> I have many routers with WaveLAN cards running FreeBSD and I am
> trying, without success, to make IPSTEALTH work. I want that when a
> machine does a traceroute it does not show my router and goes on its way.

sysctl -w net.inet.ip.stealth=1

--------------------------------------------------------------------------
Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.
                                              cell.: +3630 306 6758

From owner-freebsd-security Mon Jan 1 22:30:33 2001
From: Miklos Niedermayer
To: Attila Nagy
Cc: romualdo@uninet.com.br, freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPSTEALTH - transparent router
Date: Tue, 2 Jan 2001 07:30:23 +0100
Message-ID: <20010102073023.D309@bsd.hu>
In-Reply-To: from bra@fsn.hu on Tue, Jan 02, 2001 at 06:49:14AM +0100

Hello,

( > Attila Nagy)
> > I have many routers with WaveLAN cards running FreeBSD and I am
> > trying, without success, to make IPSTEALTH work. I want that when a
> > machine does a traceroute it does not show my router and goes on its way.
> sysctl -w net.inet.ip.stealth=1

...or you can live happily with IPFilter's fastroute feature, which does
exactly what you want.

--
bsd.hu
From owner-freebsd-security Tue Jan 2 06:38:08 2001
From: Jason D Jenkins
To: freebsd-security@FreeBSD.ORG
Subject: quick question
Date: Tue, 2 Jan 2001 08:38:05 -0600 (CST)

Has anyone ever seen this in their syslog:

Jan 1 16:25:53 int /kernel: rom 127.0.0.1:3051

?

I have no clue what this is reporting. Can anyone clarify?
From owner-freebsd-security Tue Jan 2 06:59:43 2001
From: Fernando Schapachnik
To: Roman Shterenzon
Cc: Warner Losh, security@FreeBSD.ORG
Subject: Re: Proposed modification to ftpd
Date: Tue, 2 Jan 2001 12:00:20 -0300 (ART)
Message-ID: <200101021500.MAA18599@ns1.via-net-works.net.ar>
In-Reply-To: "from Roman Shterenzon at Jan 1, 2001 10:05:33 am"

In an earlier message, Roman Shterenzon wrote:
> On Sun, 31 Dec 2000, Warner Losh wrote:
>
> > While the syntax is ugly, I agree that it would be useful to have in
> > our ftpd.
> >
> > In the little consulting I did, this was a huge, huge, huge requested
> > feature.
> >
> > While we could invent yet another syntax, it would likely be better to
> > use a slightly ugly, widely deployed syntax that people are familiar
> > with than a less ugly one they would be more inclined to make a
> > mistake with and have a false sense of security.
> Perhaps it's possible to leave the delimiter as an option, which defaults
> to "/./"? Or am I missing the point?

In the patch I made "/./" is an easily changeable #define.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA
From owner-freebsd-security Tue Jan 2 07:11:11 2001
From: Victor Ivanov
To: freebsd-security@freebsd.org
Subject: Re: quick question
Date: Tue, 2 Jan 2001 17:10:27 +0200
Message-ID: <20010102171027.A80047@icon.icon.bg>
In-Reply-To: from jdj168@casbah.it.northwestern.edu on Tue, Jan 02, 2001 at 08:38:05AM -0600

On Tue, Jan 02, 2001 at 08:38:05AM -0600, Jason D Jenkins wrote:
> Has anyone ever seen this in their syslog:
>
> Jan 1 16:25:53 int /kernel: rom 127.0.0.1:3051
>
> ?
>
> I have no clue what this is reporting. Can anyone clarify?

I guess it is "Refused connection to yourhost:someport from 127.0.0.1:3051".
Probably squid or named misbehaving as usual :)

If you have 'allow ip from any to any via lo0' and 'deny ip from any to
127.0.0.0/8' in your firewall it's probably not a security problem.

If you type dmesg you should see the whole message.
--
Players win and Winners play
Have a lucky day
From owner-freebsd-security Tue Jan 2 09:22:35 2001
From: mouss
To: Miklos Niedermayer, Attila Nagy
Cc: romualdo@uninet.com.br, freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPSTEALTH - transparent router
Date: Tue, 02 Jan 2001 18:27:33 +0100
Message-ID: <4.3.0.20010102182437.02274f00@pop.free.fr>
In-Reply-To: <20010102073023.D309@bsd.hu>

At 07:30 02/01/01 +0100, Miklos Niedermayer wrote:
> Hello,
>
> ( > Attila Nagy)
> > > I have many routers with WaveLAN cards running FreeBSD and I am
> > > trying, without success, to make IPSTEALTH work. I want that when a
> > > machine does a traceroute it does not show my router and goes on its way.
> > sysctl -w net.inet.ip.stealth=1
>
> ...or you can live happily with IPFilter's fastroute feature, which does
> exactly what you want.

There are differences though.

- with the sysctl, stealth applies to all connections, but packets follow
  the "standard" stack
- with ipfilter, you can force selective "stealth", but you follow
  ipfilter's forwarding functions. According to the ipfilter docs, there
  are concerns. Not a real problem, but one should know about it.
cheers,
mouss
From owner-freebsd-security Tue Jan 2 09:35:03 2001
From: Warner Losh
To: Fernando Schapachnik
Cc: Roman Shterenzon, security@FreeBSD.ORG
Subject: Re: Proposed modification to ftpd
Date: Tue, 02 Jan 2001 10:34:59 -0700
Message-ID: <200101021734.KAA30135@harmony.village.org>
In-Reply-To: <200101021500.MAA18599@ns1.via-net-works.net.ar>

In message <200101021500.MAA18599@ns1.via-net-works.net.ar> Fernando Schapachnik writes:
: In the patch I made "/./" is an easily changeable #define.

Maybe I missed the pointer to it, but can you post a pointer to your patch
for review? Audit@ might be a good list to cc it to as well.

Warner
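A worked illustration of the "/./" home-directory convention discussed in this thread (Jacques's "still a valid path" remark, Warner's ~foo point and ":" objection, Fernando's #define), added here as example code in Python; it is not FreeBSD's ftpd and not Fernando's patch. The default delimiter, the sample account and paths, and the first-occurrence rule are assumptions of the example.

```python
"""The wu-ftpd style "/./" home-directory convention from the thread.

Added example (Python, not FreeBSD's ftpd and not Fernando's patch).  A passwd
home field such as "/home/ftp/./pub/roman" means: chroot(2) to "/home/ftp",
then start the session in "/pub/roman" inside that root.  Because "." is a
no-op path component, the same string still resolves outside the chroot to
"/home/ftp/pub/roman", which is what keeps ~roman working for local tools.
"""
import posixpath

# The delimiter the thread settles on (Fernando keeps it as a #define).
CHROOT_DELIM = "/./"


def split_chroot_home(home, delim=CHROOT_DELIM):
    """Return (chroot_root, start_dir) for a home-directory field.

    Without the delimiter the account is not chrooted by this mechanism and
    (None, home) is returned.  Only the first delimiter is honoured, an
    assumption of this example.
    """
    if not home.startswith("/"):
        raise ValueError("home directory must be absolute: %r" % home)
    idx = home.find(delim)
    if idx == -1:
        return None, posixpath.normpath(home)
    root = posixpath.normpath(home[:idx] or "/")
    # Everything after the marker is a path relative to the new root.
    start = posixpath.normpath("/" + home[idx + len(delim):])
    return root, start


def path_outside_chroot(home, delim=CHROOT_DELIM):
    """The path a non-chrooted program (~user expansion, mail delivery) sees."""
    root, start = split_chroot_home(home, delim)
    if root is None:
        return start
    return posixpath.normpath(posixpath.join(root, start.lstrip("/")))


def delimiter_keeps_path_valid(delim, root="/home/ftp", start="pub/roman"):
    """Does the field built with this delimiter still name the same directory?

    "/./" does, which is Jacques's point.  ":" does not: the field would
    name a directory literally called "ftp:pub", and ":" is also the passwd
    field separator, so the entry would not even parse (Warner's objection).
    """
    field = root + delim + start
    return posixpath.normpath(field) == posixpath.normpath(root + "/" + start)


if __name__ == "__main__":
    for field in ("/home/ftp/./pub/roman", "/home/ftp/./", "/home/roman"):
        print(field, "->", split_chroot_home(field), path_outside_chroot(field))
    print('"/./" keeps the path valid:', delimiter_keeps_path_valid("/./"))
    print('":" keeps the path valid:', delimiter_keeps_path_valid(":"))
```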
From: Steven Kehlet
To: Rene de Vries
Cc: Luigi Rizzo , freebsd-security@freebsd.org
Subject: Re: statefull packet filter together with natd question
Message-ID: <20010102151817.F59927@leviathan.techfuel.com>
References: <20001220184937.A788@canyon.demon.nl> <200012201757.eBKHvIb77566@iguana.aciri.org> <20001220232239.A1012@canyon.demon.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001220232239.A1012@canyon.demon.nl>; from freebsd@canyon.demon.nl on Wed, Dec 20, 2000 at 11:22:39PM +0100
X-scanner: scanned by Inflex 0.1.4 - (http://www.spyda.co.za/inflex)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[ moved from -hackers to -security ]

For whatever it's worth, I struggled with this same problem for an
entire day before giving up and using ipfilter. It seems to me
that there is a fundamental problem with using the ipfw stateful
rules and natd (as I'm sure you discovered yourself): the ordering
of translation needs to be reversed upon return, and I couldn't
seem to find a way to do that with ipfw. That is, the ordering
should be:

out:
  1. make dynamic rule via keep state
  2. translate via natd

returning:
  3. untranslate via natd
  4. validate packet via dynamic rules

But there is no way to do this with ipfw because outgoing processing
stops at step #1, preventing the packets from reaching the natd
rule.

Another sensible scenario might be:

out:
  1. translate via natd
  2. make dynamic rule via keep state

returning:
  3. validate packet via dynamic rules
  4. untranslate via natd

But now you're screwed the other direction: you can't do steps #3
then #4 on returning because processing stops at #3.

I too started getting desperate and tried a number of tricks like
having two natd rules (none of which worked, however) :-). Please
correct me if my analysis is incorrect! :-) I like the interface
of ipfw much better than ipf and would rather use it if possible.

Steve

On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> Date: Wed, 20 Dec 2000 23:22:39 +0100
> From: Rene de Vries
> To: Luigi Rizzo
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
>
> On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > Currently I'm trying to move towards a stateful packet filter. When testing
> > > without nat all seems to work fine. But when I added natd (as the first
> > > rule) packets that were natd-ed on their way out had their return traffic
> > > blocked. The question is, what am I doing wrong?!?
> >
> > nat changes addresses and then reinjects packets in the firewall.
> > Chances are that there is no dynamic rule matching the
> > packet after the translation.
>
> This is what I know, the problem is how to nat at the right time. I played
> with two natting rules, one for incoming and one for outgoing traffic (to the
> same nat process) but I didn't get it working. This made me think that there
> should be a simple solution to this problem.
>
> --
> Rene de Vries http://www.tcja.nl mailto:rene@tcja.nl
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 2 15:41:43 2001
From owner-freebsd-security@FreeBSD.ORG Tue Jan 2 15:41:42 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail1.javanet.com (mail1.javanet.com [205.219.162.10]) by hub.freebsd.org (Postfix) with ESMTP id A456137B400 for ; Tue, 2 Jan 2001 15:41:41 -0800 (PST)
Received: from wintermute.sekt7.org (146-115-75-83.c6-0.brl-ubr1.sbo-brl.ma.cable.rcn.com [146.115.75.83]) by mail1.javanet.com (8.9.3/8.9.2) with ESMTP id SAA18139 for ; Tue, 2 Jan 2001 18:41:41 -0500 (EST)
Date: Tue, 2 Jan 2001 18:45:09 -0500 (EST)
From: Evan S
X-Sender: kaworu@wintermute.sekt7
To: freebsd-security@freebsd.org
Subject: Few questions about Jail
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey,

I run a project called Openroot. Basically, Openroot is a computer on my
network where I give root access to anyone. Openroot is run inside of a
Jail. It has been running for four weeks, without many problems.

Although, I am looking to make some modifications to Jail, and I was
wondering if someone could point me where to start. (I've already looked
at jail.c, and .h)

I want the Jail to be able to have a different secure level than the host
machine, therefore, I can eliminate the problem of users typing
'chflags schg _filename_' on Openroot, preventing the restore script from
working. In order to avoid this, Openroot runs in Securelevel 0, which I
do not like, because I'd like to be able to chflags schg login.conf in the
Jail's etc directory, to enter a process, memory, and cpu usage limit to
prevent fork bombs and such..

Thanks a lot,

Evan Sarmiento (kaworu@sektor7.ath.cx)
http://sekt7.org/es/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 2 16:16: 2 2001
From owner-freebsd-security@FreeBSD.ORG Tue Jan 2 16:15:58 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 2644F37B400; Tue, 2 Jan 2001 16:15:57 -0800 (PST)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id VAA49573; Tue, 2 Jan 2001 21:16:57 -0300 (ART)
From: Fernando Schapachnik
Message-Id: <200101030016.VAA49573@ns1.via-net-works.net.ar>
Subject: Re: Proposed modification to ftpd
In-Reply-To: <200101021734.KAA30135@harmony.village.org> "from Warner Losh at Jan 2, 2001 10:34:59 am"
To: Warner Losh
Date: Tue, 2 Jan 2001 21:16:57 -0300 (ART)
Cc: Fernando Schapachnik , Roman Shterenzon , security@FreeBSD.ORG, audit@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In an earlier message, Warner Losh wrote:
> In message <200101021500.MAA18599@ns1.via-net-works.net.ar> Fernando Schapachnik writes:
> : In the patch I made "/./" is an easily changeable #define.
>
> Maybe I missed the pointer to it, but can you post a pointer to your
> patch for review? Audit@ might be a good list to cc it to as well.

I did in my first post, but here it goes again: PR bin/23944. I also
submitted a follow up that for some reason can't be seen through the web
interface, which adds checks for strdup result values that are missing in
the first patch.

Regards.

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Switchboard: (54-11) 4323-3333 - Support: 0810-333-AYUDA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 2 18:10:25 2001
From owner-freebsd-security@FreeBSD.ORG Tue Jan 2 18:10:19 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.nighttide.net (jasper.nighttide.net [216.227.178.18]) by hub.freebsd.org (Postfix) with ESMTP id E617E37B400 for ; Tue, 2 Jan 2001 18:10:17 -0800 (PST)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.1/8.11.1) with ESMTP id f0329Ju20538; Tue, 2 Jan 2001 21:09:19 -0500 (EST) (envelope-from darren@nighttide.net)
Date: Tue, 2 Jan 2001 21:09:19 -0500 (EST)
From: Darren Henderson
Sender:
To: Steven Kehlet
Cc: Rene de Vries , Luigi Rizzo ,
Subject: Re: statefull packet filter together with natd question
In-Reply-To: <20010102151817.F59927@leviathan.techfuel.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Jan 2001, Steven Kehlet wrote:

> [ moved from -hackers to -security ]
>
> For whatever it's worth, I struggled with this same problem for an
> entire day before giving up and using ipfilter. It seems to me
> that there is a fundamental problem with using the ipfw stateful
> rules and natd (as I'm sure you discovered yourself): the ordering

Perhaps I'm missing the gist of the problem (not enough details here) but
I haven't seen any problems with this under 4.2-Stable, (haven't used natd
with a 5-Current system yet)....

Sample rule set follows. Let me know if you (or anyone for that matter)
see any problems with this.

#!/bin/sh

fwcmd="/sbin/ipfw"

oif="ppp0"
oip="a.b.c.d"

iif="dc0"
iip="10.a.b.c"
imk="10.a.b.c/8"

$fwcmd -f flush

# loopback has to work
$fwcmd add allow all from any to any via lo0

# disallow spoofing of loopback
$fwcmd add deny log all from any to 127.0.0.0/8

# disallow spoofing of our address
$fwcmd add deny log ip from $oip to any in via $oif

# no private space address should cross the outside interface
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

# stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif

# divert on the outside interface
$fwcmd add divert natd all from any to any via $oif

# allow all established sessions
$fwcmd add allow tcp from any to any established

# we want to allow some connections to originate outside
$fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup

# allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12

# allow udp dns queries
$fwcmd add allow udp from any to any 53
$fwcmd add allow udp from any 53 to any

# allow traceroute
$fwcmd add allow udp from any to $oip 33400-33499 via $oif

# allow smb traffic
$fwcmd add allow udp from any to any 137-139 via $iif

# dynamic rule set
$fwcmd add check-state

# let this machine talk to anyone
$fwcmd add allow ip from $oip to any keep-state out via $oif

# allow any traffic from the inner network to any
$fwcmd add allow ip from $imk to any keep-state via $iif

# deny everything else
$fwcmd add 65435 deny log logamount 1000 ip from any to any

______________________________________________________________________
Darren Henderson darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jan 2 20:45:47 2001
From owner-freebsd-security@FreeBSD.ORG Tue Jan 2 20:45:44 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from biperson.com (biperson.com [64.19.199.34]) by hub.freebsd.org (Postfix) with ESMTP id 4CD3237B404 for ; Tue, 2 Jan 2001 20:45:42 -0800 (PST)
Received: (from root@localhost) by biperson.com (8.9.3/8.9.3) id UAA04281 for FreeBSD-security@FreeBSD.org; Tue, 2 Jan 2001 20:45:40 -0800 Date: Tue, 2 Jan 2001 20:45:40 -0800 From: lolly@biperson.com Message-Id: <200101030445.UAA04281@biperson.com> To: FreeBSD-security@FreeBSD.org Subject: If you come only once, you've been cheated. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Our motto: More tail for less money. We've got whining, spoiled, American bitches getting what's coming to them. And liking it! Spum guzzling hose hogs who can't live without a white boy's jimmy or a black boy's cactus in their mouths 24 hours a day! (We have to punish them when they swallow instead of taking it on the face!) Delicate, oriental beauties with tight cooters getting split down the middle, lumberjack style! Sign me up Jack!!! Gorgeous, buxom, chocolate wenches that will make your snicker caramel its nuts! Latin lovelies getting their tacos stuffed with the biggest beef in Texas! Remember that teacher with big knobs whose skirt you used to look up? Yes? Well, we got her too! Young? Old? Thick? Thin? Tall? Short? Whatever! If it's got a hole and a temperature we've got it! http://64.19.199.34/index.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jan 3 0:13:21 2001 From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 00:13:19 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 025E537B698 for ; Wed, 3 Jan 2001 00:13:11 -0800 (PST) Received: (qmail 10163 invoked by uid 666); 3 Jan 2001 08:12:53 -0000 Date: Wed, 3 Jan 2001 10:12:53 +0200 
From: Alex Popa
To: freebsd-security@freebsd.org
Subject: Connections to UDP port 512
Message-ID: <20010103101253.A10140@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: razor@ldc.ro
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Any ideas as of what might be generating a few of these:

"Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2595"
(from log_in_vain, of course)

Thanks,
Alex

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 0:20:23 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 00:20:20 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail7.sc.rr.com (fe7.southeast.rr.com [24.93.67.54]) by hub.freebsd.org (Postfix) with ESMTP id 3208E37B400 for ; Wed, 3 Jan 2001 00:20:20 -0800 (PST)
Received: from sc.rr.com ([24.88.102.101]) by mail7.sc.rr.com with Microsoft SMTPSVC(5.5.1877.537.53); Wed, 3 Jan 2001 03:20:17 -0500
Received: (from dmaddox@localhost) by sc.rr.com (8.11.1/8.11.1) id f038KpS20652; Wed, 3 Jan 2001 03:20:51 -0500 (EST) (envelope-from dmaddox)
Date: Wed, 3 Jan 2001 03:20:51 -0500
From: "Donald J . Maddox"
To: Alex Popa
Cc: freebsd-security@freebsd.org
Subject: Re: Connections to UDP port 512
Message-ID: <20010103032051.A20577@cae88-102-101.sc.rr.com>
Reply-To: dmaddox@sc.rr.com
Mail-Followup-To: Alex Popa , freebsd-security@freebsd.org
References: <20010103101253.A10140@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010103101253.A10140@ldc.ro>; from razor-bsd-security@ldc.ro on Wed, Jan 03, 2001 at 10:12:53AM +0200
Return-Receipt-To: dmaddox@sc.rr.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It's just comsat. Mail...

On Wed, Jan 03, 2001 at 10:12:53AM +0200, Alex Popa wrote:
> Any ideas as of what might be generating a few of these:
>
> "Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2595"
> (from log_in_vain, of course)
>
> Thanks,
> Alex
>
> ------------+------------------------------------------
> Alex Popa,  | "Artificial Intelligence is
> razor@ldc.ro| no match for Natural Stupidity"
> ------------+------------------------------------------
> "It took the computing power of three C-64s to fly to the Moon.
> It takes a 486 to run Windows 95. Something is wrong here."
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 0:21:20 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 00:21:16 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id CCD9237B400 for ; Wed, 3 Jan 2001 00:21:16 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 3 Jan 2001 00:19:35 -0800
Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id f038LEb05937; Wed, 3 Jan 2001 00:21:14 -0800 (PST) (envelope-from cjc)
Date: Wed, 3 Jan 2001 00:21:14 -0800
From: "Crist J. Clark"
To: Alex Popa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Connections to UDP port 512
Message-ID: <20010103002114.B95729@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <20010103101253.A10140@ldc.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20010103101253.A10140@ldc.ro>; from razor-bsd-security@ldc.ro on Wed, Jan 03, 2001 at 10:12:53AM +0200
Sender: cjc@rfx-64-6-211-149.users.reflexcom.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 03, 2001 at 10:12:53AM +0200, Alex Popa wrote:
> Any ideas as of what might be generating a few of these:
>
> "Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2595"
> (from log_in_vain, of course)

biff(1)
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 0:24: 0 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 00:23:58 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.interactivate.com (unknown [63.141.73.15]) by hub.freebsd.org (Postfix) with ESMTP id ADFFD37B400 for ; Wed, 3 Jan 2001 00:23:58 -0800 (PST)
Received: from interactivate.com (snakcx408168-b.@cx408168-b.escnd1.sdca.home.com [24.20.227.61]) by mail.interactivate.com (8.11.1/8.11.1) with ESMTP id f038iuv28380; Wed, 3 Jan 2001 00:44:58 -0800 (PST) (envelope-from larry@interactivate.com)
Sender: lomion@mail.interactivate.com
Message-ID: <3A52E197.8B9829C5@interactivate.com>
Date: Wed, 03 Jan 2001 00:23:51 -0800
From: Lawrence Sica
Organization: Interactivate, Inc.
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Alex Popa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Connections to UDP port 512
References: <20010103101253.A10140@ldc.ro>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alex Popa wrote:
> Any ideas as of what might be generating a few of these:
>

grep 512 /etc/services
exec 512/tcp #remote process execution;
biff 512/udp comsat #used by mail system to notify users

It's generated by something trying to see if you have mail. I'm guessing
you have inetd turned off? The /etc/services file usually has a good list
of what is what based on port number.

--Larry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 0:27:38 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 00:27:36 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from fj.dkuug.dk (fj.dkuug.dk [195.215.30.71]) by hub.freebsd.org (Postfix) with ESMTP id 76E0437B402 for ; Wed, 3 Jan 2001 00:27:35 -0800 (PST)
Received: (from fj@localhost) by fj.dkuug.dk (8.8.8/8.8.8) id JAA21598; Wed, 3 Jan 2001 09:27:04 +0100 (CET) (envelope-from fj)
From: Flemming Jacobsen
Message-Id: <200101030827.JAA21598@fj.dkuug.dk>
Subject: Re: Connections to UDP port 512
In-Reply-To: <20010103101253.A10140@ldc.ro> from Alex Popa at "Jan 3, 2001 10:12:53 am"
To: razor-bsd-security@ldc.ro (Alex Popa)
Date: Wed, 3 Jan 2001 09:27:04 +0100 (CET)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: fj@fj.dkuug.dk
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Alex Popa wrote:
> Any ideas as of what might be generating a few of these:
> "Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2595"
> (from log_in_vain, of course)

Somebody got mail, and sendmail is trying to tell the fact to the
comsat (biff) server.

Either:
  + Add this to your sendmail .mc config file:
        define(`LOCAL_MAILER_FLAGS', LOCAL_MAILER_FLAGS`'P)dnl
  + Delete the biff-line in /etc/services
  + Start comsat in /etc/inetd.conf - BAD idea IMHO.
to make the messages stop.

FJ
--
Flemming Jacobsen Email: fj@batmule.dk Phone: +45 3916 1833
---=== If speed kills, Windows users may live forever. ===---

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 1:46:19 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 01:46:17 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id B33DF37B400 for ; Wed, 3 Jan 2001 01:45:59 -0800 (PST)
Received: (qmail 10618 invoked by uid 666); 3 Jan 2001 09:45:10 -0000
Resent-Message-ID: <20010103094510.10617.qmail@ldc.ro>
Date: Wed, 3 Jan 2001 10:27:51 +0200
From: Alex Popa
To: "Donald J . Maddox"
Subject: Re: Connections to UDP port 512
Message-ID: <20010103102751.A10258@ldc.ro>
References: <20010103101253.A10140@ldc.ro> <20010103032051.A20577@cae88-102-101.sc.rr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010103032051.A20577@cae88-102-101.sc.rr.com>; from dmaddox@sc.rr.com on Wed, Jan 03, 2001 at 03:20:51AM -0500
Resent-From: razor@ldc.ro
Resent-Date: Wed, 3 Jan 2001 11:45:10 +0200
Resent-To: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jan 03, 2001 at 03:20:51AM -0500, Donald J . Maddox wrote:
> It's just comsat. Mail...
>
> [snip]

Stupid me... did a grep 512 /etc/services and was distracted by 512/tcp
(exec)... Anyway, it seems to be procmail's fault.

Thanks a lot!
Alex

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 2:32:44 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 02:32:41 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 42D9937B400 for ; Wed, 3 Jan 2001 02:32:37 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.11.1/8.11.1) id f03AWQ479661; Wed, 3 Jan 2001 02:32:26 -0800 (PST) (envelope-from rizzo)
From: Luigi Rizzo
Message-Id: <200101031032.f03AWQ479661@iguana.aciri.org>
Subject: Re: statefull packet filter together with natd question
In-Reply-To: <20010102151817.F59927@leviathan.techfuel.com> from Steven Kehlet at "Jan 2, 2001 3:18:17 pm"
To: kehlet@fisix.com (Steven Kehlet)
Date: Wed, 3 Jan 2001 02:32:26 -0800 (PST)
Cc: freebsd@canyon.demon.nl, rizzo@aciri.org, freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: rizzo@iguana.aciri.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> entire day before giving up and using ipfilter. It seems to me
> that there is a fundamental problem with using the ipfw stateful

i think you are making the wrong assumption -- you can create the
dynamic rule and divert to natd by putting the 'keep-state' option
into the 'divert natd' rule (step 1&2 of your first example).

cheers
luigi

> rules and natd (as I'm sure you discovered yourself): the ordering
> of translation needs to be reversed upon return, and I couldn't
> seem to find a way to do that with ipfw. That is, the ordering
> should be:
>
> out:
> 1. make dynamic rule via keep state
> 2. translate via natd
>
> returning:
> 3. untranslate via natd
> 4. validate packet via dynamic rules
>
> But there is no way to do this with ipfw because outgoing processing
> stops at step #1, preventing the packets from reaching the natd
> rule.
>
> Another sensible scenario might be:
>
> out:
> 1. translate via natd
> 2. make dynamic rule via keep state
>
> returning:
> 3. validate packet via dynamic rules
> 4. untranslate via natd
>
> But now you're screwed the other direction: you can't do steps #3
> then #4 on returning because processing stops at #3.
>
> I too started getting desperate and tried a number of tricks like
> having two natd rules (none of which worked, however) :-). Please
> correct me if my analysis is incorrect! :-) I like the interface
> of ipfw much better than ipf and would rather use it if possible.
>
> Steve
>
>
>
> On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> > Date: Wed, 20 Dec 2000 23:22:39 +0100
> > From: Rene de Vries
> > To: Luigi Rizzo
> > Cc: freebsd-hackers@FreeBSD.ORG
> > Subject: Re: statefull packet filter together with natd question
> >
> > On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > > Currently I'm trying to move towards a statefull packet filter. When testing
> > > > without nat all seems to work fine. But when I added natd (as the first
> > > > rule) packets that were natd-ed on their way out had their return traffic
> > > > blocked. The question is, what am I doing wrong?!?
> > >
> > > nat changes addresses and then reinjects packets in the firewall.
> > > Chances are that there is no dynamic rule matching the
> > > packet after the translation.
> >
> > This is what I know, the problem is how to nat at the right time. I played
> > with two natting rules, one for incoming and one for outgoing traffic (to the
> > same nat process) but I didn't got working. This made me think that there
> > should be a simple solution to this problem.
> >
> > --
> > Rene de Vries http://www.tcja.nl mailto:rene@tcja.nl
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-hackers" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 10:45:42 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 10:45:37 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 9BC0537B400 for ; Wed, 3 Jan 2001 10:45:36 -0800 (PST)
Received: from wkst ([209.16.228.146]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id NAA04626; Wed, 3 Jan 2001 13:50:27 -0500
Reply-To:
From: "Peter Brezny"
To:
Cc:
Subject: RE: statefull packet filter together with natd question
Date: Wed, 3 Jan 2001 13:44:35 -0800
Message-ID: <001501c075ce$5de6e660$14011e0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is very similar to what I came up with.

http://www.bsdtoday.com/2000/December/Features359.html

Peter Brezny
SysAdmin Services Inc.

-----Original Message-----
From: darren@nighttide.net [mailto:darren@nighttide.net]
Sent: Tuesday, January 02, 2001 6:09 PM
To: Steven Kehlet
Cc: Rene de Vries; Luigi Rizzo; freebsd-security@FreeBSD.ORG
Subject: Re: statefull packet filter together with natd question

On Tue, 2 Jan 2001, Steven Kehlet wrote:

> [ moved from -hackers to -security ]
>
> For whatever it's worth, I struggled with this same problem for an
> entire day before giving up and using ipfilter. It seems to me
> that there is a fundamental problem with using the ipfw stateful
> rules and natd (as I'm sure you discovered yourself): the ordering

Perhaps I'm missing the gist of the problem (not enough details here) but
I haven't seen any problems with this under 4.2-Stable, (haven't used natd
with a 5-Current system yet)....

Sample rule set follows. Let me know if you (or anyone for that matter)
see any problems with this.

#!/bin/sh

fwcmd="/sbin/ipfw"

oif="ppp0"
oip="a.b.c.d"

iif="dc0"
iip="10.a.b.c"
imk="10.a.b.c/8"

$fwcmd -f flush

# loopback has to work
$fwcmd add allow all from any to any via lo0

# disallow spoofing of loopback
$fwcmd add deny log all from any to 127.0.0.0/8

# disallow spoofing of our address
$fwcmd add deny log ip from $oip to any in via $oif

# no private space address should cross the outside interface
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
$fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
$fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

# stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny log all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny log all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny log all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny log all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny log all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny log all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny log all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny log all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny log all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny log all from any to 240.0.0.0/4 in via $oif

# divert on the outside interface
$fwcmd add divert natd all from any to any via $oif

# allow all established sessions
$fwcmd add allow tcp from any to any established

# we want to allow some connections to originate outside
$fwcmd add allow tcp from any to $oip 21,22,25,53,80,113 setup

# allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0,3,4,8,11,12

# allow udp dns queries
$fwcmd add allow udp from any to any 53
$fwcmd add allow udp from any 53 to any

# allow traceroute
$fwcmd add allow udp from any to $oip 33400-33499 via $oif

# allow smb traffic
$fwcmd add allow udp from any to any 137-139 via $iif

# dynamic rule set
$fwcmd add check-state

# let this machine talk to anyone
$fwcmd add allow ip from $oip to any keep-state out via $oif

# allow any traffic from the inner network to any
$fwcmd add allow ip from $imk to any keep-state via $iif

# deny everything else
$fwcmd add 65435 deny log logamount 1000 ip from any to any

______________________________________________________________________
Darren Henderson darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 3 12: 5:19 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 12:05:12 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from pooka.techfuel.com (pooka.techfuel.com [216.133.15.161]) by hub.freebsd.org (Postfix) with ESMTP id A22D737B400 for ; Wed, 3 Jan 2001 12:05:12
-0800 (PST) Received: from basilisk.techfuel.com (mail-internal.techfuel.com [172.16.1.2]) by pooka.techfuel.com (8.9.3/8.9.3) with ESMTP id MAA43255; Wed, 3 Jan 2001 12:04:50 -0800 (PST) (envelope-from kehlet@fisix.com) Received: (from root@localhost) by basilisk.techfuel.com (8.9.3/8.9.3) id MAA72548; Wed, 3 Jan 2001 12:04:50 -0800 (PST) Received: from leviathan.techfuel.com (leviathan.techfuel.com [172.16.1.26]) by basilisk.techfuel.com (8.9.3/8.9.3) with ESMTP id MAA72485; Wed, 3 Jan 2001 12:04:49 -0800 (PST) Received: (from kehlet@localhost) by leviathan.techfuel.com (8.11.1/8.11.0) id f03K4nq68486; Wed, 3 Jan 2001 12:04:49 -0800 (PST) (envelope-from kehlet@fisix.com) X-Authentication-Warning: leviathan.techfuel.com: kehlet set sender to kehlet@fisix.com using -f Date: Wed, 3 Jan 2001 12:04:49 -0800 
From: Steven Kehlet To: Darren Henderson Cc: Rene de Vries , Luigi Rizzo , freebsd-security@freebsd.org Subject: Re: statefull packet filter together with natd question Message-ID: <20010103120449.A66966@leviathan.techfuel.com> References: <20010102151817.F59927@leviathan.techfuel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from darren@nighttide.net on Tue, Jan 02, 2001 at 09:09:19PM -0500 X-scanner: scanned by Inflex 0.1.4 - (http://www.spyda.co.za/inflex) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Your rules work :-), but because you're just passing any established tcp traffic you're not taking advantage of the security gain the statefulness of the firewall can give you (i.e., checking sequence numbers on established packets, etc). I see you got this from http://www.bsdtoday.com/2000/December/Features359.html. You could improve security by instead denying all established packets and putting this check after your check-state rule (as the ipfw manpage suggests). So let's say you do this. Now here's the problem I was originally bringing up: Internet-bound packets from your internal network still cause two dynamic rules to be created--one passing over the internal interface, untranslated; and the other passing over the external interface, translated--but because natd is at the top of your rules, returning packets get untranslated immediately and thus no packets ever touch the second dynamic rule. This second dynamic rule is left in a half-open state until it finally times out. Depending on how tightly you structure your rules this becomes more than just a nuisance :-). My question was: how can we arrange our rules to avoid creating this second superfluous dynamic rule? Luigi suggested adding keep-state on the natd rule itself, which I will try tonight. Thanks! 
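The rule order Steve describes, written out as an added example that is not a rule set from the thread or from any of its participants: check-state first, a deny on packets that claim to be established right after it, and keep-state on every rule that opens a flow. The interface names and addresses are placeholders chosen for this example, and the function only prints the ipfw commands unless FWCMD is set, so the order can be inspected on any host.

```sh
#!/bin/sh
# Added example: stateful ipfw + natd rule order, emitted as commands.
# FWCMD defaults to "echo" so the rules are printed rather than loaded;
# set FWCMD=/sbin/ipfw on the firewall host to apply them. The argument
# values used in the test are placeholders, not a real deployment.

build_ruleset() {
    oif=$1   # outside interface, e.g. ppp0
    oip=$2   # outside address
    iif=$3   # inside interface, e.g. dc0
    imk=$4   # inside network in CIDR form
    fw=${FWCMD:-echo}

    $fw -f flush
    $fw add allow all from any to any via lo0
    $fw add deny log all from any to 127.0.0.0/8
    $fw add deny log ip from "$oip" to any in via "$oif"
    $fw add deny log ip from "$imk" to any in via "$oif"

    # Translate first, so that the stateful rules below only ever see
    # packets with their real (internal) addresses.
    $fw add divert natd all from any to any via "$oif"

    # Dynamic rules are consulted before anything else that could match
    # a packet belonging to an existing flow.
    $fw add check-state
    # A packet with ACK set but no dynamic rule behind it is dropped here
    # instead of being waved through by a blanket "allow ... established".
    $fw add deny log tcp from any to any established

    # Every rule that opens a flow must keep state, or its reply packets
    # would now be caught by the deny above.
    $fw add allow tcp from any to "$oip" 21,22,25,53,80,113 setup keep-state in via "$oif"
    $fw add allow ip from "$oip" to any keep-state out via "$oif"
    $fw add allow ip from "$imk" to any keep-state via "$iif"
    $fw add allow icmp from any to any icmptypes 0,3,4,8,11,12
    $fw add 65435 deny log logamount 1000 ip from any to any
}

# Check an emitted rule list: check-state must precede the deny on
# established packets, and no blanket allow on established traffic may
# remain. Returns 0 when both hold, 1 otherwise.
rule_order_ok() {
    rules=$1
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    est=$(printf '%s\n' "$rules" | grep -n 'deny log tcp from any to any established' | head -n 1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$est" ] && [ "$cs" -lt "$est" ] || return 1
    if printf '%s\n' "$rules" | grep -q 'allow tcp from any to any established'; then
        return 1
    fi
    return 0
}
```

The consequence worth noticing is the `keep-state` on the inbound `setup` rule: once established packets are denied by default, any rule that admits a SYN without keeping state produces a connection whose replies are logged and dropped. Luigi's idea of putting keep-state on the divert rule itself, the thread's open question, is not included here because nobody in the thread had tested it yet.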
:-), Steve

On Tue, Jan 02, 2001 at 09:09:19PM -0500, Darren Henderson wrote:
> Date: Tue, 2 Jan 2001 21:09:19 -0500 (EST)
> From: Darren Henderson
> To: Steven Kehlet
> cc: Rene de Vries , Luigi Rizzo ,
> Subject: Re: statefull packet filter together with natd question
>
> [...]

From owner-freebsd-security Wed Jan 3 13:27: 1 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 13:26:55 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.nighttide.net (jasper.nighttide.net [216.227.178.18]) by hub.freebsd.org (Postfix) with ESMTP id B7B9F37B400 for ; Wed, 3 Jan 2001 13:26:53 -0800 (PST)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.1/8.11.1) with ESMTP id f03LQkx26186; Wed, 3 Jan 2001 16:26:46 -0500 (EST) (envelope-from darren@nighttide.net)
Date: Wed, 3 Jan 2001 16:26:46 -0500 (EST)
From: Darren Henderson
To: Peter Brezny
Subject: RE: statefull packet filter together with natd question
In-Reply-To: <001501c075ce$5de6e660$14011e0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, it's very similar. I borrowed from a number of sources, including your
web site. It was a great help. I hadn't kept the references unfortunately.
Apologies for that.

My main point was that the natd and dynamic rules weren't mutually
exclusive.

On Wed, 3 Jan 2001, Peter Brezny wrote:

> This is very similar to what i came up with.
>
> http://www.bsdtoday.com/2000/December/Features359.html
>
> Peter Brezny
> SysAdmin Services Inc.
>
> -----Original Message-----
> From: darren@nighttide.net [mailto:darren@nighttide.net]
> Sent: Tuesday, January 02, 2001 6:09 PM
> To: Steven Kehlet
> Cc: Rene de Vries; Luigi Rizzo; freebsd-security@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
>
> [...]

______________________________________________________________________
Darren Henderson darren@nighttide.net

Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Wed Jan 3 13:38: 9 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 13:38:07 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jasper.nighttide.net (jasper.nighttide.net [216.227.178.18]) by hub.freebsd.org (Postfix) with ESMTP id CCB6637B400 for ; Wed, 3 Jan 2001 13:38:05 -0800 (PST)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.1/8.11.1) with ESMTP id f03Lbo626233; Wed, 3 Jan 2001 16:37:50 -0500 (EST) (envelope-from darren@nighttide.net)
Date: Wed, 3 Jan 2001 16:37:50 -0500 (EST)
From: Darren Henderson
To: Steven Kehlet
Cc: Rene de Vries , Luigi Rizzo ,
Subject: Re: statefull packet filter together with natd question
In-Reply-To: <20010103120449.A66966@leviathan.techfuel.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Jan 2001, Steven Kehlet wrote:

> numbers on established packets, etc). I see you got this from
> http://www.bsdtoday.com/2000/December/Features359.html.

Yes, it was a very helpful site. Hopefully I haven't given the impression
that this was a personal creation; in future I need to make notation
regarding source material for such things. It is simply the current rule
set on one of my systems.

> You could improve security by instead denying all established
> packets and putting this check after your check-state rule (as the
> ipfw manpage suggests).
:
> My question was: how can we arrange our rules to avoid creating
> this second superfluous dynamic rule? Luigi suggested adding
> keep-state on the natd rule itself, which I will try tonight.

Ah, I did suspect I had missed the full nature of the problem. On the off
chance that I hadn't I just wanted to forward what I had; I know searching
for answers can be quite time consuming on occasion and I had it on hand.

Luigi's suggestion sounds promising.
Best of luck,
Darren

______________________________________________________________________
Darren Henderson darren@nighttide.net

Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Wed Jan 3 13:55: 4 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 13:55:01 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from pooka.techfuel.com (pooka.techfuel.com [216.133.15.161]) by hub.freebsd.org (Postfix) with ESMTP id 9041137B400 for ; Wed, 3 Jan 2001 13:55:01 -0800 (PST)
Received: from basilisk.techfuel.com (mail-internal.techfuel.com [172.16.1.2]) by pooka.techfuel.com (8.9.3/8.9.3) with ESMTP id NAA44075; Wed, 3 Jan 2001 13:54:55 -0800 (PST) (envelope-from kehlet@fisix.com)
Received: (from root@localhost) by basilisk.techfuel.com (8.9.3/8.9.3) id NAA88136; Wed, 3 Jan 2001 13:54:55 -0800 (PST)
Received: from leviathan.techfuel.com (leviathan.techfuel.com [172.16.1.26]) by basilisk.techfuel.com (8.9.3/8.9.3) with ESMTP id NAA88077; Wed, 3 Jan 2001 13:54:54 -0800 (PST)
Received: (from kehlet@localhost) by leviathan.techfuel.com (8.11.1/8.11.0) id f03Lssf73456; Wed, 3 Jan 2001 13:54:54 -0800 (PST) (envelope-from kehlet@fisix.com)
X-Authentication-Warning: leviathan.techfuel.com: kehlet set sender to kehlet@fisix.com using -f
Date: Wed, 3 Jan 2001 13:54:54 -0800
From: Steven Kehlet
To: Darren Henderson
Cc: freebsd-security@freebsd.org
Subject: Re: statefull packet filter together with natd question
Message-ID: <20010103135454.D68832@leviathan.techfuel.com>
References: <20010103120449.A66966@leviathan.techfuel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from darren@nighttide.net on Wed, Jan 03, 2001 at 04:37:50PM -0500
X-scanner: scanned by Inflex 0.1.4 - (http://www.spyda.co.za/inflex)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > numbers on established packets, etc). I see you got this from
> > http://www.bsdtoday.com/2000/December/Features359.html.
>
> Yes, it was a very helpful site. Hopefully I haven't given the impression
> that this was personal creation; in future I need to make notation

I'm sure no one got upset :-). I only pointed it out because the author of
that page (Peter Brezny) had joined in this thread, and other people might
be interested in that url as well :-). Credit never hurts, but in this
community we're all borrowing from each other anyway...

> Ah, I did suspect I had missed the full nature of the problem. On the off
> chance that I hadn't I just wanted to forward what I had, I know searching
> for answers can be quite time consuming on occassion and I had it on hand.

THANKS for offering your rules for discussion... I should have made my
appreciation more clear :-). There are very few examples of stateful ipfw +
natd out there...

Thanks!
:-), Steve

From owner-freebsd-security Wed Jan 3 21:16: 7 2001
From owner-freebsd-security@FreeBSD.ORG Wed Jan 3 21:16:05 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from dragon.awen.com (dragon.awen.com [208.176.22.138]) by hub.freebsd.org (Postfix) with ESMTP id 0C56B37B400 for ; Wed, 3 Jan 2001 21:16:05 -0800 (PST)
Received: (from mburgett@localhost) by dragon.awen.com (8.11.1/8.11.1) id f045G4j61054; Wed, 3 Jan 2001 21:16:04 -0800 (PST)
Message-ID:
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Wed, 03 Jan 2001 21:16:04 -0800 (PST)
Reply-To: Mike Burgett
Sender: mburgett@smaug.awen.com
From: Mike Burgett
To: security@freebsd.org
Subject: IPSec tunnels and natd
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I've a fairly recent -stable box (dec 19) that I use for natd/firewalling
for my internal net. It has a static default route to the outside world.

Recently, I added IPSec into the equation, and set up tunnels to three
networks on the other side of a Gauntlet GVPN box. The ipsec tunnels are
statically keyed, so setkey is only run at init.

Everything works, _most_ of the time, and I'm able to access the remote
nets from any machine in my internal net, with everything appearing on the
remotes as if it came from my tunnel-end.

Every so often, though, I start getting messages from natd:

"failed to write packet back (No route to host)"

If I go to another window, and start pinging the external IP of the GVPN
box (the other tunnel-end), it may or may not drop a few packets, and then
start working, and at that point my IPSec tunnels seem to be working again.

If I'm watching with tcpdump during this time, I don't see any ip traffic
going out to the other tunnel-end.

If I leave a 'ping' running to the other tunnel-end, I don't seem to see
the problem.

I'm game for sticking in some diag lines to try and gather more info about
the circumstances surrounding these events, but don't really know where to
start.

Constructive suggestions welcome.

Thanks,
Mike

----------------------------------
E-Mail: Mike Burgett
Date: 03-Jan-01
Time: 20:52:50

This message was sent by XFMail
----------------------------------

From owner-freebsd-security Thu Jan 4 3:30:19 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 03:30:11 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (mg134-005.ricochet.net [204.179.134.5]) by hub.freebsd.org (Postfix) with ESMTP id D875C37B400; Thu, 4 Jan 2001 03:30:06 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id DAA00395; Thu, 4 Jan 2001 03:29:33 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101041129.DAA00395@spammie.svbug.com>
Date: Thu, 4 Jan 2001 03:29:32 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: The Talk: ssh - are you nuts!?!
To: tech@openbsd.org
Cc: tech-security@netbsd.org, freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: jessem@spammie.svbug.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

SSH - are you nuts!?!
by Jesus Monroy, Jr.

I'm too tired to get this out, but i promised it would be available,
so here it is.

The Official Part
-----------------
On Jan. 4, 2001, a talk entitled "ssh - are you nuts!?!" will be given
at the SVBUG (Silicon Valley BSD User Group) monthly meeting by Club
President Jesse Monroy, Jr. Details available at:
http://www.svbug.com/events/

My part
-------
Today at 7:45pm (local time) this talk will start. People say I'm nuts,
sometimes I think they are right. Currently, I've heard hundreds of
points of views, read dozens of papers, and contemplated solutions with
vicious circles. Two days before Christmas I related this to my
brother-in-law, a Harvard/Yale/Cambridge MBA. His response was, "Builds
character."; hmm.. Thanks. Other club presidents ask me, "Are you
serious about this?" My business partner expressed, just after
Christmas, "Is this worth it?" I'll admit, at times, this whole thing
has been a bit crazy.

So as I've said today at 7:45pm local time, here in Silicon Valley, I
will be speaking. The title is "SSH - are you nuts!?!" What do I mean by
this? Well to get exactly what I mean you may:

1) Come to the talk. Details are available at:
   http://www.svbug.com/events/
2) See my notes after the talk - posted to:
   http://www.svbug.com/past/
3) Or see the event with on-line video when it's available later this
   year.

For those of you interested, below are selected points from my talk.

-------------------------------------------------------------------
-What I won't be saying
   -SSH is evil.
   -SSH is useless.
   -SSH is a bad idea.
   -Authentication/Encryption is a hoax or does not work.
   -Public Key Encryption does not work. (I have no proof.)
   -I can break Public Key Encryption. (At least, not now.)
   -I USE SSH. (1 or 2)
   -I never intend to use SSH.
   -My systems have never been compromised.
-My frame of reference
-What I will be saying
   -Voice my personal complaints
   -Expose encryption/security myths
   -Investigate the technical specs/issues
   -Investigate Technical, Social, Economic, Financial Problems
   -Investigate attackers and attacks
   -Tell you where to get SSH
   -Showing alternatives
-Why I'm doing this
-My Personal Complaints
-What people have to say
-SSHv1 vs. SSHv2
-SSHv2 Features
-The SSH Specs (the problems within)
-Authentication/Encryption - Two methods to argue
   -can never be broken
   -can always be broken
-SSH(v2) Faults
   -New Technical problems it creates
   -Technical Problems outside of SSH control
   -There are common misconceptions about its functionality
   -Social Problems
   -Economic Problems
   -Financial Problems
-Still Subject to ...
   -Who wants your data
   -What is the Man-In-The-Middle
   -Your Government's Involvement
-What SSH programs there are
-What alternatives you have
   -Start with a Strategem
   -Technical Prevention
   -Technical Counter Measures
-Last words

From owner-freebsd-security Thu Jan 4 7:27: 3 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 07:27:01 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from foghorn.strategicit.net (exchange.strategicit.net [207.17.172.204]) by hub.freebsd.org (Postfix) with ESMTP id 67E2F37B400 for ; Thu, 4 Jan 2001 07:27:00 -0800 (PST)
Received: by exchange.strategicit.net with Internet Mail Service (5.5.2650.21) id ; Thu, 4 Jan 2001 10:29:58 -0500
Message-ID: <6381A6A8826BD31199500090279CAFBA24F41A@exchange.strategicit.net>
From: "Portwood, Jason"
To: "'freebsd-security@FreeBSD.ORG'"
Subject: ftpd and anonymous setup
Date: Thu, 4 Jan 2001 10:29:53 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I noticed that the permissions given for the anonymous ftp setup in the
ftpd man page seem a little off. Now of course before anyone goes setting
up an anonymous FTP site they should be very cautious. That can't be said
enough.

From man 8 ftpd...

   ~ftp/pub
           Make this directory mode 777 and owned by ``ftp''. Guests can
           then place files which are to be accessible via the anonymous
           account in this directory.

Now that creates a directory that is world readable/writeable/executable.
So an anonymous user can upload but also download what he/she put up
there. As well as grab what others have placed there as well. If someone
takes it to heart and thinks they're fine they could eventually have
problems if found.

I think it might be better to have the following:

   ~ftp/pub
           Make the directory mode 555 and owned by ``ftp''.

   ~ftp/pub/upload
           Make this directory mode 773 and owned by ``ftp''.

I chose 773 to allow someone to be assigned to the group to control the
contents of that directory. That will allow files to be uploaded and not
be viewable. Of course there is still the problem that a directory could
be created in the upload directory. Files uploaded to that new directory
would be world readable so the problem starts all over again if it were
found. Security through obscurity isn't always the best but it does help a
little here...

Of course this is what wu-ftpd/ProFTPD is for if you need tighter control
on anonymous FTP. I wonder if a change to ftpd adding a flag to disable
anonymous users from directory creations would be a help with this? As
well as avoid yet another configuration file to have to deal with.

Just my thought.

Jason Portwood (jason@iac.net)
Internet Systems Administrator
Strategic / Internet Access Cincinnati
Sales & Tech Support 513-860-9052

From owner-freebsd-security Thu Jan 4 7:32:43 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 07:32:40 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 28BBE37B402 for ; Thu, 4 Jan 2001 07:32:40 -0800 (PST)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA59487; Thu, 4 Jan 2001 10:32:36 -0500 (EST) (envelope-from wollman)
Date: Thu, 4 Jan 2001 10:32:36 -0500 (EST)
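A check for the two filesystem exposures Jason describes, as an added example that is not code from the thread or from ftpd: it flags any directory under an anonymous FTP root that is at once world-writable and world-readable (the mode 777 case from ftpd(8)), and any subdirectory a client has created inside the drop-box directory, whose contents become listable again. The pub/upload drop-box path and the fixture layout are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit an anonymous-FTP tree for the exposures discussed
# above. Not from ftpd or from the thread; the pub/upload drop-box path
# is an assumption.

# audit_ftp_tree ROOT [DROPBOX]
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
audit_ftp_tree() {
    root=$1
    dropbox=$root/${2:-pub/upload}
    findings=$(
        # A directory that anonymous users can both write and read lets
        # anyone fetch whatever anyone else uploaded (the mode 777 case).
        find "$root" -type d -perm -002 -perm -004 |
            sed 's|^|world-writable and world-readable: |'
        # A directory created inside the drop box gets the default mode,
        # so files placed in it are listable and readable again.
        if [ -d "$dropbox" ]; then
            find "$dropbox" -type d ! -path "$dropbox" |
                sed 's|^|subdirectory inside drop box: |'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_fixture: constructs, in a fresh temporary directory, the mode 777
# layout from ftpd(8) under weak/ and the 555 + 773 layout under hard/.
# Prints the temporary directory's path. Modes are set explicitly so the
# result does not depend on the caller's umask.
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/weak/pub" "$base/hard/pub/upload"
    chmod 755 "$base/weak" "$base/hard"
    chmod 777 "$base/weak/pub"
    chmod 773 "$base/hard/pub/upload"
    chmod 555 "$base/hard/pub"
    printf '%s\n' "$base"
}
```

The audit only covers what directory modes control. A write-only drop box still lets an uploader pass the file name to someone else by other means, so a read-only session or uploads owned by a separate user are the stronger controls; the check above is for catching the layouts that leak without any such help.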
From: Garrett Wollman
Message-Id: <200101041532.KAA59487@khavrinen.lcs.mit.edu>
To: "Portwood, Jason"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: ftpd and anonymous setup
In-Reply-To: <6381A6A8826BD31199500090279CAFBA24F41A@exchange.strategicit.net>
References: <6381A6A8826BD31199500090279CAFBA24F41A@exchange.strategicit.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> I chose 773 to allow someone to be assigned to the group to control the
> contents of that directory.
> That will allow files to be uploaded and not be viewable.

Doesn't help -- the WaReZ d00dz are perfectly capable of telling their
31337 co-conspirators the name under which they have uploaded the file.

The only solution is an ftpd configuration option (like in wuftpd) which
creates files under a different user id and a mode which is not readable
by the kiddies.

A useful addition to ftpd would be an option to disable all operations
which would modify the filesystem.

-GAWollman

From owner-freebsd-security Thu Jan 4 8:16:56 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 08:16:53 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id D8C5B37B400 for ; Thu, 4 Jan 2001 08:16:52 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id KAA01257; Thu, 4 Jan 2001 10:16:52 -0600
Received: from colltech.com (dhcp5212.wdc.colltech.com [10.20.5.212]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id KAA23006; Thu, 4 Jan 2001 10:16:50 -0600
Message-ID: <3A54A1F4.1B090FF9@colltech.com>
Date: Thu, 04 Jan 2001 11:16:52 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman
Cc: "Portwood, Jason" , "'freebsd-security@FreeBSD.ORG'"
Subject: Re: ftpd and anonymous setup
References: <6381A6A8826BD31199500090279CAFBA24F41A@exchange.strategicit.net> <200101041532.KAA59487@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There's a flag (-r) that already defines a read-only mode. It could be
used for the anonymous account to prevent fs mods (I guess?). I'm messing
around w/ ftpd for the chroot stuff mentioned earlier, so I'll try to take
a look sometime and see what I can find out.

Daniel

Garrett Wollman wrote:
>
> < said:
>
> > I chose 773 to allow someone to be assigned to the group to control the
> > contents of that directory.
> > That will allow files to be uploaded and not be viewable.
>
> Doesn't help -- the WaReZ d00dz are perfectly capable of telling their
> 31337 co-conspirators the name under which they have uploaded the
> file.
>
> The only solution is an ftpd configuration option (like in wuftpd)
> which creates files under a different user id and a mode which is not
> readable by the kiddies.
>
> A useful addition to ftpd would be an option to disable all operations
> which would modify the filesystem.
> > -GAWollman > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 4 9:14:55 2001 From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 09:14:42 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from athena.cs.vt.edu (athena.cs.vt.edu [128.173.40.29]) by hub.freebsd.org (Postfix) with ESMTP id 863E037B400; Thu, 4 Jan 2001 09:14:41 -0800 (PST) Received: (from dhagan@localhost) by athena.cs.vt.edu (8.11.1/8.11.1) id f04HEfB75136; Thu, 4 Jan 2001 12:14:41 -0500 (EST) (envelope-from dhagan) Date: Thu, 4 Jan 2001 12:14:41 -0500 (EST) Message-Id: <200101041714.f04HEfB75136@athena.cs.vt.edu> To: freebsd-audit@freebsd.org Subject: Re: ftpd and anonymous setup (modified ftpd) From: Daniel Hagan Reply-To: Daniel Hagan Sender: Daniel Hagan Cc: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Here's a quick patch that includes the chroot/cwd patch mentioned earlier and a login.conf capability to set a session to read-only. [Apologies if you receive this twice, I think it got bounced at freebsd.org] Daniel Index: ftpcmd.y =================================================================== RCS file: /raid/ncvs/src/libexec/ftpd/ftpcmd.y,v retrieving revision 1.19 diff -u -r1.19 ftpcmd.y --- ftpcmd.y 2000/12/16 19:19:19 1.19 +++ ftpcmd.y 2001/01/04 15:55:42 @@ -92,6 +92,8 @@ extern char tmpline[]; extern int readonly; extern int noepsv; +extern int dochroot; +extern char *cd_dir, *chroot_dir; off_t restart_point; 
@@ -505,8 +507,11 @@ | CWD check_login CRLF { if ($2) { - if (guest) - cwd("/"); + if (guest || dochroot) + if (cd_dir != NULL) + cwd(cd_dir); + else + cwd("/"); else cwd(pw->pw_dir); } Index: ftpd.8 =================================================================== RCS file: /raid/ncvs/src/libexec/ftpd/ftpd.8,v retrieving revision 1.36 diff -u -r1.36 ftpd.8 --- ftpd.8 2000/12/18 08:33:25 1.36 +++ ftpd.8 2001/01/04 16:58:49 @@ -158,6 +158,10 @@ .It Fl r Put server in read-only mode. All commands which may modify the local filesystem are disabled. +Read-only mode may be set on a per account basis in +.Xr login.conf 5 +with the boolean capability "ftp-readonly". Once set in a session +it cannot be cleared (i.e. by USER). .It Fl E Disable the EPSV command. This is useful for servers behind older firewalls. @@ -311,13 +315,14 @@ or the user is a member of a group with a group entry in this file, i.e. one prefixed with .Ql \&@ , -the session's root will be changed to the user's login directory by +the session's root will be changed to the user's login directory (up to the first /./) by .Xr chroot 2 as for an .Dq anonymous or .Dq ftp account (see next item). +The user is placed into the directory that remainds after stripping the former from the user's login directory. This facility may also be triggered by enabling the boolean "ftp-chroot" capability in .Xr login.conf 5 . Index: ftpd.c =================================================================== RCS file: /raid/ncvs/src/libexec/ftpd/ftpd.c,v retrieving revision 1.72 diff -u -r1.72 ftpd.c --- ftpd.c 2000/12/20 03:34:54 1.72 +++ ftpd.c 2001/01/04 17:00:42 @@ -140,6 +140,7 @@ int anon_only = 0; /* Only anonymous ftp allowed */ int guest; int dochroot; +char *cd_dir = NULL, *chroot_dir = NULL; int stats; int statfd = -1; int type; 
@@ -188,6 +189,9 @@ char *pid_file = NULL; +/* WARNING: FTP_CHROOT_SEPARATOR *MUST* end in / */ +#define FTP_CHROOT_SEPARATOR "/./" + /* * Timeout intervals for retrying connections * to hosts that don't accept PORT cmds. This @@ -251,6 +255,7 @@ static char *sgetsave __P((char *)); static void reapchild __P((int)); static void logxfer __P((char *, long, long)); +static void get_chroot_and_cd_dirs __P((char *, char **, char **)); static char * curdir() @@ -1038,6 +1043,13 @@ logged_in = 0; guest = 0; dochroot = 0; + /* + * do not reset readonly to 0 b/c once session is ro, we leave it + * that way for security's sake. + */ + free(chroot_dir); + free(cd_dir); + chroot_dir = cd_dir = NULL; } #if !defined(NOPAM) @@ -1291,19 +1303,24 @@ login_getcapbool(lc, "ftp-chroot", 0) || #endif checkuser(_PATH_FTPCHROOT, pw->pw_name, 1); - if (guest) { +#ifdef LOGIN_CAP /* Check for ftp-readonly */ + if (readonly = 0) + readonly = login_getcapbool(lc, "ftp-readonly", 0); +#endif + if (guest || dochroot) { /* * We MUST do a chdir() after the chroot. Otherwise * the old current directory will be accessible as "." * outside the new root! */ - if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) { - reply(550, "Can't set guest privileges."); - goto bad; - } - } else if (dochroot) { - if (chroot(pw->pw_dir) < 0 || chdir("/") < 0) { - reply(550, "Can't change root."); + get_chroot_and_cd_dirs(pw->pw_dir, &chroot_dir, &cd_dir); + /* + * Do not free chroot_dir & cd_dir b/c they are used in + * processing CWD commands from client. They should be + * free'd during a user logout. + */ + if (chroot(chroot_dir) < 0 || chdir(cd_dir) < 0) { + reply(550, guest ? "Can't set guest privileges." : "Can't change root."); goto bad; } } else if (chdir(pw->pw_dir) < 0) { 
@@ -2802,5 +2819,50 @@ ctime(&now)+4, ident, remotehost, path, name, size, now - start + (now == start)); write(statfd, buf, strlen(buf)); + } +} + +/* + * Make a pointer to the chroot dir and another to the cd dir. + * The first is all the path up to the first FTP_CHROOT_SEPARATOR. + * The later is the remaining chars, not including the FTP_CHROOT_SEPARATOR, + * but prepending a '/', if FTP_CHROOT_SEPARATOR is found. + * Otherwise, return user_home_dir as chroot_dir and "/" as cd_dir. + */ +static void +get_chroot_and_cd_dirs(user_home_dir, chroot_dir, cd_dir) + char *user_home_dir; + char **chroot_dir; + char **cd_dir; +{ + char *p; + + /* Make a pointer to first character of string FTP_CHROOT_SEPARATOR + inside user_home_dir. */ + p = (char *) strstr(user_home_dir, FTP_CHROOT_SEPARATOR); + if (p == NULL) { + /* + * There is not FTP_CHROOT_SEPARATOR string inside + * user_home_dir. Return user_home_dir as chroot_dir, + * and "/" as cd_dir. + */ + if ((*chroot_dir = (char *) strdup(user_home_dir)) == NULL) + fatal("Ran out of memory."); + if ((*cd_dir = (char *) strdup("/")) == NULL) + fatal("Ran out of memory."); + } else { + /* + * Use strlen(user_home_dir) as maximun length for + * both cd_dir and chroot_dir, as both are substrings of + * user_home_dir. + */ + if ((*chroot_dir = malloc(strlen(user_home_dir))) == NULL) + fatal("Ran out of memory."); + if ((*cd_dir = malloc(strlen(user_home_dir))) == NULL) + fatal("Ran out of memory."); + (void) strncpy(*chroot_dir, user_home_dir, p-user_home_dir); + /* Skip FTP_CHROOT_SEPARATOR (except the last /). 
*/ + p += strlen(FTP_CHROOT_SEPARATOR)-1; + (void) strncpy(*cd_dir, p, strlen(p)); } } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jan 4 9:35:11 2001 From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 09:35:08 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fmdb.c3.hu (dial-146.digitel2002.hu [213.163.2.146]) by hub.freebsd.org (Postfix) with SMTP id D7A0237B402 for ; Thu, 4 Jan 2001 09:34:57 -0800 (PST) Received: (qmail 2710 invoked by uid 1004); 4 Jan 2001 17:34:50 -0000 Date: Thu, 4 Jan 2001 18:34:49 +0100 
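Review bot: in the ftpcmd.y CWD hunk, the new "if (guest || dochroot) if (cd_dir != NULL) cwd(cd_dir); else cwd("/"); else cwd(pw->pw_dir);" stacks two if/else pairs without braces. It parses as intended (each else binds to the nearest open if), but the second else is easy to misread as belonging to the cd_dir != NULL test and the next edit to either branch is likely to break it; wrap the inner if/else in braces so the structure is explicit.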
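Review bot: the ftpd.8 hunk introduces a typo in "The user is placed into the directory that remainds after stripping the former from the user's login directory." ("remainds" should be "remains"), and "(i.e. by USER)" in the read-only paragraph reads better as "(e.g. by a later USER command)", since USER is one example of how the session could otherwise be re-initialised rather than the definition of it.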
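Review bot: in the ftpd.c @@ -1291,19 +1303,24 @@ hunk, "if (readonly = 0)" is an assignment, not a comparison. It stores 0 in readonly and then tests that value, so login_getcapbool(lc, "ftp-readonly", 0) is never called and, worse, a daemon started with -r has its read-only mode silently cleared on every login. It should be "if (readonly == 0)" (or "if (!readonly)"); building with -Wall would have flagged the assignment-in-condition.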
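Review bot: in get_chroot_and_cd_dirs() (the @@ -2802,5 +2819,50 @@ hunk), neither result string is NUL-terminated when a separator is found. The buffers come from malloc(strlen(user_home_dir)), which does not zero them; strncpy(*chroot_dir, user_home_dir, p-user_home_dir) copies exactly p-user_home_dir bytes and writes no terminator because the source is longer than the count, and strncpy(*cd_dir, p, strlen(p)) likewise stops before the NUL. chroot() and chdir() then read past the intended path into uninitialised heap. The buffers are large enough (chroot_dir needs p-user_home_dir+1 bytes, cd_dir at most strlen(user_home_dir)-1), so add "(*chroot_dir)[p - user_home_dir] = '\0';" after the first copy and use strcpy(*cd_dir, p) for the second, or allocate strlen()+1 with calloc().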
From: Miklos Niedermayer
To: Romualdo Arcoverde
Cc: Attila Nagy , mouss , freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPSTEALTH - transparent router
Message-ID: <20010104183449.A1274@bsd.hu>
Mail-Followup-To: Miklos Niedermayer , Romualdo Arcoverde , Attila Nagy , mouss , freebsd-security@freebsd.org, freebsd-net@freebsd.org
References: <3a50d8b7.3a6d.0@uninet.com.br> <4.3.0.20010102182437.02274f00@pop.free.fr> <001601c075ff$62929de0$8250b5c8@isiteleinformatica.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <001601c075ff$62929de0$8250b5c8@isiteleinformatica.com.br>; from romualdo@uninet.com.br on Thu, Jan 04, 2001 at 01:28:15AM -0200
X-Operating-System: FreeBSD - The Power to Serve
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

( > Romualdo Arcoverde)
> I use sysctl and it works fine how I want; I have to use ipfw because I use
> dummynet.

We are using both IPFilter and ipfw. (ipfw for DUMMYNET and IPFilter for
packet filtering. But we are going to replace DUMMYNET with ALTQ)

-- 
______ o _. __ / / / (_(_(__(_) @ bsd.hu

From owner-freebsd-security Thu Jan 4 10: 7: 8 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 10:07:05 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from naughty.monkey.org (naughty.monkey.org [63.77.239.20]) by hub.freebsd.org (Postfix) with ESMTP id A886737B402 for ; Thu, 4 Jan 2001 10:07:05 -0800 (PST)
Received: by naughty.monkey.org (Postfix, from userid 1001) id 9053D10860D; Thu, 4 Jan 2001 13:06:59 -0500 (EST)
Received: from openbsd.cs.colorado.edu (openbsd.cs.colorado.edu [128.138.192.83]) by naughty.monkey.org (Postfix) with ESMTP id 752A010863D; Thu, 4 Jan 2001 12:26:35 -0500 (EST)
Received: from localhost (domo@localhost) by openbsd.cs.colorado.edu (8.10.1/8.10.1) with SMTP id f04HP1732309; Thu, 4 Jan 2001 10:25:01 -0700 (MST)
Received: by openbsd.org (TLB v0.11a (1.26 tibbs 1998/09/22 04:41:41)); Thu, 04 Jan 2001 10:21:57 -0700 (MST)
Received: (from domo@localhost) by openbsd.cs.colorado.edu (8.10.1/8.10.1) id f04HLtl31602 for tech-list; Thu, 4 Jan 2001 10:21:55 -0700 (MST)
Received: from citi.umich.edu (citi.umich.edu [141.211.92.141]) by openbsd.cs.colorado.edu (8.10.1/8.10.1) with ESMTP id f04HLsT02350 for ; Thu, 4 Jan 2001 10:21:54 -0700 (MST)
Received: from citi.umich.edu (ooty.citi.umich.edu [141.211.169.121]) by citi.umich.edu (Postfix) with ESMTP id 76813207C1 for ; Thu, 4 Jan 2001 12:21:53 -0500 (EST)
Subject: Re: The Talk: ssh - are you nuts!?!
To: tech@openbsd.org
From: Jim Rees
In-Reply-To: opentrax@email.com, Thu, 04 Jan 2001 03:29:32 PST
Date: Thu, 04 Jan 2001 12:21:53 -0500
Message-Id: <20010104172153.76813207C1@citi.umich.edu>
Sender: owner-tech@openbsd.org
X-Loop: tech@openbsd.org
Resent-From: dugsong@monkey.org
Resent-Date: Thu, 4 Jan 2001 13:06:59 -0500
Resent-To: tech-security@netbsd.org, freebsd-security@freebsd.org
Resent-Message-Id: <20010104180659.9053D10860D@naughty.monkey.org>
Resent-Sender: dugsong@naughty.monkey.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jesus Monroy, Jr. is a name I haven't heard in years, and had hoped to never
hear again. He is a famous net crank from long ago, and even had an alt.fan
newsgroup of his own. See, for example:

http://www.suslik.org/Humour/Computer/Internet/nl4.html#monroy

From owner-freebsd-security Thu Jan 4 10:48:28 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 10:48:24 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id 9410437B698; Thu, 4 Jan 2001 10:48:23 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id MAA13203; Thu, 4 Jan 2001 12:47:47 -0600
Received: from colltech.com (dhcp5212.wdc.colltech.com [10.20.5.212]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id MAA17030; Thu, 4 Jan 2001 12:47:45 -0600
Message-ID: <3A54C54F.90C7FFEC@colltech.com>
Date: Thu, 04 Jan 2001 13:47:43 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-audit@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, wollman@khavrinen.lcs.mit.edu
Subject: Re: ftpd and anonymous setup (modified ftpd)
References: <200101041714.f04HEfB75136@athena.cs.vt.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> +#ifdef LOGIN_CAP /* Check for ftp-readonly */
> + if (readonly = 0)
> + readonly = login_getcapbool(lc, "ftp-readonly", 0);
> +#endif

Doh! That should have been if (readonly == 0) ;-) Didn't see that first
time through.

Daniel

From owner-freebsd-security Thu Jan 4 11:30:11 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 11:30:07 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id 9335537B400; Thu, 4 Jan 2001 11:30:06 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id NAA16037; Thu, 4 Jan 2001 13:30:05 -0600
Received: from colltech.com (dhcp5212.wdc.colltech.com [10.20.5.212]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id NAA23159; Thu, 4 Jan 2001 13:30:05 -0600
Message-ID: <3A54CF3C.98CA7BF@colltech.com>
Date: Thu, 04 Jan 2001 14:30:04 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Guy Helmer , freebsd-security@freebsd.org, freebsd-audit@freebsd.org
Subject: Re: ftpd and anonymous setup (modified ftpd)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Guy Helmer wrote:
> Does this do what I think it does -- it appears if I login as a "ro" user,
> then login again as a different (not "ro") user, the session will still be
> "ro"? Granted, this doesn't happen often, but it seems to violate POLA...

Yes, this is the way it works given this patch (it's also explicitly
mentioned in the patch to the man page). If you reset the read-only setting
here, you need to make a different flag for login.conf read-only caps and
the -r read-only setting (since -r is daemon wide and should never be
modified at run-time).

If people think the POLA effect will be significant enough, I suppose I can
rewrite the patch to do that instead.

Daniel

From owner-freebsd-security Thu Jan 4 12:30:31 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 12:30:28 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id 04A7237B404; Thu, 4 Jan 2001 12:30:28 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id OAA20572; Thu, 4 Jan 2001 14:30:27 -0600
Received: from colltech.com (dhcp5212.wdc.colltech.com [10.20.5.212]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id OAA00648; Thu, 4 Jan 2001 14:30:26 -0600
Message-ID: <3A54DD5F.866B2FE2@colltech.com>
Date: Thu, 04 Jan 2001 15:30:24 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Guy Helmer , freebsd-security@FreeBSD.ORG, freebsd-audit@FreeBSD.ORG
Subject: Re: ftpd and anonymous setup (modified ftpd)
References: <3A54CF3C.98CA7BF@colltech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, since I've had more free time than I expected today, I went ahead and
fixed the patch to conserve POLA. Instead of spamming it one more time,
those interested can get it from

http://vtopus.cs.vt.edu/~dhagan/freebsd/ftpd.patch

Daniel

Daniel Hagan wrote:
[snip]
> I suppose I can rewrite the patch to do that instead.

From owner-freebsd-security Thu Jan 4 17:21:29 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 17:21:25 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from www3.infolink.com.br (www3.infolink.com.br [200.255.108.4]) by hub.freebsd.org (Postfix) with ESMTP id ABA6A37B400 for ; Thu, 4 Jan 2001 17:21:24 -0800 (PST)
Received: from diala11 (unverified [200.255.108.11]) by www3.infolink.com.br (Vircom SMTPRS 4.2.181) with SMTP id for ; Thu, 4 Jan 2001 23:21:22 -0300
Message-ID: <002501c076b5$d0c0d370$0b6cffc8@infolink.com.br>
From: "Antonio Carlos Pina"
To:
References: <3a50d8b7.3a6d.0@uninet.com.br> <4.3.0.20010102182437.02274f00@pop.free.fr> <001601c075ff$62929de0$8250b5c8@isiteleinformatica.com.br> <20010104183449.A1274@bsd.hu>
Subject: (was IPSTEALTH - transparent router) Dummynet and ALTQ
Date: Thu, 4 Jan 2001 23:21:22 -0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4029.2901
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4029.2901
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear,

Would you mind telling us why you're moving from Dummynet to ALTQ ?

The reason is I've heard a zillion times that "ALTQ is a terrible piece of
software". I've never used it and I've been thinking about giving it a try.

Feel free to write me directly or use freebsd-stable, since I feel this talk
is off-topic here.

Thank you,

Antonio Carlos Pina

> We are using both IPFilter and ipfw. (ipfw for DUMMYNET and IPFilter for
> packet filtering. But we are going to replace DUMMYNET with ALTQ)

From owner-freebsd-security Thu Jan 4 18:13:44 2001
From owner-freebsd-security@FreeBSD.ORG Thu Jan 4 18:13:41 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 420A037B400 for ; Thu, 4 Jan 2001 18:13:40 -0800 (PST)
Received: by goofy.epylon.lan with Internet Mail Service (5.5.2650.21) id ; Thu, 4 Jan 2001 18:13:39 -0800
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA024357@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Antonio Carlos Pina' , freebsd-security@freebsd.org
Subject: RE: (was IPSTEALTH - transparent router) Dummynet and ALTQ
Date: Thu, 4 Jan 2001 18:13:39 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C076BD.1E45B438"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Could anyone deliver me to a page with some details and/or comparison
between dummynet and altq? I am interested in exactly what it does/doesn't
do if that information is available :)..

Cheers!
-JD-

-------
Jason DiCioccio
Evil Genius
Unix BOFH
mailto:jasond@epylon.com
415-593-2761 Direct & Fax
415-593-2900 Main

Epylon Corporation
645 Harrison Street, Suite 200
San Francisco, CA 94107
www.epylon.com

BSD is for people who love Unix - Linux is for people who hate Microsoft

-----Original Message-----
From: Antonio Carlos Pina [mailto:apina@infolink.com.br]
Sent: Thursday, January 04, 2001 5:21 PM
To: freebsd-security@freebsd.org
Subject: (was IPSTEALTH - transparent router) Dummynet and ALTQ

Dear,

Would you mind telling us why you're moving from Dummynet to ALTQ ?

The reason is I've heard a zillion times that "ALTQ is a terrible piece of
software". I've never used it and I've been thinking about giving it a try.

Feel free to write me directly or use freebsd-stable, since I feel this talk
is off-topic here.

Thank you,

Antonio Carlos Pina

> We are using both IPFilter and ipfw. (ipfw for DUMMYNET and
> IPFilter for packet filtering. But we are going to replace
> DUMMYNET with ALTQ)

From owner-freebsd-security Fri Jan 5 4:47:15 2001
From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 04:47:12 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (mg136-026.ricochet.net [204.179.136.26]) by hub.freebsd.org (Postfix) with ESMTP id 6040C37B400 for ; Fri, 5 Jan 2001 04:47:09 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id EAA00386; Fri, 5 Jan 2001 04:46:41 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200101051246.EAA00386@spammie.svbug.com>
Date: Fri, 5 Jan 2001 04:46:40 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: A Review of: ssh and my meat loaf!!
To: tech@openbsd.org
Cc: tech-security@netbsd.org, freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: jessem@spammie.svbug.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

2001-01-05

Well opentrax@email.com (aka Jessem.) how did the talk go?

----
Were you the laughing stock?

I could not tell.

----
Did you ramble on?

I tried not to, but I suspect that at times -some- of my points did not
carry effectively.

----
Did your lack of expertise become more than obvious in the talk?

Well I'm not a security expert and I'm not an encryption expert, and I
stated that clearly in the talk. Beyond that, my points remain within the
knowledge that could be understandable by all that attended. The small
crowd was diverse, but educated, and at times some would chime in with my
points.

----
Wasn't there a heckler or two?

Yes, there was, always, someone that did try to abstract a point into
something else. Did that person have a valid point? Perhaps, but if that
person did not make a point within 2 or 3 sentences, I cut them off and
continued my talk. This was rude, to say the least. However, one person
actually tried to suggest that I presented NO alternatives to SSH. Even from
my notes, it can be seen that that is NOT the case.

----
In that case, were your suggestions for an alternative BETTER than SSH?

NO. Plainly, simply, no. In relative terms, a solution does not need to be
better to be the correct solution. As an example, I could cut meat loaf with
a LASER beam, but that does not make it "better". One could argue that the
LASER is more precise, wastes less meat, and even could split the atoms
more evenly, but that still does not make it better than my knife. One at
this point could argue, I'm suggesting an old-fashioned solution, and that
I should use a LASER beam. However, I'm using the knife at some expense.
Mainly, I now require power, the power company and a wall outlet to cut my
meat loaf. For want of a nail, I could continue in a vicious circle about
the "correct" or "better" alternative, but have I solved my original
problem..... Did I really have the problem I thought? Couldn't I just forego
the knife and eat the damn meat loaf with my hands..... I am hungry. :-)

----
Well, Jesse some people think you are still a moron, on drugs, or are
trolling for a rise from some people?

Hmm... I guess they are really going to be pissed off that I called Ron
Rivest a liar, and noted that Bruce Schneier corrected himself in "SECRETS
and LIES", by saying in the preface, "The error of 'Applied Cryptography'
is that I didn't talk at all about the context. I talked about cryptography
as if it were The Answer(tm). I was pretty naive." ...."A colleague once
told me that the world was full of bad security systems designed by people
who read 'Applied Cryptography'."

My complete notes will be posted to the website in 5 calendar days. The URL
is: http://www.svbug.com/past/

From owner-freebsd-security Fri Jan 5 10: 4:12 2001
From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 10:04:05 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from osiris.ipform.ru (osiris.ipform.ru [212.158.165.98]) by hub.freebsd.org (Postfix) with ESMTP id 8641637B400; Fri, 5 Jan 2001 10:03:49 -0800 (PST)
Received: from wp2 (wp2.office.ipform.ru [192.168.0.12] (may be forged)) by osiris.ipform.ru (8.11.1/8.11.1) with SMTP id f05I3D834106; Fri, 5 Jan 2001 21:03:14 +0300 (MSK) (envelope-from matrix@ipform.ru)
Message-ID: <000b01c07741$c85272c0$0c00a8c0@ipform.ru>
From: "Artem Koutchine"
To: "Odhiambo Washington"
Cc: ,
References: <001101c07727$b7040de0$0c00a8c0@ipform.ru> <20010105185756.A73265@poeza.iconnect.co.ke>
Subject: Re: Building a local network on switches (ANTISNIFFER measures)
Date: Fri, 5 Jan 2001 21:03:11 +0300
Organization: IP Form
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Somebody said that there is a way to fool it by flooding it with weird ARP
entries and the switch will fall back into hub mode. I wonder if it is true
for all hubs and if I can use a non-SNMP-controllable hub. SNMP-controllable
ones ARE WAY TOO EXPENSIVE, about 500$ per piece, and I need to substitute 8
hubs, that's at least 4000$. Unreal. So, will I be fine with that CNET CNSH
800 switching hub or does security cost more?

Regards,
Artem

----- Original Message -----
From: "Odhiambo Washington"
To: "Artem Koutchine"
Sent: Friday, January 05, 2001 6:57 PM
Subject: Re: Building a local network on switches (ANTISNIFFER measures)

> * Artem Koutchine [20010105 17:57]: writing on the subject 'Building a local network on switches (ANTISNIFFER measures)'
> Artem> Hello!
> Artem>
> Artem> We have a sniffer problem in our quite distributed network, because it is
> Artem> built using hubs. We are trying to replace them with switches and as an
> Artem> experiment got ourselves a CNET PowerSwitch CNSH-800 switching hub.
> Artem> However, it does not have any kind of programmatic control and learns MAC
> Artem> addresses itself. I wonder if it is the right thing to use? Could its
> Artem> security be
>
> I am not sure if it is a security loophole.
>
> Artem> compromised? How (is MAC address spoofing possible?)? If this switch is
> Artem> not the right thing, then which switch is (for reasonable price)?
>
> I know MAC address spoofing is possible but again how does someone start
> guessing a MAC address if they are outside your net?
>
> Artem>
> Artem> Regards,
> Artem> Artem Koutchine
>
> -Wash
>
> --
> Odhiambo Washington
> Inter-Connect Ltd.,
> wash@iconnect.co.ke
> 5th Flr Furaha Plaza
> Tel: 254 11 222604
> Nkrumah Rd.,
> Fax: 254 11 222636
> PO Box 83613 MOMBASA, KE.
>
> To live a pure unselfish life, one must count nothing as one's own in the
> midst of abundance.
> -Buddha

From owner-freebsd-security Fri Jan 5 10:48:14 2001
From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 10:48:11 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id E99E537B402 for ; Fri, 5 Jan 2001 10:48:09 -0800 (PST)
Received: (qmail 63191 invoked by uid 1001); 5 Jan 2001 18:48:08 +0000 (GMT)
To: matrix@ipform.ru
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Building a local network on switches (ANTISNIFFER measures)
From: sthaug@nethelp.no
In-Reply-To: Your message of "Fri, 5 Jan 2001 21:03:11 +0300"
References: <000b01c07741$c85272c0$0c00a8c0@ipform.ru>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Fri, 05 Jan 2001 19:48:08 +0100
Message-ID: <63189.978720488@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Somebody said that there is a way to fool it by flooding it with weird
> ARP entries and the switch will fall back into hub mode. I wonder if it
> is true for all hubs and if I can use a non-SNMP-controllable hub.

Think about how a hub works (or for that matter a switch). It has a MAC
address table of a certain finite size. If you send packets with a MAC
address which is not in the address table, the packet must be transmitted
on all ports (except the one it arrived on). MAC addresses are learned as
packets are received.

Thus in many cases you can force transmission on all ports by flooding the
hub or switch with lots of fake MAC addresses, thus flushing the real MAC
addresses from the table. (A switch may have a MAC address table per port -
but the original argument still holds.)

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Fri Jan 5 11:29:26 2001
From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 11:28:39 2001
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from HELLAWEB.COM (nickschuetz.dsl.visi.com [208.42.94.19]) by hub.freebsd.org (Postfix) with ESMTP id 81B8A37B400; Fri, 5 Jan 2001 11:28:37 -0800 (PST)
Received: from schuetzn ([209.181.237.141]) by HELLAWEB.COM (8.9.3/8.9.3) with SMTP id NAA29246; Fri, 5 Jan 2001 13:28:03 -0600 (CST) (envelope-from hellaenergy@hellaweb.com)
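The learning-table behaviour Steinar describes, as an added example that is not part of the thread (the LRU switch model, its table size, the host addresses and the detector threshold are constructed assumptions): a finite MAC table loses its legitimate entries once enough distinct source addresses arrive, after which a unicast frame is flooded out of every port, and a per-port count of distinct source MACs is the simplest signal that this is happening.

```python
"""Learning-switch model for the MAC-table argument above, with a per-port
detector.  Added example, not code from the mailing-list thread; the switch
model, its table size and the sample frames are constructed."""
from __future__ import annotations

from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC, as learned by the bridge
    dst: str      # destination MAC
    in_port: int  # port the frame arrived on


class LearningSwitch:
    """Transparent bridge with one shared, finite MAC table.

    The table is an LRU: a source address seen on a frame is (re)inserted at
    the newest end, and when the table is full the oldest entry is dropped.
    Real hardware differs in detail (hash buckets, per-port tables, ageing
    timers) but the consequence Steinar describes is the same: enough
    distinct source addresses push the legitimate ones out.
    """

    def __init__(self, ports: int, table_size: int) -> None:
        self.ports = ports
        self.table_size = table_size
        self.table: OrderedDict[str, int] = OrderedDict()

    def forward(self, frame: Frame) -> set[int]:
        """Learn frame.src on frame.in_port, then return the egress ports."""
        if frame.src in self.table:
            self.table.move_to_end(frame.src)
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)      # evict the oldest entry
        self.table[frame.src] = frame.in_port

        out = self.table.get(frame.dst)
        if out is None:
            # Unknown destination (or broadcast): flood to every other port.
            return {p for p in range(self.ports) if p != frame.in_port}
        if out == frame.in_port:
            return set()                        # same segment, filter it
        return {out}


class SourceLimitDetector:
    """Flags a port that has shown more distinct source MACs than expected.

    This is the idea behind per-port address limits on managed switches; an
    unmanaged switch cannot enforce it, but a monitor port or the upstream
    router can still observe the same signal and alert on it.
    """

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.seen: dict[int, set[str]] = {}

    def observe(self, frame: Frame) -> bool:
        macs = self.seen.setdefault(frame.in_port, set())
        macs.add(frame.src)
        return len(macs) > self.limit


def run_scenario(table_size: int = 8, flood_count: int = 64):
    """Return (egress before flood, egress after flood, detector fired)."""
    sw = LearningSwitch(ports=4, table_size=table_size)
    det = SourceLimitDetector(limit=4)
    host_a, host_b = "00:aa:00:00:00:01", "00:bb:00:00:00:02"   # constructed

    # Two legitimate hosts on ports 0 and 1 learn each other.
    sw.forward(Frame(host_a, host_b, 0))
    sw.forward(Frame(host_b, host_a, 1))
    before = sw.forward(Frame(host_a, host_b, 0))   # known unicast: {1}

    # Port 3 emits frames with many distinct, bogus source addresses.
    fired = False
    for i in range(flood_count):
        bogus = Frame(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
                      "ff:ff:ff:ff:ff:ff", 3)
        sw.forward(bogus)
        fired = det.observe(bogus) or fired

    # host_b has been evicted, so host_a's unicast now leaves on every port.
    after = sw.forward(Frame(host_a, host_b, 0))
    return before, after, fired


if __name__ == "__main__":
    print(run_scenario())   # ({1}, {1, 2, 3}, True)
```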
From: "Wonderful One"
To: "FreeBSD Security" , "FreeBSD Questions"
Subject: Sftp Port
Date: Fri, 5 Jan 2001 13:23:14 -0600
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000C_01C0771A.A8C5E350"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4029.2901
Importance: High
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello FreeBSD-Security,

Who here has installed sftp from the FreeBSD port and had success? I have
tried and all I seem to get are problems. What I did was download the
sftp.tar and then copied the pub/FreeBSD/branches/-current/ports/ftp/sftp
into /usr/ports/ftp. Then I cd'ed in to /usr/ports/ftp/sftp and typed make.
Here is what happens:

make
>> .tar.gz doesn't seem to exist on this system.
>> Attempting to fetch from ftp://ftp.xbill.org/pub/sftp/.
grep: /usr/ports/ftp/sftp/files/md5: No such file or directory
fetch: pub/sftp/.tar.gz: cannot get remote modification time
fetch: ftp://ftp.xbill.org/pub/sftp/.tar.gz: FTP error:
fetch: File unavailable (e.g., file not found, no access)
>> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
grep: /usr/ports/ftp/sftp/files/md5: No such file or directory
fetch: pub/FreeBSD/ports/distfiles/.tar.gz: cannot get remote modification time
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.tar.gz: FTP error:
fetch: File unavailable (e.g., file not found, no access)
>> Couldn't fetch it - please try to retrieve this
>> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.
*** Error code 1

Stop in /usr/ports/ftp/sftp.

And here is the blasted makefile that came with the FreeBSD port:

more Makefile
# New ports collection makefile for:    sftp
# Date created:         30 December 1999
# Whom:                 Cy Shubert <Cy.Shubert@uumail.gov.bc.ca>
#
# $FreeBSD: ports/ftp/sftp/Makefile,v 1.9 2000/10/08 00:58:54 asami Exp $
#

PORTNAME=       sftp
PORTVERSION=    0.9.6
CATEGORIES=     ftp security
MASTER_SITES=   ftp://ftp.xbill.org/pub/sftp/

MAINTAINER=     Cy.Schubert@uumail.gov.bc.ca

.include <bsd.port.pre.mk>

.if ${OSVERSION} < 400014
RUN_DEPENDS=    ssh:${PORTSDIR}/security/openssh
.endif

RESTRICTED=     "Calls external cryptographic routines."

GNU_CONFIGURE=  yes
CONFIGURE_ARGS= --enable-remotepath=${PREFIX}/libexec

MAN1=           secftp.1

PLIST=          ${WRKDIR}/.PLIST

do-install:
	${INSTALL_PROGRAM} ${WRKSRC}/sftp ${PREFIX}/bin/secftp
	${LN} -s ${PREFIX}/bin/secftp ${PREFIX}/bin/rsftp
	${INSTALL_PROGRAM} ${WRKSRC}/sftpserv ${PREFIX}/libexec/sftpserv
	${INSTALL_MAN} ${WRKSRC}/sftp.1 ${PREFIX}/man/man1/secftp.1
	${CP} ${PKGDIR}/pkg-plist.in ${PLIST}.unsorted
	@if [ ! -f ${PREFIX}/bin/sftp ]; then \
		${ECHO} "No other sftp found, linking sftp to secftp"; \
		${LN} -s ${PREFIX}/bin/secftp ${PREFIX}/bin/sftp; \
		${LN} -s ${PREFIX}/man/man1/secftp.1.gz ${PREFIX}/man/man1/sftp.1.gz; \
		${ECHO} bin/sftp >> ${PLIST}.unsorted; \
		${ECHO} man/man1/sftp.1.gz >> ${PLIST}.unsorted; \
	else \
		${ECHO} "Other sftp found, not linking sftp to secftp"; \
	fi
	@sort -u ${PLIST}.unsorted > ${PLIST}

.include

What is a brother to do?

Hellaenergy
From owner-freebsd-security Fri Jan 5 11:38:51 2001
From: Erick Mechler
To: Wonderful One
Cc: FreeBSD Security, FreeBSD Questions
Subject: Re: Sftp Port
Date: Fri, 5 Jan 2001 11:38:29 -0800
Message-ID: <20010105113829.A59389@techometer.net>

When was the last time you did a cvsup of the ports tree? It appears to me
that since you don't have the files/md5 for this port that you're still
using the old ports layout.

--Erick

At Fri, Jan 05, 2001 at 01:23:14PM -0600, Wonderful One said this:
:: Hello FreeBSD-Security,
::
:: Who here has installed sftp from the FreeBSD port and had success? I have
:: tried and all I seem to get are problems. What I did was download the
:: sftp.tar and then copied the pub/FreeBSD/branches/-current/ports/ftp/sftp
:: into /usr/ports/ftp. Then I cd'ed in to /usr/ports/ftp/sftp and typed make.
:: Here is what happens:
::
:: make
:: >> .tar.gz doesn't seem to exist on this system.
:: >> Attempting to fetch from ftp://ftp.xbill.org/pub/sftp/.
:: grep: /usr/ports/ftp/sftp/files/md5: No such file or directory
:: fetch: pub/sftp/.tar.gz: cannot get remote modification time
:: fetch: ftp://ftp.xbill.org/pub/sftp/.tar.gz: FTP error:
:: fetch: File unavailable (e.g., file not found, no access)
:: >> Attempting to fetch from
:: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
:: grep: /usr/ports/ftp/sftp/files/md5: No such file or directory
:: fetch: pub/FreeBSD/ports/distfiles/.tar.gz: cannot get remote modification
:: time
:: fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.tar.gz: FTP error:
:: fetch: File unavailable (e.g., file not found, no access)
:: >> Couldn't fetch it - please try to retrieve this
:: >> port manually into /usr/ports/distfiles/ and try again.
:: *** Error code 1
::
:: Stop in /usr/ports/ftp/sftp.
:: [...]
From owner-freebsd-security Fri Jan 5 11:52: 6 2001
From: "Artem Koutchine"
Subject: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 22:51:36 +0300
Organization: IP Form
Message-ID: <000701c07750$eb585e60$0c00a8c0@ipform.ru>
Hello!

I have reread all the followups on the questions I posted in mid
December.

first:

50% of the people said "SWITCH TO SWITCHES", 50% of the
people said: "EVEN SWITCHES CANNOT HELP"

Then mostly everyone started talking about SNMP controllable
switches with hardcoded MAC addresses for each port.

Then people started to talk about static ARP entries on the host.

ONE (ONLY ONE) person mentioned encryption, but did not elaborate
on that.

Well, let me remind the situation. I have a very heterogeneous network:
FreeBSD, Linux, Win9x, WinME, WinNT, Win2000. Now they are all
connected with hubs, which allows a sniffer to run and obtain all the mail
and web passwords easily. I need to stop it.

Buying a 500$ SNMP controllable switch is CRAZY. I will not do it. It is
way too expensive. It will cost us about 4000$.

So, as I see it, we have two possible solutions and one probable solution:

POSSIBLE N1:
Switches (NON SNMP controllable, which do not turn into a hub when flooded
with MAC addresses), hardcoded ARP entries on hosts
for router, DNS, MAIL, POP, corporate web (thank god it is the same host).

QUESTIONS:
Is it possible to hard code ARP entries in WINxxxxx?
Is there such a switch which does not fall back into hub mode when flooded
with MACs?

POSSIBLE N2:
Install a little FBSD/LINUX based router instead of each hub. Put a bunch
of NICs in each. Put each host on a separate NIC. Price: 100$ for the
Pentium166 based host + 8 NICs x 20$ = 100+160 = 260$ (twice as cheap as an
SNMP switch and twice as expensive as a simple switch)

QUESTIONS:
I wonder where do I get 8 IRQs for the NICs in the routing box.
Will the box with 4 PCI and 4 ISA NICs be able to hold on electricwise?

PROBABLE:
Some kind of transparent IP encryption.

QUESTIONS:
What kind of IP encryption?
Is it available for FBSD, Linux, WINxxxxx?

I hope someone would help.
Best regards,
Artem Koutchine

From owner-freebsd-security Fri Jan 5 12: 2:35 2001
From: "David G. Andersen"
To: matrix@ipform.ru (Artem Koutchine)
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 13:02:19 -0700 (MST)
Message-Id: <200101052002.NAA29203@faith.cs.utah.edu>
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru>

Lo and behold, Artem Koutchine once said:
>
> Buying 500$ SNMP controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.

Even a normal switch will help you out a fair bit against a lazy
attacker. It's not perfect, but the steps they'll need to take to
defeat the switch will make them more noticeable. Don't let the fact
that it's not a 100% solution prevent you from taking some simple steps
to _improve_ security. Just don't rely on it alone. You can get
decent switches quite cheaply these days.

> POSSIBLE N1:
> Switches (NON SNMP controllable, which do not turn into a hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thank god it is the same host).

Good luck.
Most switches are defeatable, especially without hardcoded MACs. It's
NOT enough security if hosts on your network are compromised.

> POSSIBLE N2:
> Install a little FBSD/LINUX based router instead of each hub. Put a bunch
> of NICs in each. Put each host on a separate NIC. Price: 100$ for the
> Pentium166 based host + 8 NICs x 20$ = 100+160 = 260$ (twice as cheap as an
> SNMP switch and twice as expensive as a simple switch)

Fails poorly. Switches are more reliable, run cooler, run more quietly,
and are easier to manage than a PC. Cheaper and faster, too. I wouldn't
do this in a million years. Adds more hosts that can be compromised, too.
You want a nice end-to-end solution.

> QUESTIONS:
> I wonder where do I get 8 IRQs for the NICs in the routing box.
> Will the box with 4 PCI and 4 ISA NICs be able to hold on electricwise?

You'd need to use multiport ethernet cards, which are ~$400 for 4 ports.
It's a bad idea.

> PROBABLE:
> Some kind of transparent IP encryption.
>
> QUESTIONS:
> What kind of IP encryption?
> Is it available for FBSD, Linux, WINxxxxx?

IPsec. IPsec. IPsec. FreeBSD, Linux, Win2k support it. Don't know
about MacOS. Doubt it until OSX, but I could be wrong. This is the
better solution.

A final solution is simply to encrypt all sensitive traffic at the
application layer. Use SSL for http/pop3/etc. Use SSH for remote
access. Etc. Not perfect, but works.
-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Fri Jan 5 12:12: 0 2001
From: "Artem Koutchine"
To: "David G. Andersen"
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 23:11:25 +0300
Message-ID: <002f01c07753$af808400$0c00a8c0@ipform.ru>
References: <200101052002.NAA29203@faith.cs.utah.edu>

> > PROBABLE:
> > Some kind of transparent IP encryption.
> >
> > QUESTIONS:
> > What kind of IP encryption?
> > Is it available for FBSD, Linux, WINxxxxx?
>
> IPsec. IPsec. IPsec. FreeBSD, Linux, Win2k support it. Don't know
> about MacOS. Doubt it until OSX, but I could be wrong. This is the
> better solution.

Well, then I need IPSec for Win9x, NT 4.x and ME too. Is there?

> A final solution is simply to encrypt all sensitive traffic at the
> application layer. Use SSL for http/pop3/etc. Use SSH for remote
> access. Etc. Not perfect, but works.

Nope, dsniff breaks SSL and SSH1.
Artem

From owner-freebsd-security Fri Jan 5 12:17:11 2001
From: "Scot W. Hetzel"
To: "Wonderful One", "FreeBSD Security", "FreeBSD Questions"
Subject: Re: Sftp Port
Date: Fri, 5 Jan 2001 14:16:42 -0600
Message-ID: <02b801c07754$6ca0a740$7d7885c0@genroco.com>

From: "Wonderful One"
> Who here has installed sftp from the FreeBSD port and had success? I have
> tried and all I seem to get are problems. What I did was download the
> sftp.tar and then copied the pub/FreeBSD/branches/-current/ports/ftp/sftp
> into /usr/ports/ftp. Then I cd'ed in to /usr/ports/ftp/sftp and typed make.
> Here is what happens:
>
> make
> >> .tar.gz doesn't seem to exist on this system.
> >> Attempting to fetch from ftp://ftp.xbill.org/pub/sftp/.
> grep: /usr/ports/ftp/sftp/files/md5: No such file or directory
> fetch: pub/sftp/.tar.gz: cannot get remote modification time

Here's your problem, a few months back the ports tree changed.
This requires you to at least update your /usr/ports/Mk/* files to compile
the ports. Or as someone has mentioned, you will need to use cvsup to
update your ports collection.

Scot

From owner-freebsd-security Fri Jan 5 12:17:33 2001
From: "John Howie"
To: "Artem Koutchine"
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 12:19:19 -0800
Message-ID: <019301c07754$c9469c20$0101a8c0@development.local>
References: <000701c07750$eb585e60$0c00a8c0@ipform.ru>

----- Original Message -----
From: "Artem Koutchine"
Sent: Friday, January 05, 2001 11:51 AM
Subject: Antisniffer measures (digest of posts)

> Hello!
>
> I have reread all the followups on the questions I posted in mid
> December.
>
> QUESTIONS:
> Is it possible to hard code ARP entries in WINxxxxx?

arp -s should do the trick - but you will need to ensure that the script
containing the mappings is executed at system startup - drop me an email
directly for more information.

> QUESTIONS:
> What kind of IP encryption?
> Is it available for FBSD, Linux, WINxxxxx?
>

Windows 2000 supports IPSec as does FreeBSD. I cannot comment about
support on Linux.

john...
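An added example, not from the thread: a script that checks a workstation's ARP cache against the pinned router/DNS/mail entries the static-ARP approach above depends on, and emits the `arp -s` lines that make them static. The `arp -an` sample, the addresses and the MACs are constructed.

```python
"""Audit a workstation's ARP cache against a pinned table of critical hosts.

Added example, not from the thread. Assumes `arp -an` output in the FreeBSD
format ("? (ip) at mac on iface [permanent] [ethernet]"). The pinned table
and the sample output are constructed for illustration.
"""
import re

# Constructed table of the hosts worth pinning on every workstation: the
# router, the DNS server and the mail/POP/web box (a single host, as in the
# thread). Addresses are made up.
PINNED = {
    "192.168.0.1": "00:00:0c:12:34:56",   # router
    "192.168.0.2": "00:50:04:aa:bb:cc",   # DNS
    "192.168.0.10": "00:a0:c9:11:22:33",  # mail / POP / corporate web
}

# Constructed `arp -an` output. Older FreeBSD releases print MACs without
# leading zeros (0:0:c:12:34:56), so the parser normalises octets.
SAMPLE_ARP_AN = """\
? (192.168.0.1) at 0:0:c:12:34:56 on fxp0 permanent [ethernet]
? (192.168.0.2) at 00:50:04:aa:bb:cc on fxp0 [ethernet]
? (192.168.0.10) at 00:e0:4c:de:ad:01 on fxp0 [ethernet]
? (192.168.0.77) at 00:e0:4c:de:ad:01 on fxp0 [ethernet]
? (192.168.0.99) at (incomplete) on fxp0 [ethernet]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))"
    r" on (?P<iface>\S+)(?P<flags>.*)$"
)


def normalize_mac(mac):
    """Zero-pad each octet so that 0:0:c:12:34:56 == 00:00:0c:12:34:56."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


def parse_arp_an(text):
    """Return {ip: (mac or None, iface, permanent)} from `arp -an` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"] == "(incomplete)" else normalize_mac(m["mac"])
        entries[m["ip"]] = (mac, m["iface"], "permanent" in m["flags"])
    return entries


def audit(pinned, entries):
    """Compare the live cache with the pinned table.

    Returns a sorted list of (ip, finding) pairs:
      MISMATCH   - the cache holds a different MAC than the pinned one, which
                   is what ARP spoofing looks like from the victim's side
      NOT_STATIC - right MAC, but the entry is dynamic and can be overwritten
      MISSING    - no usable entry for a pinned host
      DUPLICATE  - another IP in the cache carries the MAC currently mapped
                   to a pinned host (two IPs, one card)
    """
    findings = []
    pinned_norm = {ip: normalize_mac(mac) for ip, mac in pinned.items()}
    by_mac = {}
    for ip, (mac, _iface, _perm) in entries.items():
        if mac is not None:
            by_mac.setdefault(mac, []).append(ip)
    for ip, mac in pinned_norm.items():
        entry = entries.get(ip)
        if entry is None or entry[0] is None:
            findings.append((ip, "MISSING"))
            continue
        if entry[0] != mac:
            findings.append((ip, "MISMATCH"))
        elif not entry[2]:
            findings.append((ip, "NOT_STATIC"))
        for other in by_mac.get(entry[0], []):
            if other != ip:
                findings.append((other, "DUPLICATE"))
    return sorted(findings)


def pin_commands(pinned):
    """Commands that make the pinned entries static on a FreeBSD host.

    This only fixes this host's view of the router and servers; their own
    caches must be pinned as well or the return path stays spoofable.
    """
    return ["arp -s %s %s" % (ip, mac) for ip, mac in sorted(pinned.items())]


if __name__ == "__main__":
    for ip, finding in audit(PINNED, parse_arp_an(SAMPLE_ARP_AN)):
        print("%-14s %s" % (ip, finding))
    print("\n".join(pin_commands(PINNED)))
```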
From owner-freebsd-security Fri Jan 5 12:20:35 2001
From: Alfred Perlstein
To: Artem Koutchine
Cc: "David G. Andersen", security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 12:20:14 -0800
Message-ID: <20010105122014.H15744@fw.wintelcom.net>
In-Reply-To: <002f01c07753$af808400$0c00a8c0@ipform.ru>

* Artem Koutchine [010105 12:12] wrote:
>
> > A final solution is simply to encrypt all sensitive traffic at the
> > application layer. Use SSL for http/pop3/etc. Use SSH for remote
> > access. Etc. Not perfect, but works.
>
> Nope, dsniff breaks SSL and SSH1.

What's wrong with using SSH2? You can use port forwarding over
remote localhost to do it:

     __                      __
    /  \                    /  \
    |  \                    /  |
     \  \                  /  /
 _______\                 /________
| win95 |X-----[ssh]-----X| server |
 -------                   --------

?

As long as your users are somewhat intelligent about being wary of
"sudden key changes" then they should be fine.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
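An added illustration, not from the thread, of what makes the "sudden key changes" caveat enforceable rather than a matter of user judgement: a client that holds a pinned ssh_known_hosts file (the StrictHostKeyChecking setup raised later in the thread) refuses a changed host key outright instead of offering a yes/no prompt. The known_hosts contents and key bytes are constructed.

```python
"""Host-key pinning check of the kind an SSH client performs.

Added example, not from the thread. It models the decision ssh makes with a
distributed ssh_known_hosts file: the presented host key is compared with the
pinned one, and a changed key is refused, not prompted for. Key material
below is constructed; no real keys are involved.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key):
    """Build the public-key blob ssh-keygen writes for an ed25519 key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Return {hostname: (keytype, blob)} from known_hosts-style lines.

    Handles comma-separated host aliases and skips comments, blank lines
    and @-marker lines; hashed (|1|...) entries are out of scope here.
    """
    pinned = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        hosts, keytype, b64 = parts[:3]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            pinned[host] = (keytype, blob)
    return pinned


def check_host_key(pinned, host, keytype, blob, strict=True):
    """Decide like ssh with StrictHostKeyChecking=yes (or =ask when strict=False).

    Returns "ACCEPT", "REJECT_CHANGED", "REJECT_UNKNOWN" or "ASK".
    """
    entry = pinned.get(host)
    if entry is None:
        # =yes: never talk to a host we have no pinned key for.
        # =ask: the user decides (and must verify the fingerprint out of band).
        return "REJECT_UNKNOWN" if strict else "ASK"
    if entry == (keytype, blob):
        return "ACCEPT"
    # Known host, different key: the HOST IDENTIFICATION HAS CHANGED case.
    # A pinned client refuses here regardless of =yes or =ask; the old clients
    # that merely prompted are exactly what a sniffer-in-the-middle relies on.
    return "REJECT_CHANGED"


# Constructed keys: the server's real key and an unrelated one.
SERVER_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(100, 132)))

# Constructed ssh_known_hosts, as distributed to every client out of band.
KNOWN_HOSTS = (
    "# pinned host keys, constructed for this example\n"
    "server.example.org,192.168.0.10 ssh-ed25519 "
    + base64.b64encode(SERVER_KEY).decode() + "\n"
)


if __name__ == "__main__":
    pinned = parse_known_hosts(KNOWN_HOSTS)
    print("pinned server fingerprint:", fingerprint(SERVER_KEY))
    for host, key in [("192.168.0.10", SERVER_KEY),
                      ("server.example.org", OTHER_KEY),
                      ("mail.example.org", SERVER_KEY)]:
        print("%-20s %s" % (host, check_host_key(pinned, host, "ssh-ed25519", key)))
```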
From owner-freebsd-security Fri Jan 5 12:24:10 2001
From: Bill Moran
To: Artem Koutchine
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 05 Jan 2001 15:20:07 -0500
Message-ID: <3A562C77.8E67B7AE@mail.iowna.com>
References: <000701c07750$eb585e60$0c00a8c0@ipform.ru>

Artem Koutchine wrote:
> Well, let me remind the situation. I have a very heterogeneous network:
> FreeBSD, Linux, Win9x, WinME, WinNT, Win2000. Now they are all
> connected with hubs, which allows a sniffer to run and obtain all the mail
> and web passwords easily. I need to stop it.

If you want to replace hubs with switches, you're going to need to
replace EVERY ONE! I don't know how many that is for you.

If it's only POP3 & HTML passwords you're worried about, why not switch
your mail server to a secure auth protocol. I think APOP does this (not
sure) and use HTTPS on any web pages that have passwords?
-Bill

From owner-freebsd-security Fri Jan 5 12:25:33 2001
From: "David G. Andersen"
To: matrix@ipform.ru (Artem Koutchine)
Cc: dga@pobox.com (David G. Andersen), security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 13:25:13 -0700 (MST)
Message-Id: <200101052025.NAA01074@faith.cs.utah.edu>
In-Reply-To: <002f01c07753$af808400$0c00a8c0@ipform.ru>

Lo and behold, Artem Koutchine once said:
>
> > IPsec. IPsec. IPsec. FreeBSD, Linux, Win2k support it. Don't know
> > about MacOS. Doubt it until OSX, but I could be wrong. This is the
> > better solution.
>
> Well, then I need IPSec for Win9x, NT 4.x and ME too. Is there?

I don't know. You're asking on the FreeBSD mailing lists.

> > A final solution is simply to encrypt all sensitive traffic at the
> > application layer. Use SSL for http/pop3/etc. Use SSH for remote
> > access. Etc. Not perfect, but works.
>
> Nope, dsniff breaks SSL and SSH1.

Dsniff helps break improperly used and configured SSL and SSH. As a
blanket statement, what you said is incorrect.
If you securely distribute the public keys of the other machines to
/etc/ssh/ssh_known_hosts{2} and set StrictHostKeyChecking, you'll be fine,
unless you have users who deliberately try to circumvent security. But
that's a different problem entirely.

-Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Fri Jan 5 12:26:46 2001
From: "Artem Koutchine"
To: "Alfred Perlstein"
Cc: "David G. Andersen"
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 23:25:18 +0300
Message-ID: <005601c07755$b0604ac0$0c00a8c0@ipform.ru>
References: <200101052002.NAA29203@faith.cs.utah.edu> <002f01c07753$af808400$0c00a8c0@ipform.ru> <20010105122014.H15744@fw.wintelcom.net>

----- Original Message -----
From: "Alfred Perlstein"
To: "Artem Koutchine"
Cc: "David G. Andersen"
Sent: Friday, January 05, 2001 11:20 PM
Subject: Re: Antisniffer measures (digest of posts)

> * Artem Koutchine [010105 12:12] wrote:
> >
> > > A final solution is simply to encrypt all sensitive traffic at the
> > > application layer. Use SSL for http/pop3/etc. Use SSH for remote
> > > access. Etc. Not perfect, but works.
> >
> > Nope, dsniff breaks SSL and SSH1.
>
> What's wrong with using SSH2? You can use port forwarding over
> remote localhost to do it:

Hmm.. How do I do that on a Win9x box? How do I make use of SSH2 when
connecting to a POP3/SMTP/HTTP?

Artem

From owner-freebsd-security Fri Jan 5 12:30:17 2001
From: Dan Nelson
To: Artem Koutchine
Cc: "David G. Andersen", security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 14:30:00 -0600
Message-ID: <20010105142959.A27186@dan.emsphone.com>
In-Reply-To: <002f01c07753$af808400$0c00a8c0@ipform.ru>

In the last episode (Jan 05), Artem Koutchine said:
> > Nope, dsniff breaks SSL and SSH1.
>
dsniff does *not* "break" SSL or SSH1. If you are silly enough to answer
"yes" to the warning ssh spits out, you get what you deserve.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: HOST IDENTIFICATION HAS CHANGED!            @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Agent forwarding is disabled to avoid attacks by corrupted servers.
X11 forwarding is disabled to avoid attacks by corrupted servers.
Are you sure you want to continue connecting (yes/no)?

--
	Dan Nelson
	dnelson@emsphone.com

From owner-freebsd-security Fri Jan 5 15:46:39 2001
From: Robert Clark
To: Artem Koutchine
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Date: Fri, 5 Jan 2001 15:46:01 -0800
Message-ID: <20010105154601.A17529@darkstar.gte.net>
In-Reply-To: <000701c07750$eb585e60$0c00a8c0@ipform.ru>
I would look into the Intel Pro/100 S. (hardware assist 3DES 10/100
ethernet cards.) The intel site has info, but here is a site with a price
listed:

http://www.gotocol.com/inpro1brpcis.html

This isn't necessarily a better solution than ipsec via software, but it
would not cause as much of a performance hit.

I wonder if token ring suffers from this problem? 100VG?

[RC]

On Fri, Jan 05, 2001 at 10:51:36PM +0300, Artem Koutchine wrote:
> [...]
Put a bunch > of > NIC in each. Put each host on a reparate NIC. Price: 100$ for the Pentium166 > based host+ 8nics x 20$=100+160=260$ (twice as cheap as SNMP switch and > twice as expensive and a simple switch) > > QUESTIONS: > I wonder where do i get 8 IRQs for the NICs int the routing box. > Will the box with 4PCIs and 4ISA NICs be able to hold on electricwise? > > PROBABLE: > Some kind of tranparent IP encryprtion. > > QUESTIONS: > What kind of IP encryption? > Is it availbale for FBSD, Linux, WINxxxxx? > > > I hope someone would help. > > Best regards, > Artem Koutchine > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 5 15:54:29 2001 From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 15:54:25 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 6529037B400; Fri, 5 Jan 2001 15:54:25 -0800 (PST) Received: from x86w2kw1 - 216.103.48.12 by email.msn.com with Microsoft SMTPSVC; Fri, 5 Jan 2001 15:54:24 -0800 Message-ID: <01c501c07773$180d40c0$0101a8c0@development.local> From: "John Howie" To: "Robert Clark" , "Artem Koutchine" Cc: , References: <000701c07750$eb585e60$0c00a8c0@ipform.ru> <20010105154601.A17529@darkstar.gte.net> Subject: Re: Antisniffer measures (digest of posts) Date: Fri, 5 Jan 2001 15:56:16 -0800 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ----- Original Message ----- From: "Robert Clark" To: "Artem Koutchine" Cc: ; Sent: Friday, January 05, 2001 3:46 PM Subject: Re: Antisniffer measures (digest of posts) > I 
wonder if token ring suffers from this problem? 100VG?

Token Ring is worst of all - all data must pass through every node on the ring. Token Bus is no more secure. 100VG offers no better protection than most switchable hubs.

john...

From owner-freebsd-security Fri Jan 5 17:17:36 2001
Date: Fri, 5 Jan 2001 17:16:39 -0800 (PST)
From: Joseph Scott
To: Artem Koutchine
Cc: Alfred Perlstein, "David G. Andersen"
Subject: Re: Antisniffer measures (digest of posts)

On Fri, 5 Jan 2001, Artem Koutchine wrote:
#
# ----- Original Message -----
# From: "Alfred Perlstein"
# To: "Artem Koutchine"
# Cc: "David G. Andersen"
# Sent: Friday, January 05, 2001 11:20 PM
# Subject: Re: Antisniffer measures (digest of posts)
#
# > * Artem Koutchine [010105 12:12] wrote:
# > >
# > > > A final solution is simply to encrypt all sensitive traffic at the
# > > > application layer. Use SSL for http/pop3/etc. Use SSH for remote
# > > > access. Etc. Not perfect, but works.
# > >
# > > Nope, dsniff breaks SSL and SSH1.
# >
# > What's wrong with using SSH2? You can use port forwarding over
# > remote localhost to do it:
#
# Hmm.. How do I do that on a Win9x box? How do I make use of SSH2
# when connecting to a POP3/SMTP/HTTP?

You can get a very nice ssh windows client from:

http://www.ssh.com/

Depending on what type of organization you work for you may have to pay for licenses. I use it at my office, works nicely.

I've read through most of this thread and it sounds like something that would be helpful is to read up on dealing with network security in general, i.e., it's all about policy. If you don't have the ability to inflict consequences for breaking policy then it's likely that no amount/type of technology will fix everything 100%. I know it's hard to do, but more often than not, internal security boils down to a social solution more than a tech one. The policies should drive the technology, not the other way around.

All of that being said, I believe your best bet is to require use of "more" secure protocols, i.e., they don't send things in the clear. They will always be far from perfect, but they'll be a lot better than not using them at all.

***********************************************************
* Joseph Scott               The Office Of Water Programs *
* joseph@randomnetworks.com   joseph.scott@owp.csus.edu   *
***********************************************************

From owner-freebsd-security Fri Jan 5 17:50:20 2001
Date: Fri, 5 Jan 2001 20:49:21 -0800
From: "Peter Brezny"
Subject: changing kernsecurelevel
Message-ID: <001101c0779c$096cc260$46010a0a@sysadmininc.com>

How can I change the sysctl kern.securelevel from 2 to -1 without rebooting the machine?

I've run into problems installing new kernels with a kernel securelevel of 2, but so far, the only way I've figured out to change the kernel securelevel is to modify rc.conf, changing the securelevel and rebooting the machine.

How do I accomplish this without a reboot, or, if I am going at it all wrong, how do I rebuild the kernel of a machine with kern.securelevel=2?

TIA

Peter Brezny
SysAdmin Services Inc.

From owner-freebsd-security Fri Jan 5 18:07:33 2001
To: peter@sysadmin-inc.com
Cc: freebsd-security@freebsd.org
Subject: Re: changing kernsecurelevel
In-Reply-To: Message from "Peter Brezny" of "Fri, 05 Jan 2001 20:49:21 PST."
<001101c0779c$096cc260$46010a0a@sysadmininc.com>
Date: Fri, 05 Jan 2001 18:07:26 -0800
From: Dima Dorfman
Message-Id: <20010106020731.7678E3E02@bazooka.unixfreak.org>

> How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
> the machine.

You can't. The whole point of securelevel is that it can *never* be lowered.

> How do I accomplish this without a reboot, or, if I am going at it all
> wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?

You can't. If this is such a problem, don't raise the securelevel. Also take a look at http://www.freebsd.org/FAQ/admin.html#KERNEL-CHFLAG-FAILURE.

Dima Dorfman
dima@unixfreak.org

From owner-freebsd-security Fri Jan 5 18:12:12 2001
Date: Fri, 5 Jan 2001 18:11:36 -0800
From: Robert Clark
To: John Howie
Cc: Robert Clark, Artem Koutchine, security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <20010105181136.B17723@darkstar.gte.net>

I know that ring networks see the traffic as it goes around, I was more interested in whether the respective NIC chipsets allow for promiscuous mode.

I seem to remember that it's not a given that all network type hardware allows sniffing.

FDDI?

[RC]

On Fri, Jan 05, 2001 at 03:56:16PM -0800, John Howie wrote:
> > I wonder if token ring suffers from this problem? 100VG?
>
> Token Ring is worst of all - all data must pass through every node on the
> ring. Token Bus is no more secure. 100VG offers no better protection than
> most switchable hubs.
>
> john...

From owner-freebsd-security Fri Jan 5 18:16:31 2001
Date: Fri, 5 Jan 2001 19:16:14 -0700 (MST)
From: "David G. Andersen"
To: res03db2@gte.net (Robert Clark)
Cc: JHowie@msn.com (John Howie), res03db2@gte.net (Robert Clark), matrix@ipform.ru (Artem Koutchine), security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-Id: <200101060216.TAA23840@faith.cs.utah.edu>

Yes to token ring, yes to FDDI. If the medium supports broadcast, the odds are good it supports some kind of sniffing, though it may take more or less work to access it depending on your hardware.

I must say, though, that this is heading down the wrong line of questions, IMHO. Trying to find a network technology where the NICs are harder to throw into promiscuous mode is like building a glass outhouse and then trying to find nearsighted neighbors.

If you want half measures, buy some cheap switches and go for it. If you want more than half measures, you can try the hardcoded MAC + mac security on the switches approach. If you want real security, use end-to-end encryption of some form.

-Dave

Lo and behold, Robert Clark once said:
> I know that ring networks see the traffic as it goes around,
> I was more interested in whether the respective NIC chipsets
> allow for promiscuous mode.
>
> I seem to remember that it's not a given that all network
> type hardware allows sniffing.
>
> FDDI?
>
> [RC]
>
> On Fri, Jan 05, 2001 at 03:56:16PM -0800, John Howie wrote:
> > > I wonder if token ring suffers from this problem? 100VG?
> >
> > Token Ring is worst of all - all data must pass through every node on the
> > ring. Token Bus is no more secure. 100VG offers no better protection than
> > most switchable hubs.
> >
> > john...
--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Fri Jan 5 18:20:49 2001
Date: Fri, 5 Jan 2001 18:20:40 -0800
From: Erick Mechler
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
Message-ID: <20010105182040.A62789@techometer.net>

You can't change the securelevel to anything lower without rebooting the machine, but you can raise it. If you could lower it using some userland command, it won't really be that secure, no?

From the securelevel manpage:

     The kernel runs with four different levels of security. Any super-user
     process can raise the security level, but no process can lower it.

The securelevel definitions are also on the same manpage.

Regards,
Erick

At Fri, Jan 05, 2001 at 08:49:21PM -0800, Peter Brezny said this:
:: How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
:: the machine.
::
:: I've run into problems installing new kernels with a kernel securelevel of
:: 2, but so far, the only way I've figured out to change the kernel secure
:: level is to modify rc.conf, changing the secure level and rebooting the
:: machine.
::
:: How do I accomplish this without a reboot, or, if I am going at it all
:: wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?
::
:: TIA
::
:: Peter Brezny
:: SysAdmin Services Inc.

From owner-freebsd-security Fri Jan 5 18:27:15 2001
Date: Fri, 5 Jan 2001 21:30:22 -0500 (EST)
From: Evan S
To: Erick Mechler
Cc: Peter Brezny, freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel

I know this may seem crazy. But, I _want_ to be able to lower the secure level. What part of the source would I need to edit in order to fix this?

I have some special circumstances.. I run a public root-access machine.

Thanks,

Evan Sarmiento (kaworu@sektor7.ath.cx)
http://sekt7.org/es

On Fri, 5 Jan 2001, Erick Mechler wrote:

> You can't change the securelevel to anything lower without rebooting
> the machine, but you can raise it. If you could lower it using some
> userland command, it won't really be that secure, no?
>
> From the securelevel manpage:
>
>      The kernel runs with four different levels of security. Any super-user
>      process can raise the security level, but no process can lower it.
>
> The securelevel definitions are also on the same manpage.
>
> Regards,
> Erick
>
> At Fri, Jan 05, 2001 at 08:49:21PM -0800, Peter Brezny said this:
> :: How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
> :: the machine.
> ::
> :: I've run into problems installing new kernels with a kernel securelevel of
> :: 2, but so far, the only way I've figured out to change the kernel secure
> :: level is to modify rc.conf, changing the secure level and rebooting the
> :: machine.
> ::
> :: How do I accomplish this without a reboot, or, if I am going at it all
> :: wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?
> ::
> :: TIA
> ::
> :: Peter Brezny
> :: SysAdmin Services Inc.
From owner-freebsd-security Fri Jan 5 18:32:00 2001
Date: Fri, 5 Jan 2001 19:31:35 -0700 (MST)
From: "David G. Andersen"
To: kaworu@sektor7.ath.cx (Evan S)
Cc: emechler@techometer.net (Erick Mechler), peter@sysadmin-inc.com (Peter Brezny), freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
Message-Id: <200101060231.TAA24752@faith.cs.utah.edu>

Grep the source, luke. :)

/usr/src/sys/kern/kern_mib.c

	if (level < securelevel)
		return (EPERM);

If you remove these two lines, you'll demolish the point of securelevels.. er, you'll accomplish what you want. :-)

-Dave

Lo and behold, Evan S once said:
>
> I know this may seem crazy. But, I _want_ to be able to lower the secure
> level. What part of the source would I need to edit in order to fix this?
>
> I have some special circumstances.. I run a public root-access machine.
>
> Thanks,
>
> Evan Sarmiento (kaworu@sektor7.ath.cx)
> http://sekt7.org/es
>
> On Fri, 5 Jan 2001, Erick Mechler wrote:
>
> > You can't change the securelevel to anything lower without rebooting
> > the machine, but you can raise it. If you could lower it using some
> > userland command, it won't really be that secure, no?
> >
> > [...]

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

From owner-freebsd-security Fri Jan 5 19:03:06 2001
Date: Fri, 5 Jan 2001 22:02:46 -0500 (EST)
From: Darren Henderson
To: Artem Koutchine
Subject: Re: Antisniffer measures (digest of posts)

On Fri, 5 Jan 2001, Artem Koutchine wrote:

> So, as I see it, we have two possible solutions and one probable solution:

You missed one. If these machines are on your lan/wan then the users are somehow beholden to you. While not a technical solution, you should not overlook a strong, easily understandable, clearly exposed, widely and repeatedly disseminated security policy paired with swift and decisive administrative consequences for breaching that policy.
You shouldn't overlook the technical possibilities but when the potential problem is on the inside it is nearly impossible to deal with it completely in that realm. Especially if you are dealing with fairly savvy users as I believe you mentioned back in December.

______________________________________________________________________
Darren Henderson                                       darren@nighttide.net

                  Help fight junk e-mail, visit http://www.cauce.org/

From owner-freebsd-security Fri Jan 5 19:17:01 2001
Date: Fri, 5 Jan 2001 22:01:17 +0100
From: Gerhard Sittig
To: security@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <20010105220117.C253@speedy.gsinet>
Organization: System Defenestrators Inc.

On Fri, Jan 05, 2001 at 23:11 +0300, Artem Koutchine wrote:
>
> Well, then I need IPSec for Win9x, NT 4.x and ME too. Is there?

Ask one of the security related vendors of Windows software to offer VPN solutions. Mostly those who sell antivirus programs might have VPN solutions, too. Often they're even mixed together into one product.

> > A final solution is simply to encrypt all sensitive traffic
> > at the application layer. Use SSL for http/pop3/etc. Use
> > SSH for remote access. Etc. Not perfect, but works.
>
> Nope, dsniff breaks SSL and SSH1.

Nope. dsniff doesn't break any of these *mechanisms*. From what I got of the last discussions about it, it exploits _failures_ *users* make when thinking technology could solve human problems.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.

From owner-freebsd-security Fri Jan 5 19:32:24 2001
Date: Fri, 5 Jan 2001 22:34:26 -0500
From: Pete Fritchman
To: Evan S
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
Message-ID: <20010105223426.C14203@databits.net>

If you really want to temporarily lower it for an install, you could change your /etc/rc.conf value, reboot, install, change /etc/rc.conf back, reboot. If you modified your source to allow lowering of securelevel and then still used it, you'd be destroying any hint of what securelevel does for you.

-pete

++ 05/01/01 21:30 -0500 - Evan S:
>I know this may seem crazy. But, I _want_ to be able to lower the secure
>level. What part of the source would I need to edit in order to fix this?
>
>I have some special circumstances.. I run a public root-access machine.
>
>Thanks,
>
>Evan Sarmiento (kaworu@sektor7.ath.cx)
>http://sekt7.org/es
>
>On Fri, 5 Jan 2001, Erick Mechler wrote:
>
>> You can't change the securelevel to anything lower without rebooting
>> the machine, but you can raise it. If you could lower it using some
>> userland command, it won't really be that secure, no?
>>
>> [...]
>> :: >> :: >> :: >> :: To Unsubscribe: send mail to majordomo@FreeBSD.org >> :: with "unsubscribe freebsd-security" in the body of the message >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -- Pete Fritchman Databits Network Services, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jan 5 20:15:13 2001 From owner-freebsd-security@FreeBSD.ORG Fri Jan 5 20:15:11 2001 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [63.67.141.99]) by hub.freebsd.org (Postfix) with ESMTP id 45DBC37B400 for ; Fri, 5 Jan 2001 20:15:11 -0800 (PST) Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id XAA08034; Fri, 5 Jan 2001 23:15:01 -0500 (EST) Date: Fri, 5 Jan 2001 23:15:00 -0500 (EST) From: To: Peter Brezny Cc: freebsd-security@FreeBSD.ORG Subject: Re: changing kernsecurelevel In-Reply-To: <001101c0779c$096cc260$46010a0a@sysadmininc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 5 Jan 2001, Peter Brezny wrote: > How can I change the sysctl kern.securelevel from 2 to -1 without rebooting > the machine. You cant :-) Hence the word "secure" level. If you could what would be the point of it? > I've run into problems installing new kernels with a kernelsecure level of > 2, but so far, the only way I've figured out to change the kernel secure > level is to modify rc.conf, changing the secure level and rebooting the > machine. You are correct. Once the system is booted into a securelevel whether its -1, 0, 1 , 2 or 3 it cant be lowered. 
Any root owned process can RAISE it but nothing can lower it. > How do i accomplish this without a reboot, or, if i am going at it all > wrong, how do i rebuild the kernel of a machine with a kern.securelevel=2? You can't. The kernel will not install because the chflags when installing a kernel always add the immutable flag to it. So if you run in SL 2 you cant overwrite the kernel in place unless you boot to a SL of -1 or 0. chflags set on a file or device cannot be changed or altered at all in SL 1+. Man init for more info on this. ============================================================================= -Chris Watson (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek Work: scanner@jurai.net | Open Systems Inc., Wellington, Kansas Home: scanner@deceptively.shady.org | http://open-systems.net ============================================================================= WINDOWS: "Where do you want to go today?" LINUX: "Where do you want to go tommorow?" BSD: "Are you guys coming or what?" ============================================================================= irc.openprojects.net #FreeBSD -Join the revolution! 
ICQ: 20016186

From owner-freebsd-security Fri Jan  5 20:23:55 2001
Date: Fri, 05 Jan 2001 20:23:46 -0800
From: Dima Dorfman
To: Evan S
Cc: Erick Mechler, Peter Brezny, freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
In-Reply-To: Message from Evan S of "Fri, 05 Jan 2001 21:30:22 EST."
Message-Id: <20010106042351.41A523E02@bazooka.unixfreak.org>

> I know this may seem crazy. But, I _want_ to be able to lower the secure
> level. What part of the source would I need to edit in order to fix this?

Don't refer to it as fixing it, please, but you can use DDB to lower it if you want. I do this sometimes. For example:

dima@hornet% sudo sysctl -w kern.securelevel=2
kern.securelevel: -1 -> 2
dima@hornet% Debugger("manual escape to debugger")
Stopped at      Debugger+0x34:  movb    $0,in_Debugger.396
db> w securelevel 0xffffffff
securelevel             0x2     =       0xffffffff
db> c
/sbin/sysctl kern.securelevel
kern.securelevel: -1
dima@hornet%

If you're at a loss at what all of this does, I suggest you use one of the other methods that were presented to you.
Dima Dorfman
dima@unixfreak.org

From owner-freebsd-security Fri Jan  5 21:18:23 2001
Message-ID: <3A56ABF8.90C9F0D8@softweyr.com>
Date: Fri, 05 Jan 2001 22:24:08 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Artem Koutchine
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
References: <000701c07750$eb585e60$0c00a8c0@ipform.ru>

Artem Koutchine wrote:
>
> Hello!
>
> I have reread all the followups on the questions I posted in mid
> December.
>
> first:
>
> 50% of the people said "SWITCH TO SWITCHES", 50% of the
> people said: "EVEN SWITCHES CANNOT HELP"

Switches won't solve your problem 100%. They will keep MOST of your traffic off the other users' Ethernet ports; only broadcast or multicast traffic will reach them.

> Then mostly everyone started talking about SNMP controllable
> switches with hardcoded MAC addresses for each port.

SNMP is not the important part here; what you're looking for is a smart switch that allows you to control the behavior of the network.
Some smart switches will allow you to configure exactly what MAC addresses are allowed on a port; other MAC addresses will be ignored.

> Buying 500$ SNMP controllable switch is CRAZY. I will not do it. It is
> way too expensive. It will cost us about 4000$.

You don't say how many users you need to support. The HP4000M switch sells for $1800 and has 40 10/100 ports; it can be expanded to support another 40 10/100 ports in 5-port increments.

On the other hand, the rest of us really don't give a damn what you will or won't do, or consider crazy. If you ask for help, then reject the answers, please do so politely. If it doesn't fit your budget, just say so and keep your psychological opinions to yourself.

> So, as I see we have two possible solutions and one probable solution:
>
> POSSIBLE N1:
> Switches (NON SNMP controllable, which do not turn into hub when flooded
> with MAC addresses), hardcoded ARP entries on hosts
> for router, DNS, MAIL, POP, corporate web (thanks hot it is the same host).
>
> QUESTIONS:
> Is it possible to hard code ARP entries in WINxxxxx?

I don't know, nor do I care.

> Is there such switch which does not fall back into hub mode when flooded
> with
> MACs?

A non-manageable switch that does this? No. What you're asking for is just not how Ethernet works. If you want users to not sniff your network, have it written into your acceptable use policy that they get fired, thrown out of school, or beaten to a bloody pulp (as appropriate) if they use a sniffer on your network.

> POSSIBLE N2:
> Install a little FBSD/LINUX based router instead of each hub. Put a bunch
> of
> NIC in each. Put each host on a separate NIC. Price: 100$ for the Pentium166
> based host + 8 nics x 20$ = 100+160 = 260$ (twice as cheap as SNMP switch and
> twice as expensive as a simple switch)

This is a really bad idea. Search the mailing list archives for "receive livelock" to learn why a generic PCI machine with lots of 100BaseTX interfaces is a lockup waiting to happen.
> PROBABLE:
> Some kind of transparent IP encryption.
>
> QUESTIONS:
> What kind of IP encryption?
> Is it available for FBSD, Linux, WINxxxxx?

For some definition of xxxxx, yes. For Win95, no. You could probably buy an add-on product for several different varieties of Wankers that are supposed to support IPsec. If you think that'll cost less than buying a switch, you're CRAZY.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
wes@softweyr.com                                          http://softweyr.com/

From owner-freebsd-security Fri Jan  5 21:22:37 2001
Message-ID: <3A56AD06.BDD770B0@softweyr.com>
Date: Fri, 05 Jan 2001 22:28:38 -0700
From: Wes Peters
Organization: Softweyr LLC
To: sthaug@nethelp.no
Cc: matrix@ipform.ru, questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Building a local network on switches (ANTISNIFFER measures)
References: <000b01c07741$c85272c0$0c00a8c0@ipform.ru> <63189.978720488@verdi.nethelp.no>

sthaug@nethelp.no wrote:
>
> > Somebody said, that there is way to fool it by flooding it with weird
> > arpa entries and the switch will fall back into hub mode.
> > I wonder if it
> > is true for all hubs and if I can use non SNMP controllable hub.
>
> Think about how a hub works (or for that matter a switch). It has a
> MAC address table of a certain finite size. If you send packets with
> a MAC address which is not in the address table, the packet must be
> transmitted on all ports (except the one it arrived on).

Except some managed switches allow you to specify certain MAC addresses that are allowed on a given port. Packets received from other MAC addresses are dropped.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
wes@softweyr.com                                          http://softweyr.com/

From owner-freebsd-security Fri Jan  5 23:01:20 2001
From: Darren Reed
Message-Id: <200101060700.SAA24121@caligula.anu.edu.au>
Subject: Re: changing kernsecurelevel
In-Reply-To: from Evan S at "Jan 5, 1 09:30:22 pm"
To: kaworu@sektor7.ath.cx (Evan S)
Date: Sat, 6 Jan 2001 18:00:43 +1100 (EST)
Cc: emechler@techometer.net, peter@sysadmin-inc.com, freebsd-security@FreeBSD.ORG

In some mail from Evan S, sie said:
> I know this may seem crazy. But, I _want_ to be able to lower the secure
> level. What part of the source would I need to edit in order to fix this?
This would break the semantics of what it's meant to provide in terms of protection.

> I have some special circumstances.. I run a public root-access machine.

If that's saying what I think it is...

hahahahahaahahahahahahahahahahahahahahahaha

Just set securelevel to -1 when you boot - it won't make any difference anyway :-)

Darren

From owner-freebsd-security Sat Jan  6 08:41:45 2001
Date: Sat, 6 Jan 2001 11:41:40 -0500 (EST)
From: Robert Watson
To: Wintermute
Cc: freebsd-security@freebsd.org
Subject: Re: Access Control
In-Reply-To: <4.3.1.2.20001231051923.00aa2d90@mail.c2032.net>

On Sun, 31 Dec 2000, Wintermute wrote:

> I was wondering if anyone here has had any experience with implementing
> access control system(s) in FreeBSD. If anyone has any information
> regarding their experience with ACLs, etc. under FreeBSD (i.e. TrustedBSD),
> sharing that info would be very much appreciated! :)

Most of the TrustedBSD work is still experimental -- that said, experimentation is welcome :-). The TrustedBSD patches require recent -CURRENT systems, as they rely on extended attributes, only available in -CURRENT.
As such they're not ready for production use, although I've been using most of the features on my workstation and a server or two for the past few months, including ACLs and Capabilities. The ACL support currently lacks a POSIX.2c-compliant ACL setting tool, although it does include tools for setting ACLs in a non-compliant manner. If you're interested in contributing in that area, that would also be welcome.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Jan  6 08:53:57 2001
Date: Sat, 6 Jan 2001 11:53:48 -0500 (EST)
From: Garrett Wollman
Message-Id: <200101061653.LAA94674@khavrinen.lcs.mit.edu>
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
In-Reply-To: <200101060700.SAA24121@caligula.anu.edu.au>
References: <200101060700.SAA24121@caligula.anu.edu.au>

< said:

> In some mail from Evan S, sie said:
>> I know this may seem crazy. But, I _want_ to be able to lower the secure
>> level. What part of the source would I need to edit in order to fix this?

> This would break the semantics of what it's meant to provide in terms of
> protection.

It occurs to me that maybe what Evan is really looking for is the ability for jails to have their own separate securelevel settings.
I hope everyone can see how they might be useful.

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sat Jan  6 09:00:41 2001
Date: Sat, 6 Jan 2001 12:03:56 -0500 (EST)
From: Evan S
To: Garrett Wollman
Cc: Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
In-Reply-To: <200101061653.LAA94674@khavrinen.lcs.mit.edu>

That is exactly what I meant. I've posted that question before, and no one seemed to answer. So I contacted rwatson himself, and he told me how to go about fixing this dilemma I have.

Thanks a lot,

Evan Sarmiento (kaworu@sektor7.ath.cx)
http://sekt7.org/es

On Sat, 6 Jan 2001, Garrett Wollman wrote:

> < said:
>
> > In some mail from Evan S, sie said:
> >> I know this may seem crazy. But, I _want_ to be able to lower the secure
> >> level. What part of the source would I need to edit in order to fix this?
>
> > This would break the semantics of what it's meant to provide in terms of
> > protection.
>
> It occurs to me that maybe what Evan is really looking for is the
> ability for jails to have their own separate securelevel settings. I
> hope everyone can see how they might be useful.
>
> -GAWollman
>
> --
> Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
> wollman@lcs.mit.edu   | O Siem / The fires of freedom
> Opinions not those of | Dance in the burning flame
> MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Sat Jan  6 09:15:13 2001
Date: Sat, 6 Jan 2001 17:14:51 -0000
From: **1st Vamp**
Reply-To: **1st Vamp**
To: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel

Could you possibly post the reply to the list so that we all might prosper from the knowledge?

- Vamp

: That is exactly what I meant. I've posted that question before, and no one
: seemed to answer. So I contacted rwatson himself, and he told me how to go
: about fixing this dilemma I have.
: Thanks a lot,
:
: Evan Sarmiento (kaworu@sektor7.ath.cx)
: http://sekt7.org/es
:
: On Sat, 6 Jan 2001, Garrett Wollman wrote:
:
:> < said:
:>
:> > In some mail from Evan S, sie said:
:> >> I know this may seem crazy. But, I _want_ to be able to lower the
:> >> secure
:> >> level. What part of the source would I need to edit in order to fix
:> >> this?
:>
:> > This would break the semantics of what it's meant to provide in terms
:> > of
:> > protection.
:>
:> It occurs to me that maybe what Evan is really looking for is the
:> ability for jails to have their own separate securelevel settings. I
:> hope everyone can see how they might be useful.
:>
:> -GAWollman
:>
:> --
:> Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all
:> the same
:> wollman@lcs.mit.edu   | O Siem / The fires of freedom
:> Opinions not those of | Dance in the burning flame
:> MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad
:> Irschick

From owner-freebsd-security Sat Jan  6 10:42:17 2001
Date: Sat, 6 Jan 2001 13:41:54 -0500 (EST)
From: Robert Watson
To: Wes Peters
Cc: Artem Koutchine, security@FreeBSD.ORG,
    questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)
In-Reply-To: <3A56ABF8.90C9F0D8@softweyr.com>

I'm going to reply to Wes's message, but not necessarily specifically in response to his comments. I haven't had a chance to read all the messages in the thread yet, as I'm still catching up on back e-mail from my travel, but had a few comments to make that might or might not be relevant:

- Ethernet switches generally don't help with sniffing problems, even with hard-coded MAC addresses, as they only provide link-layer protection. As has been pointed out, a variety of ARP-layer, IP-layer, and application-layer tricks can be employed to overcome link-layer switch limitations, including ARP spoofing, IP redirects and router message spoofing, in addition to DNS spoofing.

- Limitations in SSH stem from the lack of an automated certification process, and from some clients that don't provide an interface for managing public key introduction or inconsistency reporting. In addition, all SSH clients I've used have problems differentiating service and transport namespaces, meaning that they are vulnerable to a variety of DNS and IP-spoofing based attacks. Most of these attacks can be addressed by integrating some form of certification into SSH (manual or automatic) using a signing or certificate mechanism, such as PGP-signed key fingerprints, integration into X.509 or DNSSEC cert hierarchies, or a key distribution service. However, the lack of a well-defined name->key binding mechanism presents a number of problems that must be resolved. I know of ongoing work to integrate DNSsec and OpenSSH at NAI Labs and (I believe) ISI. I assume other work has been done relating to X.509, but haven't seen it if so.
  The statements that the well-known dsniff man-in-the-middle attack stems entirely from user error are probably not correct -- clients don't provide even minimal key management functionality, many not even displaying fingerprints for new keys introduced, or not making correct use of name/IP->key mappings. That said, users who are careful and understand the implications of keying decisions made when using SSH will be safe from these attacks.

End-to-end encryption is probably the answer to the problems seen by this user -- however, FreeBSD has relatively poor IPsec integration due to lack of IKE in the base system, making configuration and management of IPsec somewhat of a nightmare. And without DNSsec, DNS spoofing can provide a number of avenues for attack even with IPsec (especially if NFS is used). If you limit use of network protocols to properly pre-keyed and certified SSH and anonymous services (such as http), you should be fine in practice. Kerberos can also provide relatively comprehensive protection, if configured correctly and with integrity/privacy protection turned on when appropriate.

For those seeking to remedy these problems, you might consider what would be involved in adding X.509 certificate support to SSH in the style of SSL, working with the OpenSSL project to provide an improved crypto-API with better algorithm abstractions, as well as work to improve the quality and integration of DNSsec implementations to help with deployment. Similarly, work to help the KAME project get their IKE daemon into production-quality condition would probably be widely welcomed and appreciated.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Jan  6 11:13:30 2001
Date: Sat, 6 Jan 2001 14:16:53 -0500 (EST)
From: Evan S
To: freebsd-security@freebsd.org
Subject: Re: A very quick Jail question (fwd)

Here is what rwatson said to me. :)

Evan Sarmiento (kaworu@sektor7.ath.cx)
http://sekt7.org/es

---------- Forwarded message ----------
Date: Sat, 6 Jan 2001 10:34:36 -0500 (EST)
From: Robert Watson
To: Evan S
Subject: Re: A very quick Jail question

On Thu, 4 Jan 2001, Evan S wrote:

> I'm running a project called Openroot, where everyone gets root on a
> FreeBSD 5.0-CURRENT computer, (http://www.open-root.org). It is run
> inside of a Jail. I'm really a proto-hacker, I haven't made any patches,
> or done much work for free software, but I think I know C very well, and
> have been looking through some of the Jail source code.

I actually logged into open-root a couple of times to look around, it seemed like a neat idea, although it also seemed that people were too willing to blow it away just because they could.
> Here is my dilemma:
> I want users inside of the Jail to not be able to set system immutable
> flags on any files.
> I want the Jail to run in a different secure level than the host
> If the host chflags schg a file in the Jail, a user in the jail cannot
> chflags noschg it even though the Jail is running in secure level 0.
>
> What files would I begin looking at to implement this?

Well, securelevels and jail() are really fairly independent creatures, and due to the nature of jail(), securelevels are not really all that necessary. The function of securelevel is to disable certain types of functionality when the securelevel variable is set appropriately; jail() works by disabling successful return of many suser() operations. As a result, jail() is almost always more restrictive than securelevel, in that it restricts most securelevel-restricted operations already. There may be a few isolated calls where jail() permits something unless securelevel is also set, but there shouldn't be many. The only one that comes to mind, actually, is the ability to open a device file -- jail() prevents the creation of new device files by processes in a jail, but doesn't prevent opening existing devices appearing in the jail's file system. securelevel actually limits the opening of devices that already exist. However, as long as you construct your jail properly, you shouldn't need to raise the global securelevel.

What we should probably do is go through the kernel and audit all use of the securelevel variable, and determine whether or not those instances are all protected from use within jail(). If you want to take the lead on this, that would be great, as I'm a bit on the over-loaded side right now, and probably won't get to doing this for about a month (and your need appears more short-term than that). I'd be glad to discuss any findings or concerns you have, however.
It might also be worth including the freebsd-security mailing list, since I think this would be an issue of interest to others also.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Sat Jan  6 12:47:09 2001
Date: Sat, 6 Jan 2001 15:46:58 -0500
From: Dug Song
To: Robert Watson
Cc: security@freebsd.org, questions@freebsd.org
Subject: Re: Antisniffer measures (digest of posts)
Message-ID: <20010106154658.Y898@naughty.monkey.org>
References: <3A56ABF8.90C9F0D8@softweyr.com>
In-Reply-To: ; from rwatson@FreeBSD.ORG on Sat, Jan 06, 2001 at 01:41:54PM -0500

On Sat, Jan 06, 2001 at 01:41:54PM -0500, Robert Watson wrote:
> However, the lack of a well-defined name->key binding mechanism
> presents a number of problems that must be resolved. I know of
> ongoing work to integrate DNSsec and OpenSSH at NAI Labs and (I
> believe) ISI.

see http://www.cs.jhu.edu/~smang/sshproject.html

> End-to-end encryption is probably the answer to the problems seen by this
> user -- however, FreeBSD has relatively poor IPsec integration due to lack
> of IKE in the base system, making configuration and management of IPsec
> somewhat of a nightmare.
monkey-in-the-middle attacks are certainly possible against IPsec's IKE as well, especially with the fervent push toward opportunistic encryption (resulting in "opportunistic" exploits :-)

-d.

p.s. thank you for the nice summary, Robert. this is a busy list!

---
http://www.monkey.org/~dugsong/

From owner-freebsd-security Sat Jan  6 12:55:19 2001
From: "Henk Wevers"
To: ,
Subject: Setup an IPSec VLAN with two cablemodem's
Date: Sat, 6 Jan 2001 21:55:13 +0100

Hi,

I did not find enough information on how to connect two intranets through a secure IPSec connection. After a few hours' work I did find a working configuration. Hope this document could help somebody with making IPSec VLAN VPN connections.

http://FreeBSD.cg.nu/ipsec.html

Please give comments, I am new to IPSec.
Henk Wevers

From owner-freebsd-security Sat Jan  6 22:03:28 2001
Message-ID: <3A58080E.335DEC57@softweyr.com>
Date: Sat, 06 Jan 2001 23:09:18 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Robert Watson
Cc: Artem Koutchine, security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Antisniffer measures (digest of posts)

Robert Watson wrote:
>
> I'm going to reply to Wes's message, but not necessarily specifically in
> response to his comments. I haven't had a chance to read all the messages
> in the thread yet, as I'm still catching up on back e-mail from my travel,
> but had a few comments to make that might or might not be relevant:
>
> - Ethernet switches generally don't help with sniffing problems, even with
>   hard-coded MAC addresses, as they only provide link-layer protection.
>   As has been pointed out, a variety of ARP-layer, IP-layer, and
>   application-layer tricks can be employed to overcome link-layer switch
>   limitations, including ARP spoofing, IP redirects and router message
>   spoofing, in addition to DNS spoofing.
> > - Limitations in SSH stem from the lack of an automated certification > process, and from some clients that don't provide an interface for > managing public key introduction or inconsistency reporting. In > addition, all SSH clients I've used have problems differentiating > service and transport namespaces, meaning that they are vulnerable to a > variety of DNS and IP-spoofing based attacks. Most of these attacks > can be addressed by integrating some form of certification into SSH > (manual or automatic) using a signing or certificate mechanism, such > as PGP-signed key fingerprints, integration into X.509 or DNSSEC > cert hierarchies, or a key distribution service. However, the lack > of a well-defined name->key binding mechanism presents a number of > problems that must be resolved. I know of ongoing work to integrate > DNSsec and OpenSSH at NAI Labs and (I believe) ISI. I assume other > work has been done relating to X.509, but haven't seen it if so. The > statements that the well-known dsniff man-in-the-middle attack stems > entirely from user error is probably not correct -- clients don't > provide even minimal key management functionality, many not even > displaying fingerprints for new keys introduced, or not making correct > use of name/IP->key mappings. That said, users who are careful and > understand the implications of keying decisions made when using SSH > will be safe from these attacks. > > End-to-end encryption is probably the answer to the problems seen by this > user -- however, FreeBSD has relatively poor IPsec integration due to lack > of IKE in the base system, making configuration and management of IPsec > somewhat of a nightmare. And without DNSsec, DNS spoofing can provide a > number of avenues for attack even with IPsec (especially if NFS is used). > If you limit use of network protocols to properly pre-keyed and certified > SSH and anonymous services (such as http), you should be fine in practice. 
> Kerberos can also provide relatively comprehensive protection, if > configured correctly and with integrity/privacy protection turned on when > appropriate. > > For those seeking to remedy these problems, you might consider what would > be involved in adding X.509 certificate support to SSH in the style of > SSL, working with the OpenSSL project to provide an improved crypto-API > with better algorithm abstractions, as well as work to improve the quality > and integration of DNSsec implementations to help with deployment. > Similarly, work to help the KAME project get their IKE daemon into > production-quality condition would probably be widely welcomed and > appreciated. Or just provide us with a really good telnet-over-SSL client. An excellent summary, Robert. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
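Robert's point about clients not displaying fingerprints for new keys and not checking the name/IP->key binding consistently can be shown with a small pinning check. This is an added example, not code from the thread or from any SSH implementation; the host names, addresses and key blobs are constructed (the blobs have the OpenSSH wire layout but are not real keys).

```python
import base64
import hashlib

def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in SSH public key blobs."""
    return len(b).to_bytes(4, "big") + b

def make_blob(keytype: str, raw: bytes) -> str:
    """Build a base64 key blob with the OpenSSH layout (constructed, not a real key)."""
    return base64.b64encode(ssh_string(keytype.encode()) + ssh_string(raw)).decode()

KEY_A = make_blob("ssh-ed25519", bytes(range(32)))        # constructed sample key
KEY_B = make_blob("ssh-ed25519", bytes(range(32, 64)))    # a different constructed key

# Constructed known_hosts-style pin table: name AND address bound to the same key.
KNOWN_HOSTS = f"""# constructed sample, hypothetical hosts
gw.example.org,192.0.2.10 ssh-ed25519 {KEY_A}
"""

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (base64 without padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map every host name or address on a line to its (keytype, blob)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob = line.split()[:3]
        for h in hosts.split(","):
            table[h] = (keytype, blob)
    return table

def verify(table: dict, name: str, addr: str, keytype: str, blob: str) -> str:
    """Check an offered key against BOTH the name and the address binding."""
    expected = {table.get(name), table.get(addr)}
    expected.discard(None)
    if not expected:
        return "unknown"        # first contact: show fingerprint, pin explicitly
    if len(expected) > 1:
        return "inconsistent"   # name and address are pinned to different keys
    if expected.pop() == (keytype, blob):
        return "ok"
    return "mismatch"           # key changed: refuse, do not silently re-pin
```

A client that only looks up the name (or only the address) never reaches the "inconsistent" case, which is exactly the gap a spoofed DNS answer or redirect exploits.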
