From owner-freebsd-security Sun Jun 17 1:45:15 2001
From: Sheldon Hearn
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Controlling imap access
Date: Sun, 17 Jun 2001 10:45:09 +0200
Message-ID: <15483.992767509@axl.seasidesoftware.co.za>

On Fri, 15 Jun 2001 13:54:32 EST, George.Giles@mcmail.vanderbilt.edu wrote:

> Is there a way using pam to have a user authenticate for imap access, but be
> unable to login?

You don't need PAM for this. Set the user's shell to /sbin/nologin.

Ciao,
Sheldon.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 17 7:23: 0 2001
From: dmp
To: Sheldon Hearn
Cc: George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org
Subject: Re: Controlling imap access
Date: Sun, 17 Jun 2001 07:22:52 -0700
Message-ID: <3B2CBD3C.7599AB7D@pantherdragon.org>

Sheldon Hearn wrote:
> On Fri, 15 Jun 2001 13:54:32 EST, George.Giles@mcmail.vanderbilt.edu wrote:
>
> > Is there a way using pam to have a user authenticate for imap access, but be
> > unable to login?
>
> You don't need PAM for this. Set the user's shell to /sbin/nologin.

It depends on the IMAP daemon. Some will disallow the user if their shell is
/sbin/nologin. Better to use /nonexistent. Or you can add something like
/usr/bin/true to /etc/shells and use that, if the daemon is picky about the
user having a valid shell.
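The two replies above describe a check an administrator wants to run before handing out mail-only accounts: which shells keep a user out of an interactive login, and which of those shells an IMAP daemon that validates against /etc/shells would still accept. The script below is an added example, not code from the thread or from FreeBSD; the passwd and shells contents are constructed for it, and the set of shells treated as non-interactive is this example's assumption (the two the thread names plus /usr/bin/true and /usr/bin/false).

```python
"""Audit which accounts are interactive and which are mail-only.

Added example, not code from the thread. /sbin/nologin and /nonexistent keep
a user out of an interactive login, but an IMAP daemon that validates the
shell against /etc/shells (the getusershell(3) list) rejects those accounts,
so a mail-only user that must pass such a check needs a harmless shell such
as /usr/bin/true that is also listed in /etc/shells.
"""
from dataclasses import dataclass

# Constructed sample data; the accounts and paths are not from any real system.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob (mail only):/home/bob:/sbin/nologin
carol:*:1003:1003:Carol (mail only):/nonexistent:/nonexistent
dave:*:1004:1004:Dave (mail only):/home/dave:/usr/bin/true
"""

SAMPLE_SHELLS = """\
# /etc/shells: list of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/usr/bin/true
"""

# Assumption of this example: shells that refuse a session or exit at once,
# so an account using one of them cannot be used interactively.
NON_INTERACTIVE_SHELLS = {"/sbin/nologin", "/nonexistent", "/usr/bin/true", "/usr/bin/false"}


@dataclass
class AccountStatus:
    user: str
    shell: str
    interactive: bool     # could obtain a working login session
    shell_listed: bool    # shell appears in /etc/shells, so a picky daemon accepts it


def parse_shells(text):
    """Set of shells listed in /etc/shells; blank lines and # comments are ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def classify(passwd_text, shells_text):
    """Map user name -> AccountStatus for every seven-field passwd line."""
    listed = parse_shells(shells_text)
    statuses = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user = fields[0]
        shell = fields[6] or "/bin/sh"   # an empty shell field means /bin/sh
        statuses[user] = AccountStatus(
            user=user,
            shell=shell,
            interactive=shell not in NON_INTERACTIVE_SHELLS,
            shell_listed=shell in listed,
        )
    return statuses


def mail_only_rejected_by_shell_check(statuses):
    """Mail-only accounts that a daemon insisting on a listed shell would refuse."""
    return sorted(s.user for s in statuses.values()
                  if not s.interactive and not s.shell_listed)


def mail_only_accepted(statuses):
    """Mail-only accounts whose shell is listed, so they pass such a check."""
    return sorted(s.user for s in statuses.values()
                  if not s.interactive and s.shell_listed)


if __name__ == "__main__":
    st = classify(SAMPLE_PASSWD, SAMPLE_SHELLS)
    for s in st.values():
        kind = "interactive" if s.interactive else "mail-only"
        note = "" if s.shell_listed else " (shell not in /etc/shells)"
        print(f"{s.user:8} {s.shell:16} {kind}{note}")
    print("rejected by a shell-checking daemon:", mail_only_rejected_by_shell_check(st))
```

On the sample data, bob and carol are locked out of interactive logins but would be refused by a daemon that checks /etc/shells, while dave (with /usr/bin/true listed there) is mail-only and passes the check, which is the trade-off dmp describes.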
From owner-freebsd-security Sun Jun 17 13:48:33 2001
From: "Marcel Dijk"
To: "Crist Clark"
Cc: "Evren Yurtesen", "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", "Jason DiCioccio"
Subject: Re: IPFW almost works now -> stateful rules
Date: Sun, 17 Jun 2001 22:47:59 +0200
Message-ID: <013401c0f76e$cbc8c690$0900a8c0@windows>

> > > # Just pass ICMP
> > > add 700 allow icmp from MY_IP to any out via ed0
> > > # Allow ping replies and requests, and various error messages
> > > add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> > > # Pass everything on private LAN (do we have another interface?
> > > # Otherwise, these rules are dangerous)
> > > add 1000 allow ip from 192.168.0.0/16 to any
>
> Sorry. I should have mentioned I wrote those off the top of my head.
> I didn't pull them from a working firewall, and I did not test them.

You were almost correct; there was one error which I have now ironed out.

> Of course, if you used the exact rules above, your NAT problem is
> probably very simple... I didn't put in a divert(4) rule. ;) I'd
> slip in,
>
> add divert natd ip from any to any via ed0
>
> Between the two '400' rules above (which I also misnumbered in my haste).

I did that but it still didn't work. But that wasn't the reason; there was a
problem in rules #1000 & #1100. I figured it out and now it works perfectly.

I want to thank everyone for their help. Specifically Crist Clark, he gave me
help that made it work. I was working on it for days and read quite a bit of
articles and it still didn't work as it should, and now it does. Thanks.

For those interested, here's the final working ruleset:

# Pass loopback traffic
add 100 allow ip from any to any via lo0
# Protect loopback address
add 200 deny log ip from 127.0.0.0/8 to any
add 300 deny log ip from any to 127.0.0.0/8
# Block spoofs
# add 400 deny log ip from EXTERNAL_IP to any in via ed0
# Enable NATD
add 425 divert 8668 ip from any to any via ed0
# Check dynamic rules
add 450 check-state
# Make dynamic entries for all outgoing traffic
add 500 allow log tcp from EXTERNAL_IP to any keep-state out
add 600 allow log udp from EXTERNAL_IP to any keep-state out
# Services we offer to the world
add 650 allow log tcp from any to EXTERNAL_IP 22,5617,10000 keep-state in
# Just pass ICMP
add 700 allow log icmp from EXTERNAL_IP to any out
# Allow ping replies and requests, and various error messages
add 800 allow log icmp from any to EXTERNAL_IP in # icmptypes 0,3,8,11,12
# Pass everything on private LAN (do we have another interface?
# Otherwise, these rules are dangerous)
add 1000 allow log all from 192.168.0.0/16 to any
add 1100 allow log all from any to 192.168.0.0/16
# Log the rejects that have fallen through
add 65000 deny log ip from any to any

Marcel

From owner-freebsd-security Mon Jun 18 6:35: 5 2001
From: Brian Somers
To: Cy Schubert - ITSD Open Systems Group
Cc: "default013 - subscriptions", freebsd-security@FreeBSD.org, jedgar@fxp.org, brian@Awfulhak.org, freebsd-current@FreeBSD.org
Subject: Re: trouble with glob patch (ftp exploit)
Date: Mon, 18 Jun 2001 14:34:53 +0100
Message-Id: <200106181334.f5IDYrh04150@hak.lan.Awfulhak.org>

> In message , "default013 - subscriptions" writes:
> > Hi, thanks for the tip, but I attempted the new instructions and got this
> > error...
> > It seemed like it went a bit farther but...
> >
> > [/usr/src/lib/libc]# make all install
> > Warning: Object directory not changed from original /usr/src/lib/libc
> > cc -pg -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_Mo
> > cc: Internal compiler error: program cc1 got fatal signal 11
> > *** Error code 1
> >
> > Stop in /usr/src/lib/libc.
> > [/usr/src/lib/libc]# cd /usr/src/libexec/ftpd
> > [/usr/src/libexec/ftpd]# make all install
> > Warning: Object directory not changed from original /usr/src/libexec/ftpd
> > cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -I/usr/src/libexec/ftpd/../../contrib-cc
> > cc: Internal compiler error: program cc1 got fatal signal 11
> > *** Error code 1
> >
> > Stop in /usr/src/libexec/ftpd.
>
> Looks like some kind of hardware problem; memory, CPU, MB. Also make
> sure that your case is being sufficiently cooled and that the CPU fan
> is not plugged with dust.

I'm not convinced that this is the problem - not with -current at the moment
anyway.

I have a machine here that's been seeing sig 11 quite a bit during buildworld
recently. I get them regularly (almost always during a buildworld on an empty
/usr/obj), but if I boot from a kernel from May 23, a full buildworld works
fine -- every time. Note that this is with an identical compiler etc (just a
reboot with an old kernel).

I haven't tried to track the problem down because of the relatively long
period after May 25 when nothing worked...

> Regards,                       Phone: (250)387-8437
> Cy Schubert                    Fax:   (250)387-5766
> Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

--
Brian

Don't _EVER_ lose your sense of humour !
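Returning to the ipfw thread above: Marcel's final ruleset is worth reading with a linter's eye, because the comment he kept on rules 1000 and 1100 ("Otherwise, these rules are dangerous") points at exactly the kind of mistake a script can catch. The following is an added example, not code from the thread or from FreeBSD. It takes the final ruleset from Marcel's message as its input and checks three properties: the divert rule is numbered before check-state and before the first keep-state rule, the ruleset ends in a logged deny-all, and no allow rule touching private (RFC 1918) address space is left without an interface binding (`via`, `recv` or `xmit` are real ipfw keywords; the checks and their wording are this example's own).

```python
"""Lint an ipfw(8) ruleset written in the `add N action ...` syntax.

Added example; not code from the thread or from FreeBSD. FINAL_RULESET is the
working ruleset Marcel posted, copied here as input. Without an interface
binding, rules 1000 and 1100 also match a packet that arrives on the external
interface carrying a forged 192.168.x.x address, which is the risk his
comment names.
"""
import ipaddress
from dataclasses import dataclass

FINAL_RULESET = """\
# Pass loopback traffic
add 100 allow ip from any to any via lo0
# Protect loopback address
add 200 deny log ip from 127.0.0.0/8 to any
add 300 deny log ip from any to 127.0.0.0/8
# Block spoofs
# add 400 deny log ip from EXTERNAL_IP to any in via ed0
# Enable NATD
add 425 divert 8668 ip from any to any via ed0
# Check dynamic rules
add 450 check-state
# Make dynamic entries for all outgoing traffic
add 500 allow log tcp from EXTERNAL_IP to any keep-state out
add 600 allow log udp from EXTERNAL_IP to any keep-state out
# Services we offer to the world
add 650 allow log tcp from any to EXTERNAL_IP 22,5617,10000 keep-state in
# Just pass ICMP
add 700 allow log icmp from EXTERNAL_IP to any out
# Allow ping replies and requests, and various error messages
add 800 allow log icmp from any to EXTERNAL_IP in # icmptypes 0,3,8,11,12
# Pass everything on private LAN (do we have another interface?
# Otherwise, these rules are dangerous)
add 1000 allow log all from 192.168.0.0/16 to any
add 1100 allow log all from any to 192.168.0.0/16
# Log the rejects that have fallen through
add 65000 deny log ip from any to any
"""


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    bound: bool        # names an interface with via / recv / xmit
    keep_state: bool
    logged: bool


def parse_ruleset(text):
    """Parse `add` lines into Rule objects; comments, trailing ones too, are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] != "add":
            continue
        number, action, body = int(tok[1]), tok[2], tok[3:]
        if action == "divert":          # the divert port follows the action
            body = body[1:]
        logged = bool(body) and body[0] == "log"
        if logged:
            body = body[1:]
        proto = body[0] if body else ""
        src = body[body.index("from") + 1] if "from" in body else "any"
        dst = body[body.index("to") + 1] if "to" in body else "any"
        bound = any(t in ("via", "recv", "xmit") for t in body)
        rules.append(Rule(number, action, proto, src, dst, bound,
                          "keep-state" in body, logged))
    return rules


def _is_private(spec):
    """True for private/loopback networks; symbolic names such as `any` are False."""
    try:
        return ipaddress.ip_network(spec, strict=False).is_private
    except ValueError:
        return False


def unbound_private_allows(rules):
    """Numbers of allow rules touching private address space with no interface binding."""
    return [r.number for r in rules
            if r.action == "allow" and not r.bound
            and (_is_private(r.src) or _is_private(r.dst))]


def nat_before_state(rules):
    """divert must precede check-state, which must precede the first keep-state rule."""
    divert = [r.number for r in rules if r.action == "divert"]
    check = [r.number for r in rules if r.action == "check-state"]
    keep = [r.number for r in rules if r.keep_state]
    return bool(divert and check and keep) and max(divert) < min(check) < min(keep)


def ends_with_logged_deny(rules):
    """The highest-numbered rule should be `deny log ... from any to any`."""
    last = max(rules, key=lambda r: r.number)
    return last.action == "deny" and last.logged and last.src == "any" and last.dst == "any"


def lint(text):
    """Human-readable findings; an empty list means all three checks passed."""
    rules = parse_ruleset(text)
    findings = []
    if not nat_before_state(rules):
        findings.append("divert / check-state / keep-state rules are out of order")
    if not ends_with_logged_deny(rules):
        findings.append("ruleset does not end in a logged deny-all")
    for n in unbound_private_allows(rules):
        findings.append(f"rule {n} allows private address space with no interface binding")
    return findings


if __name__ == "__main__":
    for finding in lint(FINAL_RULESET) or ["no findings"]:
        print(finding)
```

Run against Marcel's ruleset it reports only rules 1000 and 1100, the two his own comment flags; the ordering and default-deny checks pass. Binding those two rules to the LAN interface, as the comment suggests, makes the report empty.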
From owner-freebsd-security Mon Jun 18 7:30:53 2001
From: Randy Smith
To: freebsd-isp@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Require IPsec for NFS
Date: Mon, 18 Jun 2001 08:30:57 -0600
Message-ID: <3B2E10A1.5000302@amigo.net>

Hi all,

I have a server that I want to mirror. I'm using NFS to connect the primary
server to the mirror. The mirror is the NFS server and the primary server is
the only IP address allowed to connect to portmap in /etc/hosts.allow. In
order to prevent IP spoofing attacks against NFS, I have IPsec set up between
the hosts to authenticate the packets. That seems to prevent IP spoofing.

I want to know if it is possible to require all NFS connections to use IPsec,
or is this setup a reasonable way to protect NFS?
--
Randy Smith
Amigo.Net Systems Administrator
1-719-589-6100 x 4185
http://www.amigo.net/

From owner-freebsd-security Mon Jun 18 8:10:39 2001
From: Randy Smith
To: anderson@centtech.com
Cc: freebsd-isp, freebsd-security
Subject: Re: Require IPsec for NFS
Date: Mon, 18 Jun 2001 09:10:33 -0600
Message-ID: <3B2E19E9.9020100@amigo.net>

Eric Anderson wrote:
> When adding your spd's, you can restrict to port numbers and ip
> addresses.
> Check out 'man setkey', and look for 'dst_range'. That should get you
> started.

I'm currently set up to encrypt all traffic between the two hosts. I want to
make sure that if a cracker gets past the protection from hosts.allow, he
still has to deal with the IPsec to hijack/screw with the connection.

Thanks for the response.

Randy

> Eric
>
> Randy Smith wrote:
>
>> Hi all,
>>
>> I have a server that I want to mirror. I'm using NFS to connect the
>> primary server to the mirror.
>> The mirror is the NFS server and the
>> primary server is the only IP address allowed to connect to portmap in
>> /etc/hosts.allow. In order to prevent IP spoofing attacks against NFS, I
>> have IPsec set up between the hosts to authenticate the packets. That
>> seems to prevent IP spoofing.
>>
>> I want to know if it is possible to require all NFS connections to use
>> IPsec or is this setup a reasonable way to protect NFS?
>>
>> --
>> Randy Smith
>> Amigo.Net Systems Administrator
>> 1-719-589-6100 x 4185
>> http://www.amigo.net/

From owner-freebsd-security Mon Jun 18 10:24:48 2001
From: Cy Schubert - ITSD Open Systems Group
To: "Sam Leffler"
Cc: "Cy Schubert - ITSD Open Systems Group", "Sheldon Hearn", freebsd-security@FreeBSD.ORG
Subject: Re: tripwire
Date: Mon, 18 Jun 2001 10:21:05 -0700
Message-Id: <200106181722.f5IHM4T15927@cwsys.cwsent.com>

Tripwire has released the source on sourceforge. In discussions with
TripwireSecurity, when my employer purchased the commercial version I was
told that their intention was to release the source because it might
generate more interest in the commercial product.

Regards,                       Phone: (250)387-8437
Cy Schubert                    Fax:   (250)387-5766
Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message <0a6301c0f41d$0fb78c10$24a6d4d1@melange>, "Sam Leffler" writes:
> I thought 2.3.1 was proprietary and source was not available. I'd never
> have run it in linux emulation mode if I'd located the source...
>
> Sam
>
> ----- Original Message -----
> From: "Cy Schubert - ITSD Open Systems Group"
> To: "Sheldon Hearn"
> Cc: "Sam Leffler" ;
> Sent: Wednesday, June 13, 2001 6:22 AM
> Subject: Re: tripwire
>
> > In message <68633.992422998@axl.seasidesoftware.co.za>, Sheldon Hearn
> > writes:
> > > On Tue, 12 Jun 2001 21:44:37 MST, "Sam Leffler" wrote:
> > >
> > > > Do folks use tripwire or is there a preferred alternative? The LGPL
> > > > Linux 2.2.1 version works fine in compatibility mode under 4.3-R
> > > > (after a little tweaking to get it installed).
> > >
> > > You can use a native version, as built from the ports tree:
> > >
> > > /path/to/ports/tripwire
> > > /path/to/ports/tripwire-131
> > >
> > > It works very well for many people. Reading the accompanying
> > > documentation is worthwhile.
> >
> > I'm currently working on a tripwire-231 port. It compiles and runs on
> > FreeBSD using native FreeBSD binaries. I'm about 30% complete on a
> > FreeBSD-specific policy file. The policy file shipped with the source
> > is RedHat-specific: Many binaries that exist on RedHat do not exist on
> > FreeBSD and vice versa. Also many binaries on RedHat that reside in
> > /bin, /sbin, and /lib reside in /usr/bin, /usr/sbin, and /usr/lib. I
> > must say that I'm discovering some of the esoteric bits and pieces of
> > both RedHat and FreeBSD in the translation process.
> >
> > If people want, I could shortcut the whole process by creating a
> > generic policy file similar to the generic nature of the tripwire-131
> > policy file. This would give us a tripwire-231 port now and an updated
> > tripwire-231 port with a FreeBSD-specific policy file later when I've
> > completed building the FreeBSD policy file. If people see value in
> > this, I will do it.
> >
> > Regards,                       Phone: (250)387-8437
> > Cy Schubert                    Fax:   (250)387-5766
> > Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
> > Open Systems Group, ITSD, ISTA
> > Province of BC

From owner-freebsd-security Mon Jun 18 10:50:21 2001
From: Eric Anderson
Reply-To: anderson@centtech.com
To: Randy Smith
Cc: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Require IPsec for NFS
Date: Mon, 18 Jun 2001 09:48:58 -0500
Message-ID: <3B2E14DA.C2819177@centtech.com>

When adding your spd's, you can restrict to port numbers and ip addresses.
Check out 'man setkey', and look for 'dst_range'. That should get you
started.

Eric

Randy Smith wrote:
>
> Hi all,
>
> I have a server that I want to mirror.
> I'm using NFS to connect the
> primary server to the mirror. The mirror is the NFS server and the
> primary server is the only IP address allowed to connect to portmap in
> /etc/hosts.allow. In order to prevent IP spoofing attacks against NFS, I
> have IPsec set up between the hosts to authenticate the packets. That
> seems to prevent IP spoofing.
>
> I want to know if it is possible to require all NFS connections to use
> IPsec or is this setup a reasonable way to protect NFS?
>
> --
> Randy Smith
> Amigo.Net Systems Administrator
> 1-719-589-6100 x 4185
> http://www.amigo.net/

--
-------------------------------------------------------------------------------
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 18 11:34:28 2001
From: Chris Kesler
To: freebsd-security@FreeBSD.ORG
Subject: ipnat.conf oddity
Date: Mon, 18 Jun 2001 13:34:13 -0500 (CDT)

This is my current ipnat.conf file.
map vx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
map vx0 192.168.1.0/24 -> 0/32

Notice that the address to the right of the -> is 0. I discovered by accident
that this configuration works on my system. I'm using ipnat and ipf on
4.3-RELEASE.

I couldn't find any docs describing why this config works. I have a cable
modem connection, and the DHCP-assigned IP address changes once in a while. I
wonder if this is a feature intended to allow me to continue to forward
packets after my address changes. Or is it a bad idea to run the box this
way?

From owner-freebsd-security Mon Jun 18 11:41: 2 2001
From: Chris Faulhaber
To: Chris Kesler
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat.conf oddity
Date: Mon, 18 Jun 2001 14:40:58 -0400
Message-ID: <20010618144057.B72197@peitho.fxp.org>

On Mon, Jun 18, 2001 at 01:34:13PM -0500, Chris Kesler wrote:
>
> This is my current ipnat.conf file.
>
> map vx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
> map vx0 192.168.1.0/24 -> 0/32
>
> Notice that the address to the right of the -> is 0. I discovered by
> accident that this configuration works on my system. I'm using ipnat and
> ipf on 4.3-RELEASE.
>
> I couldn't find any docs describing why this config works. I have a cable
> modem connection, and the DHCP-assigned IP address changes once in a
> while. I wonder if this is a feature intended to allow me to continue to
> forward packets after my address changes. Or is it a bad idea to run the
> box this way?
>

See http://www.obfuscation.org/ipf/ipf-howto.txt

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Mon Jun 18 11:41:25 2001
From: "Thomas T. Veldhouse"
To: "Chris Kesler"
Subject: Re: ipnat.conf oddity
Date: Mon, 18 Jun 2001 13:40:56 -0500
Message-ID: <001301c0f826$37aec460$3028680a@tgt.com>

I believe it is intended to be that way. It takes the address of the
interface you specified.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Chris Kesler"
Sent: Monday, June 18, 2001 1:34 PM
Subject: ipnat.conf oddity

> This is my current ipnat.conf file.
>
> map vx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
> map vx0 192.168.1.0/24 -> 0/32
>
> Notice that the address to the right of the -> is 0. I discovered by
> accident that this configuration works on my system. I'm using ipnat and
> ipf on 4.3-RELEASE.
>
> I couldn't find any docs describing why this config works. I have a cable
> modem connection, and the DHCP-assigned IP address changes once in a
> while. I wonder if this is a feature intended to allow me to continue to
> forward packets after my address changes. Or is it a bad idea to run the
> box this way?
From owner-freebsd-security Mon Jun 18 12:23:13 2001
From: Jason DiCioccio
To: 'Sheldon Hearn', George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: RE: Controlling imap access
Date: Mon, 18 Jun 2001 12:23:00 -0700
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D996@goofy.epylon.lan>

I use cyrus+sasl.. separate user db for imap/pop3/smtp AUTH

Cheers,
-JD-

-----Original Message-----
From: Sheldon Hearn [mailto:sheldonh@starjuice.net]
Sent: Sunday, June 17, 2001 1:45 AM
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Controlling imap access

On Fri, 15 Jun 2001 13:54:32 EST, George.Giles@mcmail.vanderbilt.edu wrote:

> Is there a way using pam to have a user authenticate for imap
> access, but be unable to login?

You don't need PAM for this. Set the user's shell to /sbin/nologin.

Ciao,
Sheldon.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOy5V4lCmU62pemyaEQJLHwCgoYUqX2fDtkcLgVYjE1y+anvKtZEAoO/H DGbEslFTnAghJq3UElz7MNtt =Ks9X -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 18 12:49:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 005A737B401; Mon, 18 Jun 2001 12:49:55 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GF55QF00.7IO; Mon, 18 Jun 2001 12:49:27 -0700 Message-ID: <3B2E5B60.9405FDE3@globalstar.com> Date: Mon, 18 Jun 2001 12:49:52 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Brad Huntting Cc: Dima Dorfman , freebsd-gnats-submit@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: misc/28188: Cron is being started to early in /etc/rc (potential security hole) References: <200106162306.f5GN6Xx45201@hunkular.glarp.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brad Huntting wrote: > > > But you are right of course, the most secure way to go is raise > > securelevel as early as possible in the boot sequence (although > > off of the top of my head, I can't think of anything besides cron(8) > > that would run non-"trusted" code).[...] 
>
> Sendmail (runs programs specified in .forward files), inetd (ftp,
> telnet, etc) sshd (user shells), httpd (cgi-bin's).... Cron's
> @reboot is just the easiest one to exploit.

Right, those others would be some pretty tough races to win.

But anyway, I had a look at the -STABLE rc scripts to see what is what. As for Dima's original question about the feasibility, IMHO, it will take a lot of work to do this. Rearranging the current startup so that securelevel can be raised earlier will _probably_ not be a huge problem. However, for -STABLE, I would expect we would want to do _a lot_ of testing to verify that rearranging something minor like the rc-scripts does not break anything before it goes prime time. That's the easy part.

The harder part will be designing a new mechanism for local rc-scripts (hard as in "bikeshed alert"). It is quite feasible the local admin might have some scripts that need to run before securelevel is notched up, while most scripts do not. At present, all scripts in /usr/local/etc/rc.d, and the other local scripts, are run at once. Do we make a new directory for pre-securelevel scripts (won't break stuff, but might not appeal to many people's aesthetics)? Have a naming convention in rc.d (different aesthetic problems and possible back-compatibility issues)?

Anyway, if we are to do this, this is how I would see partitioning things:

  Basic Startup (mounting filesystems, bringing up interfaces and network, etc.)
  Pre-Securelevel Daemons in Standard Startup
  Pre-Securelevel Daemons in Local Startup
  Raise Securelevel
  Post-Securelevel Daemons in Standard Startup
  Post-Securelevel Daemons in Local Startup

I say "daemons" above since that is the most common thing, but it can be other code as well.

One other thing that I noticed: the log_in_vain sysctl(8)s are not set until wa-ay at the end. I thought that this might be a problem since I presumed that the log_in_vain's were CTLFLAG_SECURE. However, they are not.
Nor could I find any network related sysctl's that were. In fact,

  # cd /usr/src
  # fgrep -r 'CTLFLAG_SECURE' .
  ./sys/kern/kern_sysctl.c:           ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0)))
  ./sys/sys/sysctl.h:#define CTLFLAG_SECURE      0x08000000      /* Permit set only if securelevel<=0 */
  #

Am I not looking in the right place? I sure thought that there are some sysctl's that are locked at elevated securelevel.

[Insert here the usual disclaimer that securelevel(8) is lame and will someday be replaced by real MAC extensions to the OS so do not sweat the details of securelevel(8) too much.]

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
From: "default013 - subscriptions"
Date: Tue, 19 Jun 2001 02:11:01 -0500
Subject: IPFW newbie

Hi,

I'm about to compile IPFW into the kernel for the first time... and just had a quick question... also, if anyone has any tips I would appreciate it. (This is going to be used on a webserver that runs everything from apache to shoutcast...)

I am going to compile it in using this option:

  options IPFIREWALL_VERBOSE_LIMIT=10

My question is, I connect to my box using an SSH session. The default for IPFW is not to accept connections, correct? So after my machine reboots with these new rules in place, will I have to set the IPFW rules in place so that I can once again open an SSH session to it again? Or how does that work...
Thanks

Jordan

From: Neil Fryer
Date: Tue, 19 Jun 2001 09:15:11 +0200
Subject: Re: IPFW newbie

'ello again

Ok, if you have a look at LINT, there's something in there that says add an entry to rc.conf, something along the lines of FIREWALL_TYPE=open, or something like that, and then when you reboot you'll be allowed access. You can then just remove this option when all your rules are in place.

Alternatively, you could write some rules to allow you to ssh into your box, and save them in a script, and then in /etc/defaults/rc.conf, set the file for ipfw to read, and then voila!

Cheers

Neil Fryer
neilf@mip.co.za

On Tue, 19 Jun 2001, default013 - subscriptions wrote:
> Hi,
>
> I'm about to compile IPFW into the kernel for the first time... and just had
> a quick question... also, if anyone has any tips I would appreciate it.
> (this is going to be used on a webserver that runs everything from apache to
> shoutcast...)
>
> I am going to compile it in using this option:
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> My question is, I connect to my box using an SSH session. The default for
> IPFW is not to accept connections correct? So after my machine reboots with
> these new rules in place, will I have to set the IPFW rules in place so that
> I can once again open an SSH session to it again? Or how does that work...
>
> Thanks
>
> Jordan

--
"Against stupidity, even the Gods struggle in vain." - Friedrich von Schiller

From: "default013 - subscriptions"
Date: Tue, 19 Jun 2001 02:32:21 -0500
Subject: question about glob patch (ftp exploit)

Hi again,

(thanks for the help with the last one, one more...
:)

Okay, I attempted to set up the patch for the glob ftp exploit and it failed when I tried to make/install it... I got various responses regarding why this happened, and the one that makes the most sense to me is that it will probably work if I just make buildworld instead.

My question is... I am on a FreeBSD 4.1 box... does the output of this patching look normal? I would have assumed it to patch a bit cleaner... I'm just a little afraid that maybe the patch didn't take right for some reason... (I did follow the current instructions from the security advisory.)

Thanks again.

  [/usr/src]# patch -p < /usr/home/default/patches/glob.4.x.patch
  Hmm...  Looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |Index: include/glob.h
  |===================================================================
  |RCS file: /home/ncvs/src/include/glob.h,v
  |--- include/glob.h      1998/02/25 02:15:59     1.3
  |+++ include/glob.h      2001/03/21 14:33:56     1.3.6.1
  --------------------------
  Patching file include/glob.h using Plan A...
  Hunk #1 succeeded at 77.
  Hmm...  The next patch looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |Index: lib/libc/gen/glob.c
  |===================================================================
  |RCS file: /home/ncvs/src/lib/libc/gen/glob.c,v
  |--- lib/libc/gen/glob.c 1998/02/20 07:54:56     1.11
  |+++ lib/libc/gen/glob.c 2001/04/07 21:00:20
  --------------------------
  Patching file lib/libc/gen/glob.c using Plan A...
  Hunk #1 succeeded at 129.
  Hunk #2 succeeded at 137.
  Hunk #3 succeeded at 158.
  Hunk #4 succeeded at 168.
  Hunk #5 succeeded at 197.
  Hunk #6 succeeded at 207.
  Hunk #7 succeeded at 233.
  Hunk #8 succeeded at 274.
  Hunk #9 succeeded at 321.
  Hunk #10 succeeded at 415.
  Hunk #11 succeeded at 480.
  Hunk #12 succeeded at 493.
  Hunk #13 succeeded at 508.
  Hunk #14 succeeded at 528.
  Hunk #15 succeeded at 552.
  Hunk #16 succeeded at 567.
  Hunk #17 succeeded at 606.
  Hunk #18 succeeded at 636.
  Hunk #19 succeeded at 674.
  Hunk #20 succeeded at 710.
  Hunk #21 succeeded at 791.
  Hunk #22 succeeded at 804.
  Hunk #23 succeeded at 823.
  Hunk #24 succeeded at 840.
  Hunk #25 succeeded at 860.
  Hmm...  The next patch looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |Index: libexec/ftpd/popen.c
  |===================================================================
  |RCS file: /home/ncvs/src/libexec/ftpd/popen.c,v
  |--- libexec/ftpd/popen.c        2000/09/20 09:57:58     1.18.2.1
  |+++ libexec/ftpd/popen.c        2001/04/07 21:08:09
  --------------------------
  Patching file libexec/ftpd/popen.c using Plan A...
  Hunk #1 succeeded at 107.
  Hmm...  The next patch looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |===================================================================
  |RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
  |--- libexec/ftpd/ftpd.c 2001/03/11 13:20:44     1.73
  |+++ libexec/ftpd/ftpd.c 2001/03/19 19:11:00
  --------------------------
  Patching file libexec/ftpd/ftpd.c using Plan A...
  Hunk #1 succeeded at 186 (offset -3 lines).
  Hunk #2 succeeded at 2611 (offset -17 lines).
  Hmm...  The next patch looks like a unified diff to me...
  The text leading up to this was:
  --------------------------
  |===================================================================
  |RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v
  |--- libexec/ftpd/ftpcmd.y       2001/04/16 22:20:26     1.23
  |+++ libexec/ftpd/ftpcmd.y       2001/04/17 03:03:45
  --------------------------
  Patching file libexec/ftpd/ftpcmd.y using Plan A...
  Hunk #1 succeeded at 133 with fuzz 2 (offset -5 lines).
  Hunk #2 succeeded at 461 (offset -14 lines).
  Hunk #3 succeeded at 910 (offset -31 lines).
  Hunk #4 succeeded at 1008 (offset -33 lines).
  done

From: richard harris
Date: Tue, 19 Jun 2001 01:55:47 -0700 (PDT)
Subject: single user

Hi...
I prevent booting FreeBSD into the single user mode with this path:

in /etc/ttys:
  #
  # This entry needed for asking password when init goes to single-user mode
  # If you want to be asked for password, change "secure" to "insecure" here
  console none                            unknown off secure

but unfortunately right now I have forgotten my root password, so what can I do?
From: "Sergey N. Voronkov"
Date: Tue, 19 Jun 2001 15:03:10 +0600
Subject: Re: single user

On Tue, Jun 19, 2001 at 01:55:47AM -0700, richard harris wrote:
> Hi...
> I prevent booting FreeBSD into the single user mode
> with this path:
>
> in /etc/ttys:
> #
> # This entry needed for asking password when init goes to single-user mode
> # If you want to be asked for password, change "secure" to "insecure" here
> console none                            unknown off secure
>
> but unfortunately right now I have forgotten my root password,
> so what can I do?

Hi!

Boot from fixit disk (doesn't matter which version you have).
Mount your root partition (rw) and edit /etc/ttys.

Bye,
Serg N. Voronkov.

From: Sheldon Hearn
Date: Tue, 19 Jun 2001 11:07:57 +0200
Subject: Re: single user

On Tue, 19 Jun 2001 01:55:47 MST, richard harris wrote:

> but unfortunately right now I have forgotten my root password,
> so what can I do?

You'll have to boot off stiffies or CDROM and edit the ttys file on your box's root filesystem.

Marking the console secure effectively limits root access to those who a) have the root password and remote console or console access, or b) have console access.

Ciao,
Sheldon.
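As an added check for the /etc/ttys entry this thread turns on (example code, not from any of the posts; the sample file below is constructed), the following parses ttys(5) lines, reports whether init(8) will ask for the root password before single-user mode, and flips the console flag the way the quoted comment describes:

```python
"""Check and rewrite the console entry of a FreeBSD /etc/ttys file.

Added example, not code from the thread: it applies the rule stated in the
quoted ttys comment, that init(8) prompts for the root password before
single-user mode only when the console entry is marked "insecure".
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

# Constructed sample, shaped like the FreeBSD 4.x default file.
SAMPLE_TTYS = """\
# name  getty                           type    status  comments
#
# This entry needed for asking password when init goes to single-user mode
# If you want to be asked for password, change "secure" to "insecure" here
console none                            unknown off secure
#
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  off secure
ttyp0   none                            network
"""


@dataclass
class TtyEntry:
    name: str
    getty: str
    type: str
    status: str
    flags: List[str] = field(default_factory=list)

    @property
    def secure(self) -> bool:
        # The flag column is optional; only the literal word "secure" sets it.
        return "secure" in self.flags


def parse_ttys(text: str) -> List[TtyEntry]:
    """Parse ttys(5) lines: name, getty (may be quoted), type, status, flags."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError(f"malformed ttys line: {raw!r}")
        # Pseudo-ttys such as "ttyp0 none network" carry no status column.
        status = fields[3] if len(fields) > 3 else "off"
        entries.append(TtyEntry(fields[0], fields[1], fields[2], status, fields[4:]))
    return entries


def single_user_asks_password(text: str) -> bool:
    """True when init(8) will demand the root password before single-user
    mode, i.e. a console entry exists and lacks the "secure" flag."""
    for entry in parse_ttys(text):
        if entry.name == "console":
            return not entry.secure
    return False  # assumption: no console entry behaves like "secure"


def set_console_flag(text: str, secure: bool) -> str:
    """Return the file text with the console entry flagged "secure" or
    "insecure"; every other line keeps its exact spacing and comments."""
    wanted = "secure" if secure else "insecure"
    out = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0]
        if body.split()[:1] == ["console"]:
            new, n = re.subn(r"\b(secure|insecure)\b", wanted, body, count=1)
            if n == 0:  # no flag at all: append one
                new = body.rstrip() + " " + wanted
            raw = new + raw[len(body):]  # re-attach any trailing comment
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    verdict = single_user_asks_password(SAMPLE_TTYS)
    print("single-user mode asks for root password:", verdict)
```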
From: "Sergey N. Voronkov"
Date: Tue, 19 Jun 2001 15:22:38 +0600
Subject: Re: single user

On Tue, Jun 19, 2001 at 02:07:28AM -0700, richard harris wrote:
> > Boot from fixit disk (doesn't matter which version
> > you have).
> > Mount your root partition (rw) and edit /etc/ttys.
> [skip]
> But the problem is right now I can't get to root, so
> what can I do to get my root (password root)
>

1) Take a local copy of kern.flp, mfsroot.flp, fixit.flp (f.e.
   from: ftp://ftp.de.freebsd.org/pub/FreeBSD/releases/i386/4.3-RELEASE/floppies)
2) Make three disks (read README.TXT in directory above)
3) Boot from kernel & mfsroot floppies. (Previously setting your computer to boot from it, if you have this option disabled by default)
4) Choose "Fixit" and insert fixit disk.
5) Mount your root partition using shell prompt (I don't remember exactly where you can get it... Try to use Alt-F?)
   Ex.: mount /dev/ad0s3a /mnt
6) Edit your /mnt/etc/ttys.
7) umount /mnt
8) Remove floppy and boot single user...
9) vipw ;-))

Best Regards,
Sergey N. Voronkov.

From: "Karsten W. Rohrbach"
Date: Tue, 19 Jun 2001 11:41:42 +0200
Subject: Re: ipnat.conf oddity
Chris Kesler(chris@pconline.com)@2001.06.18 13:34:13 +0000:
> This is my current ipnat.conf file.
>
> map vx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
> map vx0 192.168.1.0/24 -> 0/32
>
> Notice that the address to the right of the -> is 0. I discovered by
> accident that this configuration works on my system. I'm using ipnat and
> ipf on 4.3-RELEASE.
>
> I couldn't find any docs describing why this config works. I have a cable
> modem connection, and the DHCP-assigned IP address changes once in a
> while. I wonder if this is a feature intended to allow me to continue to
> forward packets after my address changes. Or is it a bad idea to run the
> box this way?

i think it's exactly what you are looking for with a dialup connection. 0/0 expands to "world", the whole net, and 0/32 expands to the interface ip that might get configured dynamically, so this is probably what you want, since your ip address can change when your lease expires in dhcp.

/k
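To make the 0/32 behaviour concrete, here is an added Python model of the two map rules quoted above (example code, not from the thread or from IPFilter; the interface addresses 203.0.113.x and the packets are constructed). It assumes ipnat's documented first-match order and that a rule carrying "portmap tcp/udp" only matches those two protocols, so other traffic such as ICMP falls through to the second rule:

```python
"""Model of how the two ipnat `map` rules quoted above behave, resolving
`0/32` to the outbound interface's *current* address each time a new
connection is translated.

Added example, not code from the thread or from IPFilter itself; the
interface addresses and packets used here are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two rules from Chris Kesler's ipnat.conf.
IPNAT_CONF = """\
map vx0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
map vx0 192.168.1.0/24 -> 0/32
"""


@dataclass
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    target: str                     # "0/32" = use the interface address
    protos: Tuple[str, ...] = ()    # portmap protocols; () = no portmap
    port_lo: int = 0
    port_hi: int = 0


def parse_ipnat(text: str) -> List[MapRule]:
    """Parse `map IFACE SRC -> TARGET [portmap PROTO/PROTO LO:HI]` lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if len(tok) < 5 or tok[0] != "map" or tok[3] != "->":
            raise ValueError(f"unsupported ipnat rule: {line!r}")
        rule = MapRule(tok[1], ipaddress.ip_network(tok[2], strict=False), tok[4])
        if len(tok) > 5:
            if tok[5] != "portmap" or len(tok) != 8:
                raise ValueError(f"unsupported ipnat rule: {line!r}")
            rule.protos = tuple(tok[6].split("/"))
            lo, hi = tok[7].split(":")
            rule.port_lo, rule.port_hi = int(lo), int(hi)
        rules.append(rule)
    return rules


class Nat:
    """First-matching-rule source NAT for new outbound connections."""

    def __init__(self, rules: List[MapRule], iface_addrs: Dict[str, str]):
        self.rules = rules
        self.iface_addrs = {i: ipaddress.ip_address(a) for i, a in iface_addrs.items()}
        self._next_port: Dict[int, int] = {}   # per-rule portmap allocator

    def set_address(self, iface: str, addr: str) -> None:
        """A new DHCP lease: only the interface address changes, not the rules."""
        self.iface_addrs[iface] = ipaddress.ip_address(addr)

    def translate(self, iface: str, proto: str, src_ip: str,
                  src_port: int) -> Optional[Tuple[str, int]]:
        """Return (new source address, new source port) for a new connection,
        or None when no map rule applies and the packet leaves untranslated."""
        src = ipaddress.ip_address(src_ip)
        for idx, rule in enumerate(self.rules):
            if rule.iface != iface or src not in rule.src:
                continue
            if rule.protos and proto not in rule.protos:
                continue          # portmap rule: only its listed protocols
            if rule.protos:
                port = self._next_port.get(idx, rule.port_lo)
                if port > rule.port_hi:
                    raise RuntimeError("portmap range exhausted")
                self._next_port[idx] = port + 1
            else:
                port = src_port   # no portmap: keep the source port / id
            return str(self._target(rule, iface)), port
        return None

    def _target(self, rule: MapRule, iface: str) -> ipaddress.IPv4Address:
        if rule.target == "0/32":
            # Looked up per connection, so a lease change is picked up
            # without reloading ipnat.conf.
            return self.iface_addrs[iface]
        return ipaddress.ip_network(rule.target, strict=False).network_address


if __name__ == "__main__":
    nat = Nat(parse_ipnat(IPNAT_CONF), {"vx0": "203.0.113.10"})
    print(nat.translate("vx0", "tcp", "192.168.1.5", 40000))
    nat.set_address("vx0", "203.0.113.77")   # lease renewed, address changed
    print(nat.translate("vx0", "tcp", "192.168.1.5", 40001))
```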
From: "Karsten W. Rohrbach"
Date: Tue, 19 Jun 2001 11:47:27 +0200
Subject: Re: IPFW newbie
how about

  options IPFILTER
  options IPFILTER_LOG

in the kernel config and

  ipfilter_enable=YES
  ipfilter_flags=""
  ipmon_enable=YES

in /etc/rc.conf and

  pass in quick on INT proto tcp from ADM to SRV port = 22

as the first rule in /etc/ipf.rules where

  INT = interface name (fxp0, tx0, ...)
  ADM = ip of the workstation you want to log in from
  SRV = ip of your server the firewall runs on

this gives you a dumbfire non-lockout rule regardless of the rest of the filter rules...

/k

default013 - subscriptions(default013subscriptions@hotmail.com)@2001.06.19 02:11:01 +0000:
> Hi,
>
> I'm about to compile IPFW into the kernel for the first time... and just had
> a quick question... also, if anyone has any tips I would appreciate it.
> (this is going to be used on a webserver that runs everything from apache to
> shoutcast...)
>
> I am going to compile it in using this option:
> options IPFIREWALL_VERBOSE_LIMIT=10
>
> My question is, I connect to my box using an SSH session. The default for
> IPFW is not to accept connections correct?
> So after my machine reboots with
> these new rules in place, will I have to set the IPFW rules in place so that
> I can once again open an SSH session to it again? Or how does that work...
>
> Thanks
>
> Jordan

From: "Nickolay A. Kritsky"
Date: Tue, 19 Jun 2001 13:56:25 +0400
Subject: Re: IPFW newbie
The easiest way is:

  # echo 'firewall_enable="YES"' >>/etc/rc.conf
  # echo 'firewall_type="OPEN"' >>/etc/rc.conf

After installing the new kernel this will result in the following set of rules (this is tested on 4.2, but should not differ for other versions):

  # ipfw list
  00100 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  65000 allow ip from any to any
  65535 deny ip from any to any

Now you can connect to your box via SSH and continue firewall setup.

But WARNING! Learning ipfw without direct access to the server is, IMHO, very unhealthy. IMHO, it sucks! I am an IPFW newbie myself and had some sad experience with remote firewall setup ;-) . At least you must have a remote reboot-knob which does not rely on IP (like a very very long broomstick mounted to the RESET key :-) ).

Good Luck!

NKritsky
SysAdmin InternetHelp.Ru
http://www.internethelp.ru
e-mail: nkritsky@internethelp.ru

-----Original Message-----
From: default013 - subscriptions
Date: 19 June 2001 11:11
Subject: IPFW newbie

>Hi,
>
>I'm about to compile IPFW into the kernel for the first time... and just had
>a quick question... also, if anyone has any tips I would appreciate it.
>(this is going to be used on a webserver that runs everything from apache to
>shoutcast...)
>
>I am going to compile it in using this option:
>options IPFIREWALL_VERBOSE_LIMIT=10
>
>My question is, I connect to my box using an SSH session.
>The default for
>IPFW is not to accept connections correct? So after my machine reboots with
>these new rules in place, will I have to set the IPFW rules in place so that
>I can once again open an SSH session to it again? Or how does that work...
>
>Thanks
>
>Jordan

From: Peter Pentchev
Date: Tue, 19 Jun 2001 14:10:02 +0300
Subject: Re: question about glob patch (ftp exploit)

On Tue, Jun 19, 2001 at 02:32:21AM -0500, default013 - subscriptions wrote:
> Hi again,
>
> (thanks for the help with the last one, one more... :)
>
> Okay, I attempted to setup the patch for the glob ftp exploit and it failed
> when I tried to make/install it...
> I got various responses regarding why
> this happened, and the one that makes the most sense to me is that it will
> probably work if I just make buildworld instead.
>
> My question is... I am on a FreeBSD 4.1 box... does the output of this
> patching look normal? I would have assumed it to patch a bit cleaner... I'm
> just a little afraid that maybe the patch didn't take right for some
> reason... (I did follow the current instructions from the security advisory.
> Thanks again.

Since there were no rejected chunks, yes, it did patch cleanly. The offsets were the result of lines added/removed from the files in question between 4.1 and 4.3. There was even one chunk which applied with a 'fuzz' (one or more context lines were not exactly the same), but apparently the rest of the context was the same, and the lines changed were exactly the same, so there's no cause for alarm.

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

From: "Thomas T. Veldhouse"
Date: Tue, 19 Jun 2001 08:50:00 -0500
Subject: Re: IPFW newbie
Veldhouse" To: "default013 - subscriptions" , References: Subject: Re: IPFW newbie Date: Tue, 19 Jun 2001 08:50:00 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You will want to override the rules in /etc/defaults/rc.conf so that your firewall is enabled. I then suggest you write your own firewall script (in /etc/rc.conf, firewall_script="/etc/my.firewall.script") and setup the rules you want. Read through the existing /etc/rc.firewall script and you will learn a lot. Then use the manpage for ipfw and you will learn a lot more. Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "default013 - subscriptions" To: Sent: Tuesday, June 19, 2001 2:11 AM Subject: IPFW newbie > Hi, > > I'm about to compile IPFW into the kernel for the first time... and just had > a quick question... also, if anyone has any tips I would appreciate it. > (this is going to be used on a webserver that runs everything from apache to > shoutcast...) > > I am going to compile it in using this option: > options IPFIREWALL_VERBOSE_LIMIT=10 > > My question is, I connect to my box using an SSH session. The default for > IPFW is not to accept connections correct? So after my machine reboots with > these new rules in place, will I have to set the IPFW rules in place so that > I can once again open an SSH session to it again? Or how does that work... 
> >
> > Thanks
> >
> > Jordan

From owner-freebsd-security Tue Jun 19 7: 1:24 2001
From: yosino takahiro
To: freebsd-security@FreeBSD.ORG
Reply-To: yosino@cm24.net
Organization: SOIYAA
Date: Tue, 19 Jun 2001 23:05:46 +0000
Message-Id: <20010619230546.271b603c.yosino@cm24.net>

auth 8e1c23fd unsubscribe freebsd-security yosino@cm24.net

From owner-freebsd-security Tue Jun 19 7:49: 4 2001
From: Matt Piechota
To: richard harris
Subject: Re: single user
Date: Tue, 19 Jun 2001 10:48:50 -0400 (EDT)
In-Reply-To: <20010619085547.74733.qmail@web11906.mail.yahoo.com>
Message-ID: <20010619104734.O31675-100000@cithaeron.argolis.org>

On Tue, 19 Jun 2001, richard harris wrote:

> in /etc/ttys:
> #
> # This entry needed for asking password when init goes to single-user mode
> # If you want to be asked for password, change "secure" to "insecure" here
> console none unknown off secure
>
> but unfortunately right now I forgot my root password,
> so what can I do??????

Boot off of a FreeBSD CD/Floppy into rescue mode and mount up the partition.
You can then edit /etc/master.passwd and such to fix root's password.
--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Tue Jun 19 9:22:31 2001
From: Igor Roshchin
To: freebsd-security@FreeBSD.ORG
Subject: /etc/defaults/rc.conf (Was: IPFW newbie)
Date: Tue, 19 Jun 2001 12:22:26 -0400 (EDT)
In-Reply-To: <0106190918132R.00481@xyberpix.mip.co.za>
Message-Id: <200106191622.MAA66100@giganda.komkon.org>

> From: "Thomas T. Veldhouse"
> Subject: Re: IPFW newbie
> Date: Tue, 19 Jun 2001 08:50:00 -0500
>
> You will want to override the rules in /etc/defaults/rc.conf so that your
> firewall is enabled. I then suggest you write your own firewall script (in
> /etc/rc.conf, firewall_script="/etc/my.firewall.script") and set up the rules
> you want. Read through the existing /etc/rc.firewall script and you will
> learn a lot. Then use the manpage for ipfw and you will learn a lot more.
> <..>

> From: Neil Fryer
> Subject: Re: IPFW newbie
> Date: Tue, 19 Jun 2001 09:15:11 +0200
> <..>
>
> Alternatively, you could write some rules to allow you to ssh into your box,
> and save them in a script, and then in /etc/defaults/rc.conf, set the file for
> ipfw to read, and then voila!
> <..>

I am surprised to see that two people in a row gave advice suggesting
to edit /etc/defaults/rc.conf.
IIRC, /etc/defaults was introduced as a nice instrument for having
_default_ settings in one directory, and changes to them in a standard file
in /etc. (An approach used on other systems (e.g. Irix) even earlier.)
IMHO, this makes it much easier to do system upgrades.

So, IMHO, the Good Thing is to add lines from the files in /etc/defaults/*
to the corresponding files in /etc/.
Below are the quotes from the man pages and the handbook recommending
this style.

rc.conf(5) says:

     The /etc/rc.conf file is included from the file /etc/defaults/rc.conf,
     which specifies the default settings for all the available options.
     Options need only be specified in /etc/rc.conf when the system
     administrator wishes to override these defaults.

Similarly the handbook says about /etc/defaults/make.conf:

     19.4.2. Check /etc/make.conf

     Examine the files /etc/defaults/make.conf and /etc/make.conf. The first
     contains some default defines - most of which are commented out. To make
     use of them when you rebuild your system from source, add them to
     /etc/make.conf.
Best,
Igor

From owner-freebsd-security Tue Jun 19 9:41:18 2001
From: Peter Pentchev
To: Igor Roshchin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /etc/defaults/rc.conf (Was: IPFW newbie)
Date: Tue, 19 Jun 2001 19:39:41 +0300
In-Reply-To: <200106191622.MAA66100@giganda.komkon.org>
Message-ID: <20010619193941.A944@ringworld.oblivion.bg>

On Tue, Jun 19, 2001 at 12:22:26PM -0400, Igor Roshchin wrote:
>
> I am surprised to see that two people in a row gave advice suggesting
> to edit /etc/defaults/rc.conf.
> IIRC, /etc/defaults was introduced as a nice instrument for having
> _default_ settings in one directory, and changes to them in a standard file
> in /etc. (An approach used on other systems (e.g. Irix) even earlier.)
> IMHO, this makes it much easier to do system upgrades.
>
> So, IMHO, the Good Thing is to add lines from the files in /etc/defaults/*
> to the corresponding files in /etc/.
> Below are the quotes from the man pages and the handbook recommending
> this style.

Absolutely. Never touch anything in /etc/defaults.
Whatever you want to change, change it in /etc.

For this particular case, all that's needed is:

echo 'firewall_enable="YES"' >> /etc/rc.conf
echo 'firewall_type="open"' >> /etc/rc.conf

Note the double '>' there - it tells the shell to add to that file if it
exists, and not to replace it with just those lines.

G'luck,
Peter

--
This sentence no verb.

From owner-freebsd-security Tue Jun 19 11:13:46 2001
From: "Antoine Beaupre (LMC)"
To: Igor Roshchin
Cc: freebsd-security@FreeBSD.ORG
Subject: Read-only /etc/defaults/* (was: Re: /etc/defaults/rc.conf (Was: IPFW newbie))
Date: Tue, 19 Jun 2001 14:13:28 -0400
Organization: LMC, Ericsson Research Canada
References: <200106191622.MAA66100@giganda.komkon.org>
Message-ID: <3B2F9648.3030007@lmc.ericsson.se>

Igor Roshchin wrote:

> I am surprised to see that two people in a row gave advice suggesting
> to edit /etc/defaults/rc.conf.
> IIRC, /etc/defaults was introduced as a nice instrument for having
> _default_ settings in one directory, and changes to them in a standard file
> in /etc. (An approach used on other systems (e.g. Irix) even earlier.)
> IMHO, this makes it much easier to do system upgrades.
>
> So, IMHO, the Good Thing is to add lines from the files in /etc/defaults/*
> to the corresponding files in /etc/.

Yes, definitely. I think we should consider the possibility of having
/etc/defaults/* files read-only to "encourage" this behavior.

A.
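As an added example (not code from anyone in this thread), here is a small POSIX sh helper that applies an override the way rc.conf(5) describes: in /etc/rc.conf, never under /etc/defaults. It serves both Tom's firewall_script suggestion and Peter's echo lines, but replaces an existing assignment in place so that repeated runs do not leave duplicate lines behind. The function names, the scratch-file demo and the idea of passing the file as a parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from anyone in this thread: set an rc.conf override
# in /etc/rc.conf (or a scratch copy), never in /etc/defaults/.  The file
# is a parameter so the helper can be tried on a temporary file first.

# rc_set FILE NAME VALUE
#   Ensure FILE contains exactly one active line NAME="VALUE".  An existing
#   assignment is replaced in place; otherwise the line is appended, which
#   is the >> behaviour from the thread without the risk of duplicates.
#   Returns 1 and changes nothing if FILE lives under /etc/defaults.
rc_set() {
    file=$1 name=$2 value=$3
    case "$file" in
        /etc/defaults/*)
            echo "rc_set: refusing to edit $file; override it in /etc/rc.conf instead" >&2
            return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        # Replace the existing assignment; a temp file keeps the edit atomic.
        tmp=$(mktemp "${file}.XXXXXX") || return 1
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# rc_get FILE NAME
#   Print the value of NAME from FILE (last active assignment wins, as it
#   would when the file is sourced), or nothing if it is unset.
rc_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Demonstration on a scratch file: enable ipfw with the "open" ruleset as in
# Peter's lines, then point firewall_script at a custom script as Tom suggested.
demo() {
    f=$(mktemp /tmp/rc.conf.XXXXXX)
    rc_set "$f" firewall_enable YES
    rc_set "$f" firewall_type open
    rc_set "$f" firewall_type open          # second call must not duplicate
    rc_set "$f" firewall_script /etc/my.firewall.script
    cat "$f"
    rm -f "$f"
}
```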
--
Antoine Beaupré
LMC/K TCM team

From owner-freebsd-security Tue Jun 19 13:45:54 2001
From: "Serhat Selahattin Umar"
Subject: How can i disable ctrl+alt+del keyboard function on freebsd 4.3
Date: Tue, 19 Jun 2001 23:45:16 +0300
Message-ID: <002001c0f900$c8b31670$c80f150a@tornado>

Hi,

How can I disable the ctrl+alt+del keyboard function on FreeBSD 4.3?
Thanks
Serhat

From owner-freebsd-security Tue Jun 19 13:55:41 2001
From: Ben Eisenbraun
To: Serhat Selahattin Umar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How can i disable ctrl+alt+del keyboard function on freebsd 4.3
Date: Tue, 19 Jun 2001 16:55:14 -0400
In-Reply-To: <002001c0f900$c8b31670$c80f150a@tornado>
Message-ID: <20010619165514.F13834@klatsch.org>

On Tue, Jun 19, 2001 at 11:45:16PM +0300, Serhat Selahattin Umar wrote:
>
> How can i disable ctrl+alt+del keyboard function on freebsd 4.3 ?
From LINT:

options         SC_DISABLE_REBOOT       # disable reboot key sequence

-ben

From owner-freebsd-security Tue Jun 19 13:57:47 2001
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Reply-To: freebsd-security@freebsd.org
Subject: Re: How can i disable ctrl+alt+del keyboard function on freebsd 4.3
Date: Tue, 19 Jun 2001 16:57:43 -0400
In-Reply-To: <002001c0f900$c8b31670$c80f150a@tornado>
Message-ID: <20010619165743.D29312@pir.net>

Serhat Selahattin Umar probably said:
> How can i disable ctrl+alt+del keyboard function on freebsd 4.3 ?

Kernel option;

options         SC_DISABLE_REBOOT       # disable reboot key sequence

or edit the keymap to remove the binding.

P.
--
pir                  pir@pir.net                    pir@net.tufts.edu

From owner-freebsd-security Tue Jun 19 14:31:24 2001
From: Peter Jeremy
To: Serhat Selahattin Umar
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How can i disable ctrl+alt+del keyboard function on freebsd 4.3
Date: Wed, 20 Jun 2001 07:31:09 +1000
In-reply-to: <002001c0f900$c8b31670$c80f150a@tornado>
Message-id: <20010620073109.Q95583@gsmx07.alcatel.com.au>

On 2001-Jun-19 23:45:16 +0300, Serhat Selahattin Umar wrote:
>How can i disable ctrl+alt+del keyboard function on freebsd 4.3 ?
You have two choices:
1) Build/install/run a new kernel with "options SC_DISABLE_REBOOT"
2) Install a new keymap with CtrlAltDel mapped to something other than
   'boot', 'halt' or 'pdwn'.  See kbdmap(1), kbdmap(5) and
   /usr/share/syscons/keymaps/* for details.

Peter

From owner-freebsd-security Wed Jun 20 3:19: 7 2001
From: "Serhat Selahattin Umar"
References: <002001c0f900$c8b31670$c80f150a@tornado>
Subject: Re: How can i disable ctrl+alt+del keyboard function on freebsd 4.3
Date: Wed, 20 Jun 2001 13:18:15 +0300
Message-ID: <0b8901c0f972$5b0276d0$c80f150a@tornado>

I added the SC_DISABLE_REBOOT option to the kernel config and recompiled the
kernel; now ctrl+alt+del is disabled.

Thanks for all the answers
Serhat

> Hi,
>
> How can i disable ctrl+alt+del keyboard function on freebsd 4.3 ?
>
> Thanks
> Serhat

From owner-freebsd-security Wed Jun 20 9:39: 9 2001
From: "Magdalinin Kirill"
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: server stopped responding
Date: Wed, 20 Jun 2001 20:39:00 +0400

Hello,

I have a 4.1 Release box that today suddenly stopped responding
except for the ping command. I could not connect to it via http,
ssh, ftp or telnet. Then it was rebooted by our hosting engineer
and then I found just a few clues in the logs.

last shows that

some_login ftp xxx.xxx.xxx.xxx Wed Jun 20 16:06 - crash(02:26)

which was the last record before it was rebooted.

no errors in /var/log/messages

apache caught a couple of errors before it stopped responding:

(54)Connection reset by peer: getsockname

Does anyone have any explanations or ideas what it was?
What else should I look for?
Please, send a copy to my email address.
Thanks in advance,

Kirill Magdalinin
magcyril@hotmail.com

From owner-freebsd-security Wed Jun 20 9:54:33 2001
From: "Marcel Dijk"
Subject: should I upgrade
Date: Wed, 20 Jun 2001 18:54:14 +0200
Message-ID: <040a01c0f9a9$a3f22ac0$0900a8c0@windows>

Hello,

What are the criteria for upgrading my 4.2 to 4.3? Why should I or shouldn't
I upgrade?
TIA,

Marcel

From owner-freebsd-security Wed Jun 20 9:54:43 2001
From: "Marcel Dijk"
Subject: should I upgrade
Date: Wed, 20 Jun 2001 18:54:20 +0200
Message-ID: <041001c0f9a9$a7827d70$0900a8c0@windows>

Hello,

What are the criteria for upgrading my 4.2 to 4.3? Why should I or shouldn't
I upgrade?
TIA,

Marcel

From owner-freebsd-security Wed Jun 20 9:58:28 2001
From: Sheldon Hearn
To: "Marcel Dijk"
Cc: freebsd-security@freebsd.org
Subject: Re: should I upgrade
Date: Wed, 20 Jun 2001 18:58:26 +0200
In-reply-to: Your message of "Wed, 20 Jun 2001 18:54:20 +0200." <041001c0f9a9$a7827d70$0900a8c0@windows>
Message-ID: <43371.993056306@axl.seasidesoftware.co.za>

On Wed, 20 Jun 2001 18:54:20 +0200, "Marcel Dijk" wrote:

> What are the criteria for upgrading my 4.2 to 4.3? Why should I or shouldn't
> I upgrade?

See src/UPDATING from the 4.3-STABLE sources and check out the release
notes for 4.3-RELEASE.

Ciao,
Sheldon.
From owner-freebsd-security Wed Jun 20 10:17: 0 2001
From: "Fernando P . Schapachnik"
To: Magdalinin Kirill
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: server stopped responding
Date: Wed, 20 Jun 2001 14:17:17 -0300
Message-ID: <20010620141717.I25436@ns1.via-net-works.net.ar>

In an earlier message, Magdalinin Kirill wrote:
> Hello,
>
> I have 4.1 Release box that today suddenly stopped responding
> except for ping command. I could not connect to it via http,
> ssh, ftp or telnet. Then it was rebooted by our hosting engineer
> and then I found just a few clues in the logs.
>
> last shows that
>
> some_login ftp xxx.xxx.xxx.xxx Wed Jun 20 16:06 - crash(02:26)

Make sure you are up to date with patches, especially the glob-ftp one.
This looks like it might be related.

Good luck!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed Jun 20 11: 5:52 2001
From: Mike Tancsa
To: Robert, freebsd-stable@FreeBSD.ORG
Cc: security@FreeBSD.ORG
Subject: Re: Expiry Field Broken on ftp and ssh
Date: Wed, 20 Jun 2001 13:59:37 -0400
In-Reply-To: <5.1.0.14.0.20010620111103.02676080@marble.sentex.ca>
Message-Id: <5.1.0.14.0.20010620135628.0226f450@marble.sentex.ca>

There looks to be a PR about this from 1995, but I don't think it's all
accurate, as I don't see this problem on RELENG_3. Does anyone know off hand
where this got broken? I am cc'ing security, as this is a security issue, no?

        ---Mike

At 11:23 AM 6/20/01 -0400, Mike Tancsa wrote:
>Hmmm, it seems to be that way for some time now :-(  A snapshot I have
>from May 21st is similarly hosed.
>
>For telnet, it works, however, ssh and ftp let the account in unhindered.
>
>        ---Mike
>
>
>
>At 11:13 AM 6/20/01 -0400, Robert wrote:
>>It seems as if the expiry field no longer "Expires" accounts.
>>
>>Does anyone know what has happened?
From owner-freebsd-security Wed Jun 20 11:11:41 2001
From: Spades
To: freebsd-security@freebsd.org
Subject: SRA login
Date: Thu, 21 Jun 2001 02:25:35 +0800
Message-Id: <3.0.32.20010621022535.02718c34@smtp.magix.com.sg>

How can we disable 'root' from being able to telnet in via SRA login on
4.3-S?

Thanks.
From owner-freebsd-security Wed Jun 20 14:23:27 2001
From: Tim Zingelman
Date: Wed, 20 Jun 2001 16:23:21 -0500 (CDT)
Subject: grep in /etc/security

On several of our 4.3-RELEASE machines, we have been getting the following
in the security check output:

x.y.z login failures:
Binary file (standard input) matches

I tracked this down to the output from this:

catmsgs() {
	find $LOG -name 'messages.*' -mtime -2 |
	    sort -t. -r -n +1 -2 |
	    xargs zcat -f
	[ -f $LOG/messages ] && cat $LOG/messages
}

inside /etc/security, the output of which sometimes has embedded nulls.
So later this:

n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)

returns "Binary file (standard input) matches" instead of the matches.

Adding -a to the grep returns the expected matches.

Has anyone else seen this? Should I submit a PR, or is there a good
reason not to use 'grep -ai' here?

- Tim

From owner-freebsd-security Wed Jun 20 15:13:45 2001
From: faSty
To: freebsd-security@freebsd.org
Date: Wed, 20 Jun 2001 15:20:23 -0700
Subject: need help filter this stupid virus. Sendmail didn't stop this.

Hi there,

I need help. I tried a filter on Sendmail to reject or discard when it
matches "From:hahaha@sexyfun.net", but it doesn't seem to succeed in
stopping these stupid virus emails, and they keep coming back like every
2 or 3 days.

Here is the full email header.

From MAILER-DAEMON Wed Jun 20 14:50:40 2001
Return-Path:
Received: from oemcomputer (mewi1pool0-a3.midway.tds.net [208.166.196.132])
	by i-sphere.com (8.11.3/8.11.3) with SMTP id f5KLoPT19225
	for ; Wed, 20 Jun 2001 14:50:26 -0700 (PDT)
Date: Wed, 20 Jun 2001 14:50:26 -0700 (PDT)
Message-Id: <200106202150.f5KLoPT19225@i-sphere.com>
From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VE1EZOLMJK92BC9UN"
To: undisclosed-recipients:;
Status: RO
Content-Length: 31647
Lines: 422

-- /etc/mail/access --

From:hahaha@sexyfun.net	DISCARD
hahaha@sexyfun.net	DISCARD

-- end snip --

I searched www.google.com (search engine) for a solution for the FreeBSD
sendmail filter on hahaha@sexyfun.net. I found most talk about procmail,
but it looks like the FreeBSD sendmail isn't procmail based.

HELP!

-trev

From owner-freebsd-security Wed Jun 20 15:35:14 2001
From: Erick Mechler
To: faSty
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 15:35:07 -0700
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

You don't need the from. For example, try this:

[emechler@lucifer ~]$ cat /etc/mail/access
hahaha@sexyfun.net	REJECT

(you can't use DISCARD unless you've defined your discard mailer).
REJECT works across the board.

Also, you might want to try this if you don't like the generic error
message REJECT will return:

hahaha@sexyfun.net	ERROR:"550: I don't want your stupid virus"

If you want to use the access.db at all, you also need to make sure that
you have the following in your .mc file:

FEATURE(`access_db')dnl

Read /usr/src/contrib/sendmail/cf/README for more information on any of
the stuff I've mentioned.

--Erick

From owner-freebsd-security Wed Jun 20 15:41: 3 2001
From: Olivier Nicole
To: spades@galaxynet.org
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 21 Jun 2001 05:40:49 +0700 (ICT)
Subject: Re: SRA login

>How can we disable 'root' from being able to telnet into
>via SRA login 4.3-S

In /etc/inetd.conf you have some option to specify to telnetd (-x?) to
disable SRA.
Olivier

From owner-freebsd-security Wed Jun 20 15:47:30 2001
From: "Fernando P. Schapachnik"
To: Erick Mechler
Cc: faSty, freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 19:47:13 -0300
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

In an earlier message, Erick Mechler wrote:
> You don't need the from. For example, try this:
>
> [emechler@lucifer ~]$ cat /etc/mail/access
> hahaha@sexyfun.net	REJECT

It won't work, as the virus uses hahaha@sexyfun.net INSIDE the
message itself and sendmail checks the From field from the envelope,
which in this case is probably <> (empty).

I was about to report it as a bug to sendmail a few days ago, but
then I thought there might be some option to change that behavior or
some valid reason for sendmail to accept an empty mail from:. I
haven't had time to research since then.

Regards.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed Jun 20 15:47:53 2001
From: Olivier Nicole
To: fasty@i-sphere.com
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 21 Jun 2001 05:47:41 +0700 (ICT)
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

> I need help, I tried filter on Sendmail to reject or discard when it
>match "From:hahaha@sexyfun.net" seem not success stop these stupid virus email
>and it kept coming back repeat like every 2 or 3 days.

For detecting viruses, you should only trust an antivirus added to
sendmail. The address is not enough.
I am not sure the sendmail version packaged with FreeBSD is up to date
either. You may need to reinstall it.

Installing and configuring a mail gateway is one of the dirtiest things
on the Internet. You have to spend some time understanding the whole
thing; you cannot efficiently patch a bit here and a bit there.

Olivier

From owner-freebsd-security Wed Jun 20 16:29:34 2001
From: "Bruce M. Walker"
To: "Fernando P. Schapachnik"
Cc: Erick Mechler, faSty, freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 19:29:25 -0400 (EDT)
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

Fernando P. Schapachnik wrote:
> [somebody previously wrote...]
> >
> > You don't need the from. For example, try this:

Actually, you *do*. See below...

> > [emechler@lucifer ~]$ cat /etc/mail/access
> > hahaha@sexyfun.net	REJECT
>
> It won't work, as the virus uses hahaha@sexyfun.net INSIDE the
> message itself and sendmail checks the From field from the envelope,
> which in this case is probably <> (empty).

That's correct.

However, new sendmails can specify header checks. For example, if you
are running FreeBSD 4.3, read /usr/share/sendmail/cf/README and check
around line 1859.

This syntax is supposed to match mail-header From: (or To:) lines...

From:spammer@some.dom	REJECT
To:friend.domain	RELAY

Don't forget to hash the map file after editing /etc/mail/access!
You should be able to simply say "make" in that folder. Or,

makemap hash /etc/mail/access < /etc/mail/access

> I was about to report it as a bug to sendmail a few days ago, but
> then I thought there might be some option to change that behavior or
> some valid reason for sendmail to accept a empty mail from:

There are two very compelling reasons to accept empty envelope-from:

1. mailers send bounce and other internally-created error messages
   with an empty envelope-from. If you don't accept them, you
   will confuse users who will not see bounces.

2. the RFCs say so. See RFC2821 (and RFC821).

Cheers!

-bmw

From owner-freebsd-security Wed Jun 20 16:44: 4 2001
From: faSty
To: "Fernando P. Schapachnik"
Cc: freebsd-security@freebsd.org
Date: Wed, 20 Jun 2001 16:50:47 -0700
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.
I agree, we should report it to sendmail as a bug.

-trev
From owner-freebsd-security Wed Jun 20 16:46:50 2001
From: faSty
To: "Bruce M. Walker"
Cc: freebsd-security@freebsd.org
Date: Wed, 20 Jun 2001 16:53:35 -0700
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

I did use "From:hahaha@sexyfun.net" and it still fails to reject it.

-trev

From owner-freebsd-security Wed Jun 20 16:50:54 2001
From: "Bruce M. Walker"
To: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 19:50:51 -0400 (EDT)
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

Gah! Bad form to reply to my own msg, but I gave bad advice...

Bruce M. Walker wrote:
>
> This syntax is supposed to match mail-header From: (or To:) lines...
>
> From:spammer@some.dom	REJECT
> To:friend.domain	RELAY

I'm way wrong! That just makes the match *specific* to envelope-from or
-to, not internal mail headers.

To add header checks in sendmail, see section "Header Checks" in
/usr/share/sendmail/cf/README. It would look like this:

LOCAL_RULESETS
HFrom: $>CheckFrom

SCheckFrom
R< hahaha @ sexyfun . net >	$#error $: 550 No spam.
R$*				$@ OK

(This is untested!)

That's why most people are using Procmail to handle these cases.

Here's a hint: install Postfix in place of sendmail. You'll find the
header-checks capability is extensive. Stopping this virus is pretty
trivial.
-bmw

From owner-freebsd-security Wed Jun 20 18:18:36 2001
From: Malcolm
Date: Wed, 20 Jun 2001 18:18:33 -0700 (PDT)
Subject: IPFilter and security

Hi folks,

What do we think about installing IPFilter on non-gateway boxes and
using it to block all incoming traffic except for whatever ports we want
to use on our server (e.g., http, ftp)?

Thanks,
Malcolm

From owner-freebsd-security Wed Jun 20 21: 5:44 2001
From: "Sergey N. Voronkov"
To: Malcolm
Cc: freebsd-security@FreeBSD.ORG
Date: Thu, 21 Jun 2001 10:05:38 +0600
Subject: Re: IPFilter and security

On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?
>

Hi!

Go and use it! I have it installed on my servers to limit usage of some
services to only the local network (such as rdump). hosts.allow is also
set to block unwanted connections. I'm going to be a really paranoid one
:-). Also the "keep state" option helps to reduce some really stupid
traffic - like scans on TCP/53 (SA flag set).

Bye,
Serg N. Voronkov.
From owner-freebsd-security Wed Jun 20 21:51:57 2001
From: "Crist J. Clark"
To: Malcolm
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 21:53:00 -0700
Subject: Re: IPFilter and security

On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?

Well, "we" (OK, just me) think that it depends entirely on the purpose
of the box and your local security policies. There is no "right"
answer. But two things to consider:

If you have locked down services on a box and then firewall but allow
access to these services, what are you protecting? What does the
firewall actually do to hamper a remote attacker? It really does not
add anything. However, closing up all services is not as easy as it
sounds, and a firewall is an extra layer of protection against mistakes
in locking them down. IMHO, unless the box is security critical, the
administrative costs of all of the firewalling probably exceed the
security gain for resisting external attack.

However, a firewall in this situation might protect you more from
_local_ users. That is, local users cannot start listening daemons on
high ports on their own. Again, depending on the site policy, this may
be good or bad. If policy is that users are trusted and _should_ be
able to do things like that, firewalling is bad. OTOH, if users are
less trusted and policy forbids these things, firewalling is the best
way to stop it.

$0.02 for ya'.
--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Wed Jun 20 21:57:19 2001
From: "Crist J. Clark"
To: Tim Zingelman
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 20 Jun 2001 21:58:30 -0700
Subject: Re: grep in /etc/security

On Wed, Jun 20, 2001 at 04:23:21PM -0500, Tim Zingelman wrote:
> On several of our 4.3-RELEASE machines, we have been getting the following
> in the security check output:
>
> x.y.z login failures:
> Binary file (standard input) matches

[snip]

> n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
>
> returns "Binary file (standard input) matches" instead of the matches.
>
> Adding -a to the grep, returns the expected matches.
>
> Has anyone else seen this? Should I submit a PR, or is there a good
> reason not to use 'grep -ai' here?

Good catch. We assume that the 'messages' files contain only text. This
is usually the case, but as all of the people who post messages they get
in their logs when people shoot Linux RPC program exploits have shown,
non-text characters can sneak in there.

I'll take care of this if someone else hasn't already.
--
Crist J. Clark                          cjclark@alum.mit.edu

From owner-freebsd-security Wed Jun 20 23:38: 0 2001
From: "Nickolay A. Kritsky"
To: "faSty"
Date: Thu, 21 Jun 2001 10:37:34 +0400
Subject: Re: need help filter this stupid virus. Sendmail didn't stop this.

-----Original Message-----
From: faSty
To: freebsd-security@FreeBSD.ORG
Date: 21 June 2001 2:14
Subject: need help filter this stupid virus. Sendmail didn't stop this.

>Hi there,
>
> I need help, I tried filter on Sendmail to reject or discard when it
>match "From:hahaha@sexyfun.net" seem not success stop these stupid virus email
>and it kept coming back repeat like every 2 or 3 days.
>
>Here the full email header.
>-- end snip --
>
>I searched www.google.com (search engine) find the solution for the FreeBSD
>sendmail's filter on hahaha@sexyfun.net. I found most talk about procmail
>but i looked the FreeBSD sendmail isnt run by procmail based.

I have met such problems recently and tried to use procmail. It is not
installed by default, so you should go to /usr/ports/mail/procmail and
"make" it. AFAIK the default sendmail.cf file uses mail(1) and
mail.local(8) to bring mail to the end user. Thus you have to change
your sendmail.cf file directly (vi /etc/sendmail.cf) or using m4. I am
not so familiar with the .cf file format, so I used the second way.
I changed my main .mc site as follows:

#diff mysite.procmail.mc mysite.local.mc
17c17
< MAILER(procmail)dnl
---
> MAILER(local)dnl
21c21
< FEATURE(local_procmail)dnl
---
> FEATURE(local_lmtp)dnl

Then I created my own /etc/procmailrc file using guidelines from http://www.impsec.org/email-tools/procmail-security.html - I think you should read this document about email security. Everything seems to work, but I strongly recommend you to start changing the default settings ASAP. I will not go deeply into the installation process, because it is not the subject of this thread, but if you are interested in using procmail as an "email-firewall" on FreeBSD, you can always contact me by e-mail. Hope my post has helped you. Good Luck! NKritsky - SysAdmin InternetHelp.Ru http://www.internethelp.ru e-mail: nkritsky@internethelp.ru > >HELP! > >-trev > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 20 23:50: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from web14810.mail.yahoo.com (web14810.mail.yahoo.com [216.136.224.231]) by hub.freebsd.org (Postfix) with SMTP id E693C37B401 for ; Wed, 20 Jun 2001 23:50:03 -0700 (PDT) (envelope-from a_trans2001@yahoo.com) Message-ID: <20010621065003.21247.qmail@web14810.mail.yahoo.com> Received: from [24.248.85.196] by web14810.mail.yahoo.com; Wed, 20 Jun 2001 23:50:03 PDT Date: Wed, 20 Jun 2001 23:50:03 -0700 (PDT) From: La Place Subject: Re: IPFilter and security To: freebsd-security@freebsd.org In-Reply-To: <20010620215300.C740@blossom.cjclark.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You can use ipf to do egress
filtering, kinda a good thing for your network ;). only allow src/dst IPs that you want, reducing spoofed traffic and wasted bandwidth. it is always good to do egress filtering ;)..even @ ur host. bruce\ --- "Crist J. Clark" wrote: > On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote: > > Hi folks, > > What do we think about installing IPFilter on non-gateway boxes > > and using it to block all incoming traffic except for whatever ports > > we want to use on our server (e.g., http, ftp)? > > Well, "we" (OK, just me) think that it depends entirely on the purpose > of the box and your local security policies. There is no "right" > answer. But some two things to consider: > > If you have locked down services on a box and then firewall but allow > access to these services, what are you protecting? What does the > firewall actually do to hamper a remote attacker? It really does not > add anything. However, closing up all services is not as easy as it > sounds and a firewall is an extra layer of protection against mistakes > in locking them down. IMHO, unless the box is security critical, the > administrative costs of all of the firewalling probably exceeds the > security gain for resisting external attack. > > However, a firewall in this situation might protect you more from > _local_ users. That is, local users cannot start listening daemons on > high ports on their own. Again, depending on the site policy, this may > be good or bad. If policy is that users are trusted and _should_ be > able to do things like that, firewalling is bad. OTOH, if users are > less trusted and policy forbids these things, firewalling is the best > way to stop it. > > $0.02 for ya'. > -- > Crist J. Clark cjclark@alum.mit.edu > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! 
http://personal.mail.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 20 23:51: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from web14810.mail.yahoo.com (web14810.mail.yahoo.com [216.136.224.231]) by hub.freebsd.org (Postfix) with SMTP id 0BC1737B406 for ; Wed, 20 Jun 2001 23:51:05 -0700 (PDT) (envelope-from a_trans2001@yahoo.com) Message-ID: <20010621065105.21408.qmail@web14810.mail.yahoo.com> Received: from [24.248.85.196] by web14810.mail.yahoo.com; Wed, 20 Jun 2001 23:51:05 PDT Date: Wed, 20 Jun 2001 23:51:05 -0700 (PDT) From: La Place Subject: Re: IPFilter and security To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You can use ipf to do egress filtering, kinda a good thing for your network ;). only allow src/dst IPs that you want, reducing spoofed traffic and wasted bandwidth. it is always good to do egress filtering ;)..even @ ur host. bruce\ --- "Crist J. Clark" wrote: > On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote: > > Hi folks, > > What do we think about installing IPFilter on non-gateway boxes > > and using it to block all incoming traffic except for whatever ports > > we want to use on our server (e.g., http, ftp)? > > Well, "we" (OK, just me) think that it depends entirely on the purpose > of the box and your local security policies. There is no "right" > answer. But some two things to consider: > > If you have locked down services on a box and then firewall but allow > access to these services, what are you protecting? What does the > firewall actually do to hamper a remote attacker? It really does not > add anything. 
However, closing up all services is not as easy as it > sounds and a firewall is an extra layer of protection against mistakes > in locking them down. IMHO, unless the box is security critical, the > administrative costs of all of the firewalling probably exceeds the > security gain for resisting external attack. > > However, a firewall in this situation might protect you more from > _local_ users. That is, local users cannot start listening daemons on > high ports on their own. Again, depending on the site policy, this may > be good or bad. If policy is that users are trusted and _should_ be > able to do things like that, firewalling is bad. OTOH, if users are > less trusted and policy forbids these things, firewalling is the best > way to stop it. > > $0.02 for ya'. > -- > Crist J. Clark cjclark@alum.mit.edu > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message __________________________________________________ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! 
http://personal.mail.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 20 23:52: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe41.law12.hotmail.com [64.4.18.98]) by hub.freebsd.org (Postfix) with ESMTP id 1B7AB37B401 for ; Wed, 20 Jun 2001 23:52:01 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 20 Jun 2001 23:52:00 -0700 X-Originating-IP: [24.14.93.185] Reply-To: "default013 - subscriptions" From: "default013 - subscriptions" To: Subject: quick natd question Date: Thu, 21 Jun 2001 01:52:29 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Message-ID: X-OriginalArrivalTime: 21 Jun 2001 06:52:00.0849 (UTC) FILETIME=[AC073410:01C0FA1E] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I'm about to setup ipfw for the first time and I've got a few pointers that involve natd. i dont know what natd is ... is someone could give a brief descripton of it it would be helpful... basically this is a standalone webserver, no router or anything... with one ethernet card... i just want to be able to block any ports besides the ones i use and block certain ip addresses... 
thanks, Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 0: 1: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from alpha.focalnetworks.net (alpha.focalnetworks.net [209.135.104.32]) by hub.freebsd.org (Postfix) with SMTP id A5EFF37B401 for ; Thu, 21 Jun 2001 00:01:00 -0700 (PDT) (envelope-from project10@alpha.focalnetworks.net) Received: (qmail 71190 invoked by uid 1000); 21 Jun 2001 07:03:43 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 21 Jun 2001 07:03:43 -0000 Date: Thu, 21 Jun 2001 03:03:43 -0400 (EDT) From: Shawn Lussier To: default013 - subscriptions Cc: Subject: Re: quick natd question In-Reply-To: Message-ID: <20010621030238.F71176-100000@alpha.focalnetworks.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hey there, 'natd' is a daemon to manage the translation of network addresses -- it does Network Address Translation. In your setup, this isn't necessary. For more information on natd, try 'man natd'. -Shawn On Thu, 21 Jun 2001, default013 - subscriptions wrote: > Hi, > > I'm about to setup ipfw for the first time and I've got a few pointers that > involve natd. i dont know what natd is ... is someone could give a brief > descripton of it it would be helpful... > > basically this is a standalone webserver, no router or anything... with one > ethernet card... i just want to be able to block any ports besides the ones > i use and block certain ip addresses... 
> > thanks, > > Jordan > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 0:11:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.high-tech-communications.com (mail.high-tech-communications.com [216.133.228.90]) by hub.freebsd.org (Postfix) with ESMTP id 2264237B403 for ; Thu, 21 Jun 2001 00:11:37 -0700 (PDT) (envelope-from content-management@mail.high-tech-communications.com) Received: (from content-management@localhost) by mail.high-tech-communications.com (8.11.2/8.11.2) id f5L7Jwl02711; Thu, 21 Jun 2001 00:19:58 -0700 Date: Thu, 21 Jun 2001 00:19:58 -0700 Message-Id: <200106210719.f5L7Jwl02711@mail.high-tech-communications.com> To: freebsd-security@FreeBSD.org From: Victor Black Subject: New web utility Content-Type: text/html; charset=iso-8859-1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I noticed your email address on a list serve related to technology and web development.  With your permission, we
would like to send you information regarding new web tools and utilities based on your interests.  Please click the
following link and opt-in to our product updates and e-newsletter, click here:
http://216.133.228.90/

Cordially,

Victor Black
High-Tech-Communications.com

If you would like to be removed from our database, please click here: http://216.133.228.90/remove.cgi

 

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 0:30:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from moutvdom01.kundenserver.de (moutvdom01.kundenserver.de [195.20.224.200]) by hub.freebsd.org (Postfix) with ESMTP id A61BD37B401 for ; Thu, 21 Jun 2001 00:30:30 -0700 (PDT) (envelope-from ingram@vc-protect.net) Received: from [195.20.224.208] (helo=mrvdom01.schlund.de) by moutvdom01.kundenserver.de with esmtp (Exim 2.12 #2) id 15Cyv7-0005uY-00 for freebsd-security@freebsd.org; Thu, 21 Jun 2001 09:30:29 +0200 Received: from [213.68.209.4] (helo=d01pc174) by mrvdom01.schlund.de with smtp (Exim 2.12 #2) id 15CytT-0007Da-00 for freebsd-security@freebsd.org; Thu, 21 Jun 2001 09:28:47 +0200 Message-ID: <004201c0fa22$e5b880c0$ae02a8c0@d01pc174> From: "Gino Thomas" To: Subject: Increase Time_Wait for IPF? Date: Thu, 21 Jun 2001 09:22:15 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003F_01C0FA33.A9181DE0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org greetings, i've heard that it is possible to increase the Time_Wait delay for "keep state", is someone aware how? Since i use the keep state keyword ipf drops many packets that run into a timeout, so i wanted to raise the value a bit, if possible. regards gt
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 0:35:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from falcon.ripn.net (falcon.ripn.net [194.190.145.10]) by hub.freebsd.org (Postfix) with ESMTP id E5F2037B403 for ; Thu, 21 Jun 2001 00:35:26 -0700 (PDT) (envelope-from abc@falcon.ripn.net) Received: (from abc@localhost) by falcon.ripn.net (8.11.3/8.11.3) id f5LBcHK69568; Thu, 21 Jun 2001 11:38:17 GMT (envelope-from abc) Content-Type: text/plain; charset="koi8-r" From: "Andrey V. Sokolov" Reply-To: abc@falcon.ripn.net Organization: RosNIIROS To: "Gino Thomas" , Subject: Re: Increase Time_Wait for IPF? Date: Thu, 21 Jun 2001 11:38:00 +0000 X-Mailer: KMail [version 1.2] References: <004201c0fa22$e5b880c0$ae02a8c0@d01pc174> In-Reply-To: <004201c0fa22$e5b880c0$ae02a8c0@d01pc174> MIME-Version: 1.0 Message-Id: <01062111380001.69450@falcon.ripn.net> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thursday 21 June 2001 07:22, Gino Thomas wrote: Hi! Try sysctl net.inet.ipf.fr_tcpclosewait and set a new value with sysctl -w > greetings, > > i've heard that it is possible to increase the Time_Wait delay for "keep > state", is someone aware how? Since i use the keep state keyword ipf drops > many packets that run into a timeout, so i wanted to raise the value a bit, > if possible. > > regards > gt -- Andrey V. Sokolov, Russian Institute for Public Networks. E-mail: abc@falcon.ripn.net, Phone: +7 095 333 4112 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 2:35:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id E826837B407 for ; Thu, 21 Jun 2001 02:35:50 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 9946 invoked by uid 1000); 21 Jun 2001 09:34:17 -0000 Date: Thu, 21 Jun 2001 12:34:17 +0300 From: Peter Pentchev To: cjclark@alum.mit.edu Cc: Malcolm , freebsd-security@FreeBSD.ORG Subject: Re: IPFilter and security Message-ID: <20010621123417.D772@ringworld.oblivion.bg> Mail-Followup-To: cjclark@alum.mit.edu, Malcolm , freebsd-security@FreeBSD.ORG References: <20010620215300.C740@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010620215300.C740@blossom.cjclark.org>; from cristjc@earthlink.net on Wed, Jun 20, 2001 at 09:53:00PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 20, 2001 at 09:53:00PM -0700, Crist J. Clark wrote: > On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote: > > Hi folks, > > What do we think about installing IPFilter on non-gateway boxes > > and using it to block all incoming traffic except for whatever ports > > we want to use on our server (e.g., http, ftp)? > > Well, "we" (OK, just me) think that it depends entirely on the purpose > of the box and your local security policies. There is no "right" > answer. But some two things to consider: > > If you have locked down services on a box and then firewall but allow > access to these services, what are you protecting?
What does the > firewall actually do to hamper a remote attacker? It really does not > add anything. However, closing up all services is not as easy as it > sounds and a firewall is an extra layer of protection against mistakes > in locking them down. IMHO, unless the box is security critical, the > administrative costs of all of the firewalling probably exceeds the > security gain for resisting external attack. > > However, a firewall in this situation might protect you more from > _local_ users. That is, local users cannot start listening daemons on > high ports on their own. Again, depending on the site policy, this may > be good or bad. If policy is that users are trusted and _should_ be > able to do things like that, firewalling is bad. OTOH, if users are > less trusted and policy forbids these things, firewalling is the best > way to stop it. Well, there is this little matter of never really being sure you've locked down services on a box.. A firewall might help if a remote user were to suddenly become a local user, in which case the arguments in your last paragraph hold :) G'luck, Peter -- This sentence claims to be an Epimenides paradox, but it is lying. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 3:22:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from apmsun.mpei.ac.ru (apmsun.mpei.ac.ru [193.233.70.4]) by hub.freebsd.org (Postfix) with ESMTP id BFDE737B401 for ; Thu, 21 Jun 2001 03:22:09 -0700 (PDT) (envelope-from Ves@aep.mpei.ac.ru) Received: from aep.mpei.ac.ru (aep.mpei.ac.ru [193.233.70.67]) by apmsun.mpei.ac.ru (8.11.3/8.11.3) with SMTP id f5LALuj29762 for ; Thu, 21 Jun 2001 14:21:56 +0400 (MSD) Received: from 192.168.1.224 (aep215.mpei.ac.ru) by aep.mpei.ac.ru (5.x/SMI-SVR4) id AA11581; Thu, 21 Jun 2001 13:17:03 -0300 Date: Thu, 21 Jun 2001 14:18:13 +0400 From: Mike Veselov X-Mailer: The Bat! 
(v1.49) Personal Reply-To: Mike Veselov X-Priority: 3 (Normal) Message-Id: <15213025659.20010621141813@aep.mpei.ac.ru> To: freebsd-security@FreeBSD.ORG Subject: Natd and icmp packages Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, I have a problem. natd generates a message: "natd: failed to write packet back (Permission denied)". I saw that natd tried to send ICMP packets (answers) to some hosts. I think that natd always tries to send an ICMP answer if it sees a packet for the internal network (unregistered addresses) arriving on the outside interface that has no entry in the internal table. How can I stop natd from sending any ICMP packets? I have another question about natd. What does the option "permanent link" mean? I didn't understand from the manual pages what it is needed for. Many thanks, Mike Veselov.
Ves@aep.mpei.ac.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 3:32: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from mx03.admiral.ne.jp (mx03.admiral.ne.jp [211.10.216.34]) by hub.freebsd.org (Postfix) with SMTP id 7479137B409 for ; Thu, 21 Jun 2001 03:32:03 -0700 (PDT) (envelope-from yosino@cm24.net) Received: (qmail 4358 invoked from network); 21 Jun 2001 19:32:02 +0900 Received: from sagami131123.allnet.ne.jp (HELO sotec.soiyaa.com) (210.251.131.123) by mx03.admiral.ne.jp with SMTP; 21 Jun 2001 19:32:02 +0900 Date: Thu, 21 Jun 2001 19:36:40 +0000 From: yosino takahiro To: freebsd-security@FreeBSD.ORG Message-Id: <20010621193640.77a67cbd.yosino@cm24.net> Reply-To: yosino@cm24.net X-Mailer: Sylpheed version 0.4.66 (GTK+ 1.2.8; i386-unknown-freebsdelf4.2) Organization: SOIYAA Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org auth 5bdd89d0 subscribe freebsd-security yosino@cm24.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 5: 4:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by hub.freebsd.org (Postfix) with ESMTP id 56EB537B406 for ; Thu, 21 Jun 2001 05:04:13 -0700 (PDT) (envelope-from jb@jbacher.com) Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by ns.shawneelink.net (8.10.1/8.10.1) with ESMTP id f5LC3gV24393; Thu, 21 Jun 2001 07:03:42 -0500 (CDT) Date: Thu, 21 Jun 2001 07:03:42 -0500 (CDT) From: J Bacher X-Sender: jb@ns.shawneelink.net To: faSty Cc: "Fernando P . 
Schapachnik" , freebsd-security@FreeBSD.ORG Subject: Re: need help filter this stupid virus. Sendmail didnt stop this. In-Reply-To: <20010620165047.B20771@i-sphere.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I agree, we should report a sendmail bug. > > -trev You might first want to read the RFC regarding mail bounces. It is not a bug. > On Wed, Jun 20, 2001 at 07:47:13PM -0300, Fernando P . Schapachnik wrote: > > In a previous message, Erick Mechler wrote: > > > You don't need the from. For example, try this: > > > > > > [emechler@lucifer ~]$ cat /etc/mail/access > > > hahaha@sexyfun.net	REJECT > > > > It won't work, as the virus uses hahaha@sexyfun.net INSIDE the > > message itself and sendmail checks the From field from the envelope, > > which in this case is probably <> (empty). > > > > I was about to report it as a bug to sendmail a few days ago, but > > then I thought there might be some option to change that behavior or > > some valid reason for sendmail to accept an empty mail from:. I > > haven't had time to research since then. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 5: 8:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from internethelp.ru (wh.internethelp.ru [212.113.112.145]) by hub.freebsd.org (Postfix) with ESMTP id 2600F37B401 for ; Thu, 21 Jun 2001 05:08:22 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from ibmka (ibmka.internethelp.ru.
[192.168.0.6]) by internethelp.ru (8.9.3/8.9.3) with SMTP id QAA12065 for ; Thu, 21 Jun 2001 16:08:18 +0400 (MSD) Message-ID: <015c01c0fa4a$da371220$0600a8c0@ibmka.internethelp.ru> From: "Nickolay A. Kritsky" To: Subject: IPFW logging Date: Thu, 21 Jun 2001 16:08:14 +0400 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all! I am puzzled by one little question: what logging facility does ipfw use and where should I patch it to make it log to some other log facility? I am a newbie to UNIX syslogd and have another question: can I add another log facility to the system? Any help is very welcome. Sorry if I posted in the wrong list.
Good Luck NKritsky - SysAdmin InternetHelp.Ru http://www.internethelp.ru e-mail: nkritsky@internethelp.ru PS: My system is FreeBSD 3.3 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 6: 6:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from joe.pythonvideo.com (joe.pythonvideo.com [216.130.212.49]) by hub.freebsd.org (Postfix) with ESMTP id 16B6A37B412 for ; Thu, 21 Jun 2001 06:06:24 -0700 (PDT) (envelope-from joe@advancewebhosting.com) Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.3/8.11.0) with ESMTP id f5LD7Kt77332; Thu, 21 Jun 2001 09:07:20 -0400 (EDT) (envelope-from joe@advancewebhosting.com) X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs Date: Thu, 21 Jun 2001 09:07:20 -0400 (EDT) From: Joe Oliveiro X-Sender: joe@joe.pythonvideo.com To: Victor Black Cc: freebsd-security@FreeBSD.ORG Subject: Re: New web utility In-Reply-To: <200106210719.f5L7Jwl02711@mail.high-tech-communications.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org WoW!!! You can harvest email addresses.. Loser. On Thu, 21 Jun 2001, Victor Black wrote:
> I noticed your email address on a list serve related to technology and web development.  With your permission, we
> would like to send you information regarding new web tools and utilities based on your interests.  Please click the
> following link and opt-in to our product updates and e-newsletter, click here:
> http://216.133.228.90/
>
> Cordially,
>
> Victor Black
> High-Tech-Communications.com
>
> If you would like to be removed from our database, please click here: http://216.133.228.90/remove.cgi
>
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 6:31:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from virtual-voodoo.com (virtual-voodoo.com [204.120.165.254]) by hub.freebsd.org (Postfix) with ESMTP id 8A77F37B401 for ; Thu, 21 Jun 2001 06:31:25 -0700 (PDT) (envelope-from steve@virtual-voodoo.com) Received: (from steve@localhost) by virtual-voodoo.com (8.11.4/8.11.3) id f5LDVJm52425; Thu, 21 Jun 2001 08:31:19 -0500 (EST) (envelope-from steve) Date: Thu, 21 Jun 2001 08:31:19 -0500 From: Steve Ames To: "Bruce M. Walker" Cc: freebsd-security@FreeBSD.ORG Subject: Re: need help filter this stupid virus. Sendmail didnt stop this. Message-ID: <20010621083119.A73302@virtual-voodoo.com> References: <200106202329.f5KNTPm07958@fusion.borderware.com> <200106202350.f5KNopS18245@fusion.borderware.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200106202350.f5KNopS18245@fusion.borderware.com>; from bmw@borderware.com on Wed, Jun 20, 2001 at 07:50:51PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org http://www.sendmail.net/lovefix.shtml http://www.sendmail.net/lovemorph.shtml On Wed, Jun 20, 2001 at 07:50:51PM -0400, Bruce M. Walker wrote: > Gah! Bad form to reply to my own msg, but I gave bad advice... > > Bruce M. Walker wrote: > > > > This syntax is supposed to match mail-header From: (or To:) lines... > > > > From:spammer@some.dom REJECT > > To:friend.domain RELAY > > I'm way wrong! That just makes the match *specific* to envelope-from > or -to, not internal mail headers. 
>
> To add header checks in sendmail, see section "Header Checks" in
> /usr/share/sendmail/cf/README. It would look like this:
>
> LOCAL_RULESETS
> HFrom: $>CheckFrom
>
> SCheckFrom
> R< hahaha @ sexyfun . net >	$#error $: 550 No spam.
> R$*	$@ OK
>
> (This is untested!)
>
> That's why most people are using Procmail to handle these cases.
>
> Here's a hint: install Postfix in place of sendmail. You'll find
> the header-checks capability is extensive. Stopping this virus is
> pretty trivial.
>
> -bmw
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 21 6:37: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 45ADD37B403 for ; Thu, 21 Jun 2001 06:37:02 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 22110 invoked by uid 1001); 21 Jun 2001 13:38:35 -0000 Message-ID: <20010621133835.22109.qmail@d170h113.resnet.uconn.edu> References: <20010620141717.I25436@ns1.via-net-works.net.ar> In-Reply-To: <20010620141717.I25436@ns1.via-net-works.net.ar> From: "Peter C. Lai" To: "Fernando P . Schapachnik" Cc: Magdalinin Kirill , freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: server stopped responding Date: Thu, 21 Jun 2001 13:38:34 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Fernando P .
Schapachnik writes: > In a previous message, Magdalinin Kirill wrote: >> Hello, >> >> I have a 4.1 Release box that today suddenly stopped responding >> except for the ping command. I could not connect to it via http, >> ssh, ftp or telnet. Then it was rebooted by our hosting engineer >> and then I found just a few clues in the logs. >> >> last shows that >> >> some_login ftp xxx.xxx.xxx.xxx Wed Jun 20 16:06 - crash(02:26) > > Make sure you are up to date with patches, especially the glob-ftp > one. This looks like it might be related. > > Good luck! > > Fernando P. Schapachnik > Network and technology planning > VIA NET.WORKS ARGENTINA S.A. > fschapachnik@vianetworks.com.ar > Tel.: (54-11) 4323-3381 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message were you able to login via the console? several things cause the system to stop responding to everything but ping including, but not limited to, the glob-DoS attack or anything that eats up all the CPU, or you ran out of ram/swap. ----------- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program
http://cowbert.2y.net/

From owner-freebsd-security Thu Jun 21 8:32:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 6694F37B401 for ; Thu, 21 Jun 2001 08:32:06 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (patr530-b019.otenet.gr [195.167.121.147]) by mailsrv.otenet.gr (8.11.1/8.11.1) with ESMTP id f5LFW1S17132; Thu, 21 Jun 2001 18:32:02 +0300 (EEST)
Received: (from charon@localhost) by hades.hell.gr (8.11.4/8.11.3) id f5LF8an11306; Thu, 21 Jun 2001 18:08:36 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Thu, 21 Jun 2001 18:08:35 +0300
From: Giorgos Keramidas
To: faSty
Cc: "Bruce M. Walker" , freebsd-security@FreeBSD.ORG
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Message-ID: <20010621180835.A11041@hades.hell.gr>
References: <20010620194713.A18467@ns1.via-net-works.net.ar> <200106202329.f5KNTPm07958@fusion.borderware.com> <20010620165335.C20771@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010620165335.C20771@i-sphere.com>; from fasty@i-sphere.com on Wed, Jun 20, 2001 at 04:53:35PM -0700
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html

On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
> I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
>
> -trev

Instead of tweaking your sendmail rules, which is somewhat error prone
(unless you really know what you are doing), you could install procmail
and use that as the local delivery agent. Then, a simple filter like:

    :0 H
    * From[: ].*hahaha@.*sex.*$
    /dev/null

put in the proper place (your /usr/local/etc/procmailrc) will filter
out all mail that has either an envelope-from or a header-from
address that matches your rules.

The only problem I can see with this is that you might soon end
up with a huge /usr/local/etc/procmailrc file, instead of a nicer
/etc/mail/access file that blocks spammers.

If you do want to use /etc/mail/access then you should probably do the
extra work it takes to find, from the mail headers, where the mail
comes from.

Then block the mail that comes from that host or domain or provider
and contact the provider's mail admins informing them that you have
blocked the entire domain because spammers use it to abuse your mail
system. A nicely put and carefully worded telephone call, where you
take care not to offend the mail admins themselves, will do wonders..
trust me.

-giorgos

From owner-freebsd-security Thu Jun 21 9:11:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id D0D1D37B403 for ; Thu, 21 Jun 2001 09:11:47 -0700 (PDT) (envelope-from veldy@veldy.net)
Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id E7CB8BAAC; Thu, 21 Jun 2001 11:11:43 -0500 (CDT)
Message-ID: <00ba01c0fa6c$c914a800$3028680a@tgt.com>
From: "Thomas T.
Veldhouse"
To: "Giorgos Keramidas"
Cc:
References: <20010620194713.A18467@ns1.via-net-works.net.ar> <200106202329.f5KNTPm07958@fusion.borderware.com> <20010620165335.C20771@i-sphere.com> <20010621180835.A11041@hades.hell.gr>
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Date: Thu, 21 Jun 2001 11:11:08 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

Or simply block everything from the Pacific Rim. Although there are some
legitimate people there :), almost ALL of the email I get from there is
SPAM. So ...

    :0
    * ^Received:.*\[200.51.*
    $HOME/mail/Spam

    :0
    * ^Received:.*\[202.*
    $HOME/mail/Spam

    :0
    * ^Received:.*\[203.*
    $HOME/mail/Spam

    :0
    * ^Received:.*\[210.*
    $HOME/mail/Spam

    :0
    * ^Received:.*\[211.*
    $HOME/mail/Spam

    :0
    * ^Received:.*\[61.13.*
    $HOME/mail/Spam

    :0
    * ^.*to be removed.*
    $HOME/mail/Spam

The above rules catch a small group from South America and one other :) You
wouldn't believe the amount of Spam that simply "goes away" with this -- and
I have only sent 1 legitimate email into my spam box with these filters.
Not too bad! Too bad administrators in these areas don't get their acts
together.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Giorgos Keramidas"
To: "faSty"
Cc: "Bruce M. Walker" ;
Sent: Thursday, June 21, 2001 10:08 AM
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.

> On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
>
> > I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
> >
> > -trev
>
> Instead of tweaking your sendmail rules, which is somewhat error prone
> (unless you really know what you are doing), you could install procmail
> and use that as the local delivery agent. Then, a simple filter like:
>
> :0 H
> * From[: ].*hahaha@.*sex.*$
> /dev/null
>
> put in the proper place (your /usr/local/etc/procmailrc) will filter
> out all mail that has either an envelope-from or a header-from
> address that matches your rules.
>
> The only problem I can see with this is that you might soon end
> up with a huge /usr/local/etc/procmailrc file, instead of a nicer
> /etc/mail/access file that blocks spammers.
>
> If you do want to use /etc/mail/access then you should probably do the
> extra work it takes to find, from the mail headers, where the mail
> comes from.
>
> Then block the mail that comes from that host or domain or provider
> and contact the provider's mail admins informing them that you have
> blocked the entire domain because spammers use it to abuse your mail
> system. A nicely put and carefully worded telephone call, where you
> take care not to offend the mail admins themselves, will do wonders..
> trust me.
>
> -giorgos

From owner-freebsd-security Thu Jun 21 12:58:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from asgard.inter.net.il (asgard.inter.net.il [192.114.186.12]) by hub.freebsd.org (Postfix) with ESMTP id 9993037B406 for ; Thu, 21 Jun 2001 12:58:25 -0700 (PDT) (envelope-from bk532@iname.com)
Received: from bk532nb.local.net (diup-202-58.inter.net.il [213.8.202.58]) by asgard.inter.net.il (Mirapoint) with ESMTP id KLR80253; Thu, 21 Jun 2001 22:56:59 +0300 (IDT)
Received: (from boris@localhost) by bk532nb.local.net (8.11.4/8.11.4) id f5LJssE09415; Thu, 21 Jun 2001 22:54:54 +0300 (IDT) (envelope-from boris)
Date: Thu, 21 Jun 2001 22:54:54 +0300
From: Boris Karnaukh
To: "Nickolay A. Kritsky"
Cc: security@FreeBSD.ORG
Subject: Re: IPFW logging
Message-ID: <20010621225454.A9402@bk532nb.local.net>
References: <015c01c0fa4a$da371220$0600a8c0@ibmka.internethelp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <015c01c0fa4a$da371220$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Thu, Jun 21, 2001 at 04:08:14PM +0400

On Thu, Jun 21, 2001 at 04:08:14PM +0400, Nickolay A. Kritsky wrote:
> Hi all!
> I am puzzled with one little question: what logging facility does ipfw
> use and where should I patch it to make it log to some other log
> facility?

IPFW activity is logged by the security logging facility and goes by
default to /var/log/security.
You can't change the facility without patching the ipfw source, but you can
try to filter its messages using syslog functionality, using something like:

    !ipfw
    *.*                                             /var/log/ipfw.log

> I am a newbie to UNIX syslogd and have another question: can I add
> another log facility to the system?

You can use one of the local[0-7] facilities. They are specifically
reserved for end-user use.

--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Thu Jun 21 13: 3: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id CA90137B406 for ; Thu, 21 Jun 2001 13:03:03 -0700 (PDT) (envelope-from fasty@i-sphere.com)
Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f5LK8eU31687; Thu, 21 Jun 2001 13:08:40 -0700 (PDT) (envelope-from fasty)
Date: Thu, 21 Jun 2001 13:08:40 -0700
From: faSty
To: Giorgos Keramidas
Cc: freebsd-security@freebsd.org
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Message-ID: <20010621130840.I31428@i-sphere.com>
References: <20010620194713.A18467@ns1.via-net-works.net.ar> <200106202329.f5KNTPm07958@fusion.borderware.com> <20010620165335.C20771@i-sphere.com> <20010621180835.A11041@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010621180835.A11041@hades.hell.gr>; from keramida@ceid.upatras.gr on Thu, Jun 21, 2001 at 06:08:35PM +0300

Yes, I am still using /etc/mail/access; it seems not to work at all, and I
will try it out with the procmail filter today.
Thanks,
-trev

On Thu, Jun 21, 2001 at 06:08:35PM +0300, Giorgos Keramidas wrote:
> On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
>
> > I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
> >
> > -trev
>
> Instead of tweaking your sendmail rules, which is somewhat error prone
> (unless you really know what you are doing), you could install procmail
> and use that as the local delivery agent. Then, a simple filter like:
>
> :0 H
> * From[: ].*hahaha@.*sex.*$
> /dev/null
>
> put in the proper place (your /usr/local/etc/procmailrc) will filter
> out all mail that has either an envelope-from or a header-from
> address that matches your rules.
>
> The only problem I can see with this is that you might soon end
> up with a huge /usr/local/etc/procmailrc file, instead of a nicer
> /etc/mail/access file that blocks spammers.
>
> If you do want to use /etc/mail/access then you should probably do the
> extra work it takes to find, from the mail headers, where the mail
> comes from.
>
> Then block the mail that comes from that host or domain or provider
> and contact the provider's mail admins informing them that you have
> blocked the entire domain because spammers use it to abuse your mail
> system. A nicely put and carefully worded telephone call, where you
> take care not to offend the mail admins themselves, will do wonders..
> trust me.
>
> -giorgos

From owner-freebsd-security Thu Jun 21 13: 4:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id A220037B403 for ; Thu, 21 Jun 2001 13:04:06 -0700 (PDT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id GAA03146; Fri, 22 Jun 2001 06:03:42 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Fri, 22 Jun 2001 06:03:42 +1000 (EST)
From: Ian Smith
To: "Thomas T. Veldhouse"
Cc: Giorgos Keramidas , freebsd-security@FreeBSD.ORG
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
In-Reply-To: <00ba01c0fa6c$c914a800$3028680a@tgt.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi Thomas,

I'd have replied only offlist, but it looks like you'd have missed it ..

On Thu, 21 Jun 2001, Thomas T. Veldhouse wrote:

> Or simply block everything from the Pacific Rim. Although there are some
> legitimate people there :), almost ALL of the email I get from there is
> SPAM. So ...

[..]

> * ^Received:.*\[203.*
> $HOME/mail/Spam

Well there goes most of Australia, among other 'all spammer' countries,

[..]

> The above rules catch a small group from South America and one other :) You
> wouldn't believe the amount of Spam that simply "goes away" with this -- and
> I have only sent 1 legitimate email into my spam box with these filters.
> Not too bad! Too bad administrators in these areas don't get their acts
> together.
If I refused mail from North American nets I'd lose 95% of my spam, but
alas, this fine mailing list also :-)

Cheers, Ian

From owner-freebsd-security Thu Jun 21 13:15:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 6BF4D37B406 for ; Thu, 21 Jun 2001 13:15:37 -0700 (PDT) (envelope-from veldy@veldy.net)
Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id A557BBAAC; Thu, 21 Jun 2001 15:15:35 -0500 (CDT)
Message-ID: <01d301c0fa8e$d9f44be0$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Ian Smith"
Cc:
References:
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Date: Thu, 21 Jun 2001 15:14:59 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

I have had Australian email and it wasn't blocked -- however, if it is, it
just goes into my Spam folder and I do check the folder to make sure nothing
legitimate was moved. Since I receive so little Australian email, it is not
a big deal; I still won't miss it, it is just not in my INBOX. But, there is
almost NO SPAM in my INBOX, which is by far the most important to me. I
simply gave my simple SPAM ruleset and it works VERY well -- and it is the
last set of rules processed, so all other rules (i.e. mailing list and virus
rules) are processed first. Like I said, I think only ONE email has been
misdirected to my SPAM folder, and I found it and read it.
Almost all Australian email that I read comes from a mailing list such as
this one, and those rules are processed first, so they won't end up in my
Spam folder anyway.

If you don't like the rules, don't use them, but no need to make a fuss
over it.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Ian Smith"
To: "Thomas T. Veldhouse"
Cc: "Giorgos Keramidas" ;
Sent: Thursday, June 21, 2001 3:03 PM
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.

> Hi Thomas,
>
> I'd have replied only offlist, but it looks like you'd have missed it ..
>
> On Thu, 21 Jun 2001, Thomas T. Veldhouse wrote:
>
> > Or simply block everything from the Pacific Rim. Although there are some
> > legitimate people there :), almost ALL of the email I get from there is
> > SPAM. So ...
>
> [..]
>
> > * ^Received:.*\[203.*
> > $HOME/mail/Spam
>
> Well there goes most of Australia, among other 'all spammer' countries,
>
> [..]
>
> > The above rules catch a small group from South America and one other :) You
> > wouldn't believe the amount of Spam that simply "goes away" with this -- and
> > I have only sent 1 legitimate email into my spam box with these filters.
> > Not too bad! Too bad administrators in these areas don't get their acts
> > together.
>
> If I refused mail from North American nets I'd lose 95% of my spam, but
> alas, this fine mailing list also :-)
>
> Cheers, Ian

From owner-freebsd-security Thu Jun 21 13:40:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by hub.freebsd.org (Postfix) with ESMTP id 1BDBA37B401 for ; Thu, 21 Jun 2001 13:40:13 -0700 (PDT) (envelope-from jb@jbacher.com)
Received: from JB (gate09.shawneelink.net [216.240.79.9]) by ns.shawneelink.net (8.10.1/8.10.1) with ESMTP id f5LKdiV16995; Thu, 21 Jun 2001 15:39:44 -0500 (CDT)
Message-Id: <4.2.2.20010621153545.01b4e6f8@mail.jbacher.com>
X-Sender: jb@mail.jbacher.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Thu, 21 Jun 2001 15:39:38 -0500
To: faSty
From: J Bacher
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010621130840.I31428@i-sphere.com>
References: <20010621180835.A11041@hades.hell.gr> <20010620194713.A18467@ns1.via-net-works.net.ar> <200106202329.f5KNTPm07958@fusion.borderware.com> <20010620165335.C20771@i-sphere.com> <20010621180835.A11041@hades.hell.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 01:08 PM 6/21/2001 -0700, you wrote:
> Yes, I am still using /etc/mail/access; it seems not to work at all, and I
> will try it out with the procmail filter today.

If you are using Sendmail, append this to the very end of your
sendmail.cf. It will block the hahaha virus.
    ######################################################################
    #
    # Added to Block the Viruses
    #
    ######################################################################

    # The format for the rule is
    #
    # RExactly the thing you want to quote
    # You just need enough of a pattern to match.
    # Instructional note: Follow these instructions exactly
    # The format for the rule is
    #
    # RExactly the thing you want to quote
    #
    # No quote marks, no tabs, absolutely nothing in
    # parentheses (like this, they're considered comments
    # and will be removed before they get to the rules).
    # After the exact thing, then a tab, and the $#error.
    # Note, the $* matches anything, so it's useful for
    # wildcarding.  This also scans all messages with
    # Subject: headers and invokes a rule, so there is
    # a performance hit.

    HSubject: $>Check_Subject
    D{MPat1}Snowhite and the Seven Dwarfs - The REAL story!
    D{MMsg1}This message may contain the Snow White virus.
    SCheck_Subject
    R${MPat1} $*	$#error $: 550 ${MMsg1}
    RRe: ${MPat1} $*	$#error $: 550 ${MMsg1}

> On Thu, Jun 21, 2001 at 06:08:35PM +0300, Giorgos Keramidas wrote:
> > On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
> >
> > > I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
> > >
> > > -trev
> >
> > Instead of tweaking your sendmail rules, which is somewhat error prone
> > (unless you really know what you are doing), you could install procmail
> > and use that as the local delivery agent. Then, a simple filter like:
> >
> > :0 H
> > * From[: ].*hahaha@.*sex.*$
> > /dev/null
> >
> > put in the proper place (your /usr/local/etc/procmailrc) will filter
> > out all mail that has either an envelope-from or a header-from
> > address that matches your rules.
> >
> > The only problem I can see with this is that you might soon end
> > up with a huge /usr/local/etc/procmailrc file, instead of a nicer
> > /etc/mail/access file that blocks spammers.
> >
> > If you do want to use /etc/mail/access then you should probably do the
> > extra work it takes to find, from the mail headers, where the mail
> > comes from.
> >
> > Then block the mail that comes from that host or domain or provider
> > and contact the provider's mail admins informing them that you have
> > blocked the entire domain because spammers use it to abuse your mail
> > system. A nicely put and carefully worded telephone call, where you
> > take care not to offend the mail admins themselves, will do wonders..
> > trust me.
> >
> > -giorgos

From owner-freebsd-security Thu Jun 21 14: 4:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id EFFE837B401 for ; Thu, 21 Jun 2001 14:04:37 -0700 (PDT) (envelope-from fasty@i-sphere.com)
Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f5LLBd532515; Thu, 21 Jun 2001 14:11:39 -0700 (PDT) (envelope-from fasty)
Date: Thu, 21 Jun 2001 14:11:39 -0700
From: faSty
To: J Bacher
Cc: freebsd-security@freebsd.org
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Message-ID: <20010621141139.N31428@i-sphere.com>
References: <20010621180835.A11041@hades.hell.gr> <20010620194713.A18467@ns1.via-net-works.net.ar> <200106202329.f5KNTPm07958@fusion.borderware.com> <20010620165335.C20771@i-sphere.com> <20010621180835.A11041@hades.hell.gr> <20010621130840.I31428@i-sphere.com> <4.2.2.20010621153545.01b4e6f8@mail.jbacher.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <4.2.2.20010621153545.01b4e6f8@mail.jbacher.com>; from jb@jbacher.com on Thu, Jun 21, 2001 at 03:39:38PM -0500

It worked: it rejects hahaha@sexyfun.net with this small piece of code.
Many thanks!

-trev

On Thu, Jun 21, 2001 at 03:39:38PM -0500, J Bacher wrote:
> At 01:08 PM 6/21/2001 -0700, you wrote:
> > Yes, I am still using /etc/mail/access; it seems not to work at all, and I
> > will try it out with the procmail filter today.
>
> If you are using Sendmail, append this to the very end of your
> sendmail.cf. It will block the hahaha virus.
>
> ######################################################################
> #
> # Added to Block the Viruses
> #
> ######################################################################
>
> # The format for the rule is
> #
> # RExactly the thing you want to quote
> # You just need enough of a pattern to match.
> # Instructional note: Follow these instructions exactly
> # The format for the rule is
> #
> # RExactly the thing you want to quote
> #
> # No quote marks, no tabs, absolutely nothing in
> # parentheses (like this, they're considered comments
> # and will be removed before they get to the rules).
> # After the exact thing, then a tab, and the $#error.
> # Note, the $* matches anything, so it's useful for
> # wildcarding.
> # This also scans all messages with
> # Subject: headers and invokes a rule, so there is
> # a performance hit.
>
> HSubject: $>Check_Subject
> D{MPat1}Snowhite and the Seven Dwarfs - The REAL story!
> D{MMsg1}This message may contain the Snow White virus.
> SCheck_Subject
> R${MPat1} $*	$#error $: 550 ${MMsg1}
> RRe: ${MPat1} $*	$#error $: 550 ${MMsg1}
>
> > On Thu, Jun 21, 2001 at 06:08:35PM +0300, Giorgos Keramidas wrote:
> > > On Wed, Jun 20, 2001 at 04:53:35PM -0700, faSty wrote:
> > >
> > > > I did use "From:hahaha@sexyfun.net" and it still fails to reject it.
> > > >
> > > > -trev
> > >
> > > Instead of tweaking your sendmail rules, which is somewhat error prone
> > > (unless you really know what you are doing), you could install procmail
> > > and use that as the local delivery agent. Then, a simple filter like:
> > >
> > > :0 H
> > > * From[: ].*hahaha@.*sex.*$
> > > /dev/null
> > >
> > > put in the proper place (your /usr/local/etc/procmailrc) will filter
> > > out all mail that has either an envelope-from or a header-from
> > > address that matches your rules.
> > >
> > > The only problem I can see with this is that you might soon end
> > > up with a huge /usr/local/etc/procmailrc file, instead of a nicer
> > > /etc/mail/access file that blocks spammers.
> > >
> > > If you do want to use /etc/mail/access then you should probably do the
> > > extra work it takes to find, from the mail headers, where the mail
> > > comes from.
> > >
> > > Then block the mail that comes from that host or domain or provider
> > > and contact the provider's mail admins informing them that you have
> > > blocked the entire domain because spammers use it to abuse your mail
> > > system. A nicely put and carefully worded telephone call, where you
> > > take care not to offend the mail admins themselves, will do wonders..
> > > trust me.
> > >
> > > -giorgos

From owner-freebsd-security Thu Jun 21 14:27: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id D33D537B406 for ; Thu, 21 Jun 2001 14:26:58 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GFA00KJITI5DA@mta5.rcsntx.swbell.net> for security@FreeBSD.ORG; Thu, 21 Jun 2001 16:10:54 -0500 (CDT)
Date: Thu, 21 Jun 2001 16:11:27 -0500
From: Ryan
Subject: login.conf and idletime
To: security@FreeBSD.ORG
Message-id: <000c01c0fa96$bca3be60$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: multipart/alternative; boundary="----=_NextPart_000_0009_01C0FA6C.D388E530"
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Priority: 3

    :idletime=10m:\

I have that in my login.conf.

Does this feature not work with SSH? If this is not the proper way to
set that up, could someone help me out?

'cause it doesn't kick you if you're idle for 10min.
ryanpek@swbell.net
From owner-freebsd-security Thu Jun 21 14:41: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 1093F37B401 for ; Thu, 21 Jun 2001 14:41:04 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id OAA02614; Thu, 21 Jun 2001 14:39:48 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda02612; Thu Jun 21 14:39:31 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5LLdNU87027; Thu, 21 Jun 2001 14:39:23 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdP87022; Thu Jun 21 14:38:51 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5LLc3G02577; Thu, 21 Jun 2001 14:38:03 -0700 (PDT)
Message-Id: <200106212138.f5LLc3G02577@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdfy2566; Thu Jun 21 14:37:25 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Olivier Nicole
Cc: spades@galaxynet.org, freebsd-security@FreeBSD.ORG
Subject: Re: SRA login
In-reply-to: Your message of "Thu, 21 Jun 2001 05:40:49 +0700." <200106202240.FAA17425@bazooka.cs.ait.ac.th>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 21 Jun 2001 14:37:25 -0700

In message <200106202240.FAA17425@bazooka.cs.ait.ac.th>, Olivier Nicole writes:
> > How can we disable 'root' from being able to telnet into
> > via SRA login 4.3-S
>
> In /etc/inetd.conf you have some option to specify to telnetd (-x?) to
> disable SRA.

Actually the options are:

    -a off -X sra

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Jun 21 15: 7: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gs166.sp.cs.cmu.edu (GS166.SP.CS.CMU.EDU [128.2.205.169]) by hub.freebsd.org (Postfix) with SMTP id 3793737B403 for ; Thu, 21 Jun 2001 15:07:03 -0700 (PDT) (envelope-from dpelleg@gs166.sp.cs.cmu.edu)
Date: Thu, 21 Jun 2001 18:06:47 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: security@FreeBSD.ORG
Subject: RE: login.conf and idletime
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
From: Dan Pelleg
Reply-To: Dan Pelleg
Message-Id: <20010621220703.3793737B403@hub.freebsd.org>

> :idletime=10m:\
>
> I have that in my login.conf.
>
> Does this feature not work with SSH? If this is not the proper way to
> set that up, could someone help me out?
>
> 'cause it doesn't kick you if you're idle for 10min.
>
> ryanpek@swbell.net

When I looked, a few weeks ago, I wasn't able to find idletime mentioned
anywhere but the manpage. This agrees with some very old PR I found that
says it was never implemented.

As an alternative, consider:

    echo TMOUT=600 >> /etc/profile; echo set autologout=10 >> /etc/csh.login

--
Dan Pelleg

From owner-freebsd-security Thu Jun 21 15:13:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2883537B403 for ; Thu, 21 Jun 2001 15:13:56 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id PAA02737; Thu, 21 Jun 2001 15:13:49 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda02735; Thu Jun 21 15:13:49 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5LMDi187315; Thu, 21 Jun 2001 15:13:44 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdQ87312; Thu Jun 21 15:13:06 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5LMD4402738; Thu, 21 Jun 2001 15:13:04 -0700 (PDT)
Message-Id: <200106212213.f5LMD4402738@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdEy2733; Thu Jun 21 15:12:38 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Malcolm
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFilter and security
In-reply-to: Your message of "Wed, 20 Jun 2001 18:18:33 PDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 21 Jun 2001 15:12:38 -0700

In message , Malcolm writes:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?

I have a number of servers with IPF installed for this purpose. That's the
beauty of IPF: it can be used to protect a server or a network.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Jun 21 16:59:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.pace.edu (ntutil.pace.edu [205.232.111.9]) by hub.freebsd.org (Postfix) with ESMTP id E3C6037B403; Thu, 21 Jun 2001 16:59:24 -0700 (PDT) (envelope-from js43064n@pace.edu)
Received: from stmail.pace.edu (205.232.111.7:4580) by smtp.pace.edu (LSMTP for Windows NT v1.1b) with SMTP id <0.A8A5EB15@smtp.pace.edu>; Thu, 21 Jun 2001 19:59:25 -0400
Date: Thu, 21 Jun 2001 19:59:22 -0400
Message-Id: <200106211959.AA49807526@stmail.pace.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Jonathan Slivko"
Subject: Kernel Panic

Hello,

I just wrote a little shell script that, on the machine I tested it on,
crashed the box and forced a reboot. The contents of the script was:

#!/bin/sh
pine -i
rm -rf $HOME/dead.letter

That's the whole script. I don't see how something like that could cause
a kernel to crash. Would anyone mind trying to replicate this on a test
box. If it's a security issue, I'll forward it to security when I get
more information.

-- Jonathan
______________________________________________
Jonathan M. Slivko
Technical Support, Black Lotus Communications
http://www.blacklotus.net -- check us out!
----------------------------------------------
Sent via the Pace University Mail system at stmail.pace.edu

From owner-freebsd-security Thu Jun 21 17:00:58 2001
Date: Fri, 22 Jun 2001 10:00:35 +1000
From: Stanley Hopcroft
To: freebsd-security@FreeBSD.ORG
Subject: SSH and/or Kerberos experience
Message-ID: <20010622100034.B788@IPAustralia.Gov.AU>

Dear Ladies and Gentlemen,

I am writing to ask for opinions or anecdotes on using SSH with Kerberos
authentication with FreeBSD to provide access (but not necessarily root
access) to a largish number of Unix boxes.

The main difference I see between Kerberos and SSH is that Kerberos
provides a single point of control for the authentication process: rights
can be added or deleted in only one place.

SSH, with RSA authentication, on the other hand does not rely on smallish
shared secrets and kerberised applications (definite no-no, since many of
the boxes requiring access will be Windows), but requires that each box
that is going to be accessed be updated with the public key of any box
that is going to access it. This is obviously expensive and maybe
impossible if many of the boxes interact (instead of perhaps hub and
spokes).

Therefore, I think that SSH with Kerberos authentication is the best way
of providing arbitrary secure access without expensive (ie manual) key
management.

Please let me know if I am on the right track, and how effective Kerberos
authentication with SSH is? Is this what people do with large numbers of
boxes? Are there better ways (SSH auth by RADIUS??)?

Thank you,

Yours sincerely.
--
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
"We'll cross out that bridge when we come back to it later."

From owner-freebsd-security Thu Jun 21 17:03:47 2001
Date: Thu, 21 Jun 2001 19:02:56 -0500 (CDT)
From: Chris Byrnes
To: Jonathan Slivko
Subject: Re: Kernel Panic
In-Reply-To: <200106211959.AA49807526@stmail.pace.edu>
Message-ID: <20010621190113.J98838-100000@awww.jeah.net>

Uh, heh. How can you rm -rf $HOME/dead.letter while pine is open?

Chris Byrnes - chris@JEAH.net
JEAH Communications, LLC - "Fast. Dedicated."

On Thu, 21 Jun 2001, Jonathan Slivko wrote:

> Hello,
>
> I just wrote a little shell script that, on the machine I tested
> it on, crashed the box and forced a reboot. The contents of the
> script was:
>
> #!/bin/sh
> pine -i
> rm -rf $HOME/dead.letter
>
> That's the whole script. I don't see how something like that could
> cause a kernel to crash. Would anyone mind trying to replicate
> this on a test box. If it's a security issue, I'll forward it to
> security when I get more information.
>
> -- Jonathan
>
> ______________________________________________
> Jonathan M. Slivko
> Technical Support, Black Lotus Communications
> http://www.blacklotus.net -- check us out!
> ----------------------------------------------

From owner-freebsd-security Thu Jun 21 17:07:34 2001
Date: Fri, 22 Jun 2001 12:07:13 +1200 (NZST)
From: Juha Saarinen
To: Chris Byrnes
Cc: Jonathan Slivko, freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel Panic
In-Reply-To: <20010621190113.J98838-100000@awww.jeah.net>

After you quit Pine? Anyway, no misbehaviour here, on a 4.2-Stable box.

--
Regards,

Juha

PGP fingerprint: B7E1 CC52 5FCA 9756 B502 10C8 4CD8 B066 12F3 9544

On Thu, 21 Jun 2001, Chris Byrnes wrote:

> Uh, heh. How can you rm -rf $HOME/dead.letter while pine is open?

From owner-freebsd-security Thu Jun 21 17:08:40 2001
Date: Thu, 21 Jun 2001 19:07:56 -0500 (CDT)
From: Chris Byrnes
To: Jonathan Slivko
Subject: Re: Kernel Panic
In-Reply-To: <20010621190113.J98838-100000@awww.jeah.net>
Message-ID: <20010621190726.G98973-100000@awww.jeah.net>

Bad form to reply to your own posts, I know, but uh, ignore that last
post. :P

Chris Byrnes - chris@JEAH.net
JEAH Communications, LLC - "Fast. Dedicated."

On Thu, 21 Jun 2001, Chris Byrnes wrote:

> Uh, heh. How can you rm -rf $HOME/dead.letter while pine is open?

From owner-freebsd-security Thu Jun 21 17:09:12 2001
Date: Thu, 21 Jun 2001 20:08:57 -0400
Message-Id: <200106212008.AA488636554@stmail.pace.edu>
From: "Jonathan Slivko"
To: Jonathan Slivko, Chris Byrnes
Subject: Re: Kernel Panic

It was supposed to run after pine had closed.

-- Jonathan
______________________________________________
Jonathan M. Slivko
Technical Support, Black Lotus Communications
http://www.blacklotus.net -- check us out!
----------------------------------------------

---------- Original Message ----------------------------------
From: Chris Byrnes
Date: Thu, 21 Jun 2001 19:02:56 -0500 (CDT)

>Uh, heh. How can you rm -rf $HOME/dead.letter while pine is open?
>
>Chris Byrnes - chris@JEAH.net
>JEAH Communications, LLC - "Fast. Dedicated."
>
>On Thu, 21 Jun 2001, Jonathan Slivko wrote:
>
>> Hello,
>>
>> I just wrote a little shell script that, on the machine I tested
>> it on, crashed the box and forced a reboot. The contents of the
>> script was:
>>
>> #!/bin/sh
>> pine -i
>> rm -rf $HOME/dead.letter
>>
>> That's the whole script. I don't see how something like that could
>> cause a kernel to crash. Would anyone mind trying to replicate
>> this on a test box. If it's a security issue, I'll forward it to
>> security when I get more information.
>>
>> -- Jonathan

From owner-freebsd-security Thu Jun 21 23:34:17 2001
From: "Ted Mittelstaedt"
Subject: RE: Kernel Panic
Date: Thu, 21 Jun 2001 23:34:02 -0700
Message-ID: <004a01c0fae5$539c9780$1401a8c0@tedm.placo.com>
In-Reply-To: <200106211959.AA49807526@stmail.pace.edu>

That absolutely will not crash a FreeBSD system that's not got other
problems.

However, what I think is going on here is that the system that you ran
this on has buggy disk hardware. It's probably some IDE disk, right?

I've got a system here that I've tried 5 different IDE paddle cards in,
and on every one I've tried installing FreeBSD and doing different
operations and within about 20 minutes I had crashed it and screwed up
the filesystem.

I finally got so annoyed I dug up an old AHA1520 SCSI card and slapped a
1GB SCSI disk on it (the system isn't intended to be doing anything
fancy) and it's been solid as a rock ever since. The best conclusion I
have is that the ISA bus in the system has some clock speed error that
doesn't affect the SCSI disk system.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jonathan Slivko
>Sent: Thursday, June 21, 2001 4:59 PM
>To: freebsd-questions@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG;
>freebsd-security@FreeBSD.ORG
>Subject: Kernel Panic
>
>
>Hello,
>
>I just wrote a little shell script that, on the machine I tested
>it on, crashed the box and forced a reboot. The contents of the
>script was:
>
>#!/bin/sh
>pine -i
>rm -rf $HOME/dead.letter
>
>That's the whole script. I don't see how something like that could
>cause a kernel to crash. Would anyone mind trying to replicate
>this on a test box. If it's a security issue, I'll forward it to
>security when I get more information.
>
>-- Jonathan

From owner-freebsd-security Fri Jun 22 00:28:08 2001
From: "Rashid N. Achilov"
Organization: Granch Ltd.
To: faSty
Cc: freebsd-security@freebsd.org
Subject: Re: need help filter this stupid virus. Sendmail didnt stop this.
Date: Fri, 22 Jun 2001 14:27:37 +0700
In-Reply-To: <20010620152023.C19358@i-sphere.com>
Message-Id: <01062214273702.09378@sentry.granch.com>

On Thursday 21 June 2001 05:20, you wrote:
> Hi there,
>
> I need help, I tried filter on Sendmail to reject or discard when it
> match "From:hahaha@sexyfun.net" seem not success stop these stupid virus
> email and it kept coming back repeat like every 2 or 3 days.
>
> Here the full email header.
>
> From MAILER-DAEMON Wed Jun 20 14:50:40 2001
> Return-Path:
> Received: from oemcomputer (mewi1pool0-a3.midway.tds.net [208.166.196.132])
>     by i-sphere.com (8.11.3/8.11.3) with SMTP id f5KLoPT19225
>     for ; Wed, 20 Jun 2001 14:50:26 -0700 (PDT)
> Date: Wed, 20 Jun 2001 14:50:26 -0700 (PDT)
[...the way of the textripper...]

IMHO, you should include midway.tds.net in /etc/mail/access, not
hahaha@sexyfun.net:

midway.tds.net  REJECT

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
Granch Ltd.
system administrator, e-mail: achilov@granch.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Fri Jun 22 02:31:51 2001
From: Sheldon Hearn
To: Stanley Hopcroft
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SSH and/or Kerberos experience
In-reply-to: Your message of "Fri, 22 Jun 2001 10:00:35 +1000." <20010622100034.B788@IPAustralia.Gov.AU>
Date: Fri, 22 Jun 2001 11:31:40 +0200
Message-ID: <2323.993202300@axl.seasidesoftware.co.za>

On Fri, 22 Jun 2001 10:00:35 +1000, Stanley Hopcroft wrote:

> The main difference I see between Kerberos and SSH is that Kerberos
> provides a single point of control for the authentication process:
> rights can be added or deleted in only one place.

Use both, in other words, Kerberized SSH. Kerberos scores you
ticket-based authentication, while SSH scores you an encrypted session.

Ciao,
Sheldon.

From owner-freebsd-security Fri Jun 22 05:38:56 2001
Date: Fri, 22 Jun 2001 07:38:52 -0500
From: "Jacques A. Vidrine"
To: Sheldon Hearn
Cc: Stanley Hopcroft, freebsd-security@FreeBSD.ORG
Subject: Re: SSH and/or Kerberos experience
Message-ID: <20010622073852.A8633@hellblazer.nectar.com>
References: <20010622100034.B788@IPAustralia.Gov.AU> <2323.993202300@axl.seasidesoftware.co.za>
In-Reply-To: <2323.993202300@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Fri, Jun 22, 2001 at 11:31:40AM +0200

On Fri, Jun 22, 2001 at 11:31:40AM +0200, Sheldon Hearn wrote:
> Use both, in other words, Kerberized SSH. Kerberos scores you
> ticket-based authentication, while SSH scores you an encrypted session.

Of course, Kerberized applications (e.g. TELNET) typically also use
encryption of the data stream. Currently SSH offers more algorithms for
this, though.

Personally I use all three of Kerberized SSH, TELNET, and FTP, depending
upon what I want to accomplish. I find SSH very convenient as an rsh/rcp
replacement; I prefer TELNET's terminal handling; I find FTP best for
large transfers and remote file management.
Cheers,
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security Fri Jun 22 07:37:29 2001
Message-Id: <5.1.0.14.0.20010622103016.03639890@marble.sentex.ca>
Date: Fri, 22 Jun 2001 10:31:55 -0400
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: patch to fix expire security hole ?

Is this a possible fix for ftpd so that the expire field is checked?

---Mike

diff -u ftpd.c.orig ftpd.c --- ftpd.c.orig Fri Jun 22 10:29:02 2001 +++ ftpd.c Fri Jun 22 10:40:38 2001
@@ -1215,11 +1215,11 @@ #else rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd)); #endif +skip: /* The strcmp does not catch null passwords! */ if (*pw->pw_passwd == '\0' || (pw->pw_expire && time(NULL) >= pw->pw_expire)) rval = 1; /* failure */ -skip: /* * If rval == 1, the user failed the authentication check * above. If rval == 0, either PAM or local authentication

From owner-freebsd-security Fri Jun 22 08:56:21 2001
Date: Fri, 22 Jun 2001 11:56:04 -0400
Message-Id: <200106221156.AA442106040@stmail.pace.edu>
From: "Jonathan Slivko"
To: "Ted Mittelstaedt"
Subject: RE: Kernel Panic

I think I see what caused the kernel to crash. What happened, I believe,
is that since I didn't specify the regular pine binary, the script just
loaded itself, thus throwing it into a loop. It's really a sad situation.

-- Jonathan
______________________________________________
Jonathan M. Slivko
Technical Support, Black Lotus Communications
http://www.blacklotus.net -- check us out!
----------------------------------------------

---------- Original Message ----------------------------------
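Review bot: moving `skip:` above the `if (*pw->pw_passwd == '\0' || (pw->pw_expire && time(NULL) >= pw->pw_expire))` test changes more than the expiry check. Every `goto skip` now lands on that test, so a user whom PAM accepted (the comment after the label says rval == 0 covers the PAM case) is refused whenever the local passwd field is empty, and any `goto skip` taken before pw is valid would dereference a null pointer; the hunk does not show the jump sites, so that needs checking. Safer: keep the label where it was and add the expiry test after it, guarded on what is known at that point, e.g. `if (rval == 0 && pw != NULL && pw->pw_expire && time(NULL) >= pw->pw_expire) rval = 1;`. The comment `/* The strcmp does not catch null passwords! */` also now sits below a label that bypasses the strcmp; keep it with the strcmp it explains.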
From: "Ted Mittelstaedt"
Date: Thu, 21 Jun 2001 23:34:02 -0700

>That absolutely will not crash a FreeBSD system that's not
>got other problems.
>
>However, what I think is going on here is that the system that
>you ran this on has buggy disk hardware. It's probably some
>IDE disk, right?
>
>I've got a system here that I've tried 5 different IDE paddle
>cards in, and on every one I've tried installing FreeBSD and
>doing different operations and within about 20 minutes I
>had crashed it and screwed up the filesystem.
>
>I finally got so annoyed I dug up an old AHA1520 SCSI card
>and slapped a 1GB SCSI disk on it (the system isn't intended
>to be doing anything fancy) and it's been solid as a rock
>ever since. The best conclusion I have is that the ISA bus
>in the system has some clock speed error that doesn't affect
>the SCSI disk system.
>
>Ted Mittelstaedt                      tedm@toybox.placo.com
>Author of: The FreeBSD Corporate Networker's Guide
>Book website: http://www.freebsd-corp-net-guide.com
>
>
>>-----Original Message-----
>>From: owner-freebsd-questions@FreeBSD.ORG
>>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jonathan Slivko
>>Sent: Thursday, June 21, 2001 4:59 PM
>>To: freebsd-questions@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG;
>>freebsd-security@FreeBSD.ORG
>>Subject: Kernel Panic
>>
>>
>>Hello,
>>
>>I just wrote a little shell script that, on the machine I tested
>>it on, crashed the box and forced a reboot. The contents of the
>>script was:
>>
>>#!/bin/sh
>>pine -i
>>rm -rf $HOME/dead.letter
>>
>>That's the whole script. I don't see how something like that could
>>cause a kernel to crash. Would anyone mind trying to replicate
>>this on a test box. If it's a security issue, I'll forward it to
>>security when I get more information.
>>
>>-- Jonathan

From owner-freebsd-security Fri Jun 22 11:32:02 2001
Message-Id: <3B338EFB.000039.73802@frodo.searchcanada.ca>
To: freebsd-security@freebsd.org
Subject: Letting scp through a firewall using ipfilter
From: "Michael Richards"
Date: Fri, 22 Jun 2001 14:31:23 -0400 (EDT)

I'm trying to get my firewall to allow scp through. It currently allows
ssh in, but it appears that scp creates an outgoing connection from the
remote machine back to the originating machine. Anyone know how to solve
this problem?

The firewall spits out:
22/06/2001 14:22:12.543474 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007 PR tcp len 20 10240 -AR IN

When I try to:
scp user@24.1.2.3:/usr/home/user/filename filename

I'm using ipfilter.

thanks
-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Fri Jun 22 11:44:07 2001
Date: Fri, 22 Jun 2001 14:43:48 -0400 (EDT)
From: Rob Simmons
To: Michael Richards
Subject: Re: Letting scp through a firewall using ipfilter
In-Reply-To: <3B338EFB.000039.73802@frodo.searchcanada.ca>
Message-ID: <20010622144327.W18224-100000@mail.wlcg.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Are you keeping state on the connection?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 22 Jun 2001, Michael Richards wrote:

> I'm trying to get my firewall to allow scp through. It currently
> allows ssh in, but it appears that scp creates an outgoing connection
> from the remote machine back to the originating machine. Anyone know
> how to solve this problem?
>
> The firewall spits out:
> 22/06/2001 14:22:12.543474 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007
> PR tcp len 20 10240 -AR IN
>
> When I try to:
> scp user@24.1.2.3:/usr/home/user/filename filename
>
> I'm using ipfilter.
> > thanks > -Michael > _________________________________________________________________ > http://fastmail.ca/ - Fast Free Web Email for Canadians -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7M5Hnv8Bofna59hYRAzYwAJ9g4ZuVUIlRN9DdtNyXmavKo6N2cACfV3P4 547nmmMbMJmRGdjEhwqNHZk= =jc7W -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 11:46:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id F054F37B403 for ; Fri, 22 Jun 2001 11:46:08 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 95629 invoked from network); 22 Jun 2001 18:46:44 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 22 Jun 2001 18:46:44 -0000 Message-ID: <003a01c0fb4b$a165dba0$9865fea9@book> From: "alexus" To: , "Michael Richards" References: <3B338EFB.000039.73802@frodo.searchcanada.ca> Subject: Re: Letting scp through a firewall using ipfilter Date: Fri, 22 Jun 2001 14:46:21 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yyou don't need to do anything scp works through port 22 ----- Original Message ----- 
From: "Michael Richards" To: Sent: Friday, June 22, 2001 2:31 PM Subject: Letting scp through a firewall using ipfilter > I'm trying to get my firewall to allow scp through. It currently > allows ssh in, but it appears that scp creates an outgoing connection > from the remote machine back to the originating machine. Anyone know > how to solve this problem? > > The firewall spits out: > 22/06/2001 14:22:12.543474 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007 > PR tcp len 20 10240 -AR IN > > When I try to: > scp user@24.1.2.3:/usr/home/user/filename filename > > I'm using ipfilter. > > thanks > -Michael > _________________________________________________________________ > http://fastmail.ca/ - Fast Free Web Email for Canadians To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 12:16:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail2in.giga.net.tw (mail2in.giga.net.tw [203.133.1.16]) by hub.freebsd.org (Postfix) with ESMTP id 5F4EC37B409 for ; Fri, 22 Jun 2001 12:15:16 -0700 (PDT) (envelope-from e10233@ms60.url.com.tw) Received: from enter (u182-136.u203-203.giga.net.tw [203.203.182.136]) by mail2in.giga.net.tw (Postfix) with SMTP id 1536151967 for ; Sat, 23 Jun 2001 03:15:06 +0800 (CST) To: e10233@ms60.url.com.tw 
From: e10233@ms60.url.com.tw
Subject: ¶W¸£¤O¤ß´¼¬ì§Þ
Date: Sat, 23 Jun 2001 03:12:36 +0800
Message-Id: <37065.133751736109800.2395404@localhost>
Content-Type: multipart/mixed; boundary=qdkosgjjkpjcglnk

--qdkosgjjkpjcglnk
Content-Type: text/plain; charset=big5
Content-Transfer-Encoding: 8bit

¿Ë·RªºªB¤Í; ¦b¦¹´£¨Ñ2001¦~³Ì·s¸£¤O¶}µo§Þ³N «e¨¥: ®Ú¾Ú¬ì¾Ç¬ã¨sÅã¥Ü¡A§Ú­Ì¤HÃþ¤j¸£¥i§l¦¬°O¾Ð2000¸U¥»¹Ï®Ñ¤j·§10­Ó¹Ï®ÑÀ] ¤§¶q¡A¥u­n²ß±o¥¿½Tªº°O¾Ð¤èªk¡A¥²¯à±N§Ú­Ì¤j¸£µo´§²OºvºÉ­P¡A¹ï¤H¡A¨Æ ¡Aª«¥t¦³¤@µf¤£¦P¨¤«×¨£¸Ñ¡AÂǦ¹½Òµ{¦@¦P±´¯Á¤j¸£¤F¯«©_¡C ¡·"§Ú­Ìªº±M·~ §Ú­Ì¨ã¦³¥¿²Îªº­^°êMind Maps¤ß´¼Ã¸¹Ïªkªº±Â½ÒÃҮѡA±Ð±z¾Ç²ß­±¹ï21¥@¬ö ªºÄvª§¥²³Æªº§Þ¥©¡B±´¯ÁÁA¸Ñ§Ú­Ì¯«©_ªº¤j¸£¡A½Õ¾ã¾Ç²ßªº¹LÂo¾¹"¶W±j°O¾Ð" ¾Ç²ß¤ß´¼¹Ïªº³W«h¤Î¦p¦ó¹B¥Î¤ß´¼Ã¸¹Ï Mind Maps ªº¤èªk¥´³y¤@Áûª÷ÀY¸£¥Hªï±µ21¥@¬öªº¬D¾Ô¡B°l¨D¥þ¤è¦ì¦¨¥\ªº¤H¥Í¡C ¡·"§Ú­Ìªº¥Øªº ¬°±Ð¾É¥¿½Tªº¾Ç²ß°O¾Ð¤è¦¡¡A¨Ï©ÒŪªº¬ì¥Ø¥i§¹¥þªº°O¦í¤Î¹B¥Î¡A´î¤Ö¾Ç²ß¤§ ®À§é·P¡A¨Ã´£°ª§A¾Ç²ßªº¿³½ì¡C ¤HÃþªº¤j¸£¥u¥Î¨ì3%~6%©|¦³94%¥H¤W³£¨S°V½m¶}µo¨Ï¥Î¡C §Ú­Ì¹B¥Î¤@®M«e±Mªù°V½m±¡³ø¤H­ûªº¤èªk¡A²×¥Í¨ü¥ÎµL½a¡A¦p°O¡G ©m¦W¡B¹q¸Ü¡(«P¶i¤H»ÚÃö«Y¡^¡B­I³æ¦r¡B¾Ç»y¨¥¡B°O¤½¦¡¡B¾ú¥v¡B¦a²z µ¥.... ·Ó§Ú­Ì±Ð§Aªº¤èªk¡A¥u»Ý30%ªº®É¶¡¡A¹F¦¨¦Ê¤À¤§¦Êªº¥\®Ä¡A¥u­n¦³¤ß¦¨ªø¡A ±q10·³¡ã75·³¬Ò «OÃÒ¼W¥[2~15­¿¥H¤Wªº°O¾Ð¤O(°ò¦°V½m)¡C §A·Q¾Ö¦³¶W±j¹L¤Hªº°O¾Ð¶Ü¡H ¹B¥Î¶W±j°O¾Ð°V½m¡B¤ß´¼ ¹Ï°V½m¤ÎÀu¶Õ¸£ªi°V½m¡A ¥i¥HÅý§Aªº°O¾Ð¤O¥ß¨è´£¤É2~15­¿¡C§AÁÙ¦b¬Ý¶Ü¡H§OµS¿Ý»°§Ö¦æ°Ê....

Åwªï¦³§Ó°l¨D¥þ¤è¦ì¦¨¥\¤§¦U¬ÉªB¤ÍÄâ®a(ªB)±a²²(¤Í)°Ñ¥[ª÷ÀY¸£°ò¦°V½m ½Òµ{¡A¸Ô²Ó±¡§Î½Ð¤Wºô¬d¸ß: http://98.to/super2100 ©ÎÀH«Hªþ¥ó µ¹¦Û¤v·Q¤@­Ó¨Ó¤W½Òªº²z¥Ñ: ¥Î³}®Ñ§½ªº®É¶¡¤Î¶R¤@¥»®Ñªº¿ú¡A°Ñ¥[§Ú­ÌÁ|¿ìªº°ò¦½Òµ{¡A «OÃÒ±z°O¾Ð¤O´£¤É2-15­¿¡A(±z¦h¤[¨S¤W®Ñ§½¶R®Ñ¤F©O?)µ´¹ïÅý±zª«¶W©Ò­È¡C ¡@ §Ú­Ì±N¤£©w´Á¦b¥x¥_¡A®ç¶é ¡A·s¦Ë¡A­]®ß¡A¥x¤¤¡A°ª¶¯Á|¿ì¥Ü½d½Òµ{,Åwªï¨Ó¹q¹w¬ù °ª¶¯:7¤ë¥÷¶}½Ò¤é´Á¤À§O¬°:7/4¬P´Á¤T¡A7/13¬P´Á¤­¡A7/26¬P´Á¥| ¥x¤¤Á`¤½¥qTEL¡G04-23165310 FAX:04-23165315 ¬¢ÂŤp©j °ª¶¯¤À¤½¥qTEL¡G07-3861373 0955045803 ¬¢ÂÅ¥ý¥Í ¥þ¬Ù¨ä¥L¦a°Ï ½Ð¬¢ 0965-129085 ¥»°T®§¬O©e°Uµo°e¡A½Ð¤£­nª½±µ¦^ÂÐ¥»«H¡A¦pªG±z¤£·Q¦A±µ¦¬ ¥»°T®§¡A½Ð¦^«H¦Ü¥H¤U«H½cE-mail«H½c¡G:kaohsiung807@edirect168.com:: ¦p¦³¥´ÂZ±z¤§³B¡A½Ð¦h¦h¥]²[¡AÁÂÁ¡I¡I

--qdkosgjjkpjcglnk
Content-Type: text/html; name="¤W½Òµý.htm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="¤W½Òµý.htm"

--qdkosgjjkpjcglnk--

From owner-freebsd-security Fri Jun 22 12:52:44 2001
Message-Id: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
To: rsimmons@wlcg.com
Subject: Re: Letting scp through a firewall using ipfilter
Cc: freebsd-security@FreeBSD.ORG
From: "Michael Richards"
Date: Fri, 22 Jun 2001 15:52:02 -0400 (EDT)

> Are you keeping state on the connection?

Yes, this was the problem with the ssh, but I'm concerned about the rules to solve the problem I came up with. Here are the rules:

pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep state
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
block in log quick on xl1 proto tcp from any to 216.1.2.3/28

As you can see, this machine is only allowed to accept connections on ssh, http and https. Everything else from the outside should be logged and discarded.

The trouble here is that I don't need to keep state on anything but outgoing connections, for example if I want to wget or ftp a file in or anything like that. I don't want to keep state on the web connections as it will probably unnecessarily load the firewall and not accomplish anything since those connections are permitted.

Have I done this correctly or botched it?

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Fri Jun 22 13:01:28 2001
Date: Fri, 22 Jun 2001 16:01:10 -0400 (EDT)
From: Rob Simmons
To: Michael Richards
Cc:
Subject: Re: Letting scp through a firewall using ipfilter
In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>
Message-ID: <20010622155557.R22932-100000@mail.wlcg.com>

Here is a pair of rules that work:

pass in quick on fxp6 proto tcp from any to 192.168.0.0/24 port = 22 flags S keep state keep frags
pass out quick on fxp0 proto tcp from any to 192.168.0.0/24 port = 22 keep state

fxp6 is my outside interface and fxp0 is my inside interface. I have 5 other inside interfaces, but they all have the same pair of rules, they just have different IP subnets.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 22 Jun 2001, Michael Richards wrote:

> > Are you keeping state on the connection?
>
> Yes, this was the problem with the ssh, but I'm concerned about the
> rules to solve the problem I came up with. Here are the rules:
>
> pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep
> state
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80
> pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443
> block in log quick on xl1 proto tcp from any to 216.1.2.3/28
>
> As you can see this machine is only allowed to accept connections on
> ssh, http and https. Everything else from the outside should be
> logged and discarded.
>
> The trouble here is that I don't need to keep state on anything but
> outgoing connections. For example, if I want to wget or ftp a file in
> or anything like that. I don't want to keep state on the web
> connections as it will probably unnecessarily load the firewall and
> not accomplish anything since those connections are permitted.
>
> Have I done this correctly or botched it?
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Fri Jun 22 13:20:40 2001
Message-ID: <3B33A891.EC712701@soekris.com>
Date: Fri, 22 Jun 2001 13:20:33 -0700
From: Soren Kristensen
Organization: Soekris Engineering
To: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Status of encryption hardware support in FreeBSD

Hi,

There have been some talks earlier about importing the OpenBSD code for encryption hardware support.

As I now have prototypes available of low cost PCI and MiniPCI boards, moving to production in a couple of weeks, I would like to check up on the work, as I would really like to see FreeBSD support. The boards are now supported in OpenBSD 2.9.

Could the responsible person, or anybody who knows, please post or email a status?

For more information about the boards, please visit http://www.soekris.com

Regards,

Soren

From owner-freebsd-security Fri Jun 22 13:25:50 2001
Date: Sat, 23 Jun 2001 05:25:08 +0900 (JST)
Message-Id: <20010623.052508.95037244.ume@mahoroba.org>
To: soren@soekris.com
Cc: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
From: Hajimu UMEMOTO
In-Reply-To: <3B33A891.EC712701@soekris.com>
References: <3B33A891.EC712701@soekris.com>

>>>>> On Fri, 22 Jun 2001 13:20:33 -0700
>>>>> Soren Kristensen said:

soren> There have been some talks earlier about importing the OpenBSD code for
soren> encryption hardware support.

soren> As I now have prototypes available of low cost PCI and MiniPCI boards,
soren> moving to production in a couple of weeks, I would like to check up on
soren> the work, as I would really like to see FreeBSD support. The boards are
soren> now supported in OpenBSD 2.9.

soren> Could the responsible person, or anybody who knows, please post or email
soren> a status?

Because FreeBSD's IPsec support comes from KAME, please contact the KAME guys. snap-users@kame.net is a good place.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-security Fri Jun 22 15:03:17 2001
Date: Fri, 22 Jun 2001 15:03:12 -0700
Subject: IPF rule response
Reply-To: ohshutup@zdnetonebox.com
From: "Kris Anderson"
To: freebsd-security@FreeBSD.ORG
Message-Id: <20010622220312.PZQH9852.mta11.onebox.com@onebox.com>

Howdy folks,

I've got a rule in my ipf that is reporting the following to syslog:

<2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21 :21 in via rl0

I have limited understanding, but it looks like some bonehead on the 195. network is doing some sort of goofy ftp thing to my public_if, almost as if it was ftp relaying.

Could somebody unconfuse me as to what this means?

Thanks.

Sincerely,
Kris Anderson
___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, all in one place - sign up today at http://www.zdnetonebox.com

From owner-freebsd-security Fri Jun 22 15:17:58 2001
Message-ID:
In-Reply-To: <20010622220312.PZQH9852.mta11.onebox.com@onebox.com>
Date: Fri, 22 Jun 2001 15:19:13 -0700 (PDT)
From: Mark Hartley
To: Kris Anderson
Subject: RE: IPF rule response
Cc: freebsd-security@FreeBSD.ORG

On 22-Jun-01 Kris Anderson wrote:
> Howdy folks,
>
> I've got a rule in my ipf that is reporting the following to syslog
>
> : <2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21
> :21 in via rl0
>
> I have limited understanding but it looks like that some bonehead on
> the 195. network is doing some sort of goofy ftp thing to my public_if,
> almost as if it was ftp relaying.
>
> Could somebody unconfuse me as to what this means?
>
> Thanks.
>

I get that frequently. My take on it is that it is someone trying to bypass a firewall rule that allows anything from port 21, which some people's firewalls are set to do (since ftp is such a pain to firewall).

Mark.

From owner-freebsd-security Fri Jun 22 15:32:02 2001
Message-ID: <006a01c0fb6b$2d64d830$9865fea9@book>
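An added example, not taken from any message in these threads, that parses the two log formats quoted above (the ipmon line from Michael's scp report and the ipfw syslog line from Kris's report) and applies the two diagnoses given: a blocked inbound TCP packet with ACK set and SYN clear is the return half of a connection this host opened, which a `keep state` on the outbound rule would have passed, and a fresh connection attempt whose source port is 21 is the bypass attempt Mark describes. Addresses other than the two quoted are constructed, and the regexes assume the default ipmon and ipfw log layouts of the period.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ipmon(8) line in the form quoted in the thread:
# 22/06/2001 14:22:12.543474 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007 PR tcp len 20 10240 -AR IN
IPF_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) @\d+:\d+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)$"
)
# ipfw(8) syslog line in the form quoted in the thread; the poster left the
# destination address blank, so it is optional here:
# ipfw: 3 Deny TCP 195.224.212.72:21 :21 in via rl0
IPFW_RE = re.compile(
    r"ipfw: \d+ (?P<action>Deny|Accept) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]*):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    blocked: bool
    inbound: bool
    flags: Optional[str]   # TCP flag letters from ipfilter; None when the format has none


def parse(line: str) -> Optional[Packet]:
    """Normalise one ipfilter or ipfw log line; None for anything else."""
    m = IPF_RE.match(line.strip())
    if m:
        return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      m["proto"].lower(), m["action"] == "b", m["dir"] == "IN",
                      m["flags"] or "")
    m = IPFW_RE.search(line)
    if m:
        return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                      m["proto"].lower(), m["action"] == "Deny", m["dir"] == "in", None)
    return None


def classify(p: Packet) -> Optional[str]:
    """The two explanations offered in the thread, as checks on a blocked inbound TCP packet."""
    if not (p.blocked and p.inbound and p.proto == "tcp"):
        return None
    # ACK set and SYN clear: this cannot open a connection, it is a reply (or RST)
    # to something we sent. A 'keep state' on the outbound rule would have passed it.
    if p.flags is not None and "A" in p.flags and "S" not in p.flags:
        return "stateless-return"
    # A fresh connection attempt whose source port is 21: the trick Mark describes,
    # aimed at rule sets that pass anything "from port 21". ipfw logs no flags,
    # so for that format the source port alone decides.
    if p.sport == 21 and (p.flags is None or ("S" in p.flags and "A" not in p.flags)):
        return "sport21-probe"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, int, int]]:
    """(verdict, source, source port, destination port) for every line that trips a check."""
    out = []
    for line in lines:
        p = parse(line)
        if p is not None:
            verdict = classify(p)
            if verdict:
                out.append((verdict, p.src, p.sport, p.dport))
    return out


# Constructed sample log: the two lines from the thread plus made-up neighbours.
SAMPLE_LOG = """\
22/06/2001 14:22:12.543474 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007 PR tcp len 20 10240 -AR IN
22/06/2001 14:22:15.000001 xl1 @0:21 b 24.1.2.3,22 -> 216.1.2.3,1007 PR tcp len 20 40 -A IN
22/06/2001 14:30:01.000002 xl1 @0:21 b 10.9.8.7,4242 -> 216.1.2.3,23 PR tcp len 20 60 -S IN
22/06/2001 14:31:00.000003 xl1 @0:21 b 10.9.8.7,21 -> 216.1.2.3,21 PR tcp len 20 60 -S IN
22/06/2001 14:32:00.000004 xl1 @0:21 b 10.9.8.7,53 -> 216.1.2.3,53 PR udp len 20 70 IN
<2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21 :21 in via rl0
<2>Jun 22 14:51:35 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21 192.0.2.10:111 in via rl0
<2>Jun 22 14:52:00 /kernel: ipfw: 3 Deny TCP 192.0.2.99:1234 192.0.2.10:23 in via rl0
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```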
From: "alexus"
To: ,
Subject: disable traceroute to my host
Date: Fri, 22 Jun 2001 18:32:10 -0400

is it possible to disable using ipfw so people won't be able to traceroute me?

From owner-freebsd-security Fri Jun 22 16:02:20 2001
Date: Fri, 22 Jun 2001 16:02:17 -0700
Subject: Re: disable traceroute to my host
Reply-To: ohshutup@zdnetonebox.com
From: "Kris Anderson"
To: freebsd-security@freebsd.org
Message-Id: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>

You can put in a rule like

ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0

change FF.FF.FF.FF to the ip address of your outside ip address
change F0 to the interface name of said outside interface

now I don't know about directly blocking traceroutes only, but traceroute does an icmp thing somewhat like ping. Problem is that this will stop all ICMP from coming into the interface from the outside, even ICMP responses. For example, you can traceroute out, but traceroute responses now get blocked (this includes anything that uses ICMP) and do not get back in because they are being blocked by the above rule. Think of it as a one-way mirror.

Now, if anybody knows of a subtler way to allow ICMP out and back in, but keep any externals from coming in, I certainly am one who would like to know.

--
Kris Anderson
ohshutup@zdnetonebox.com - email
(408) 514-2611 ext. 1178 - voicemail/fax

---- "alexus" wrote:
> is it possible to disable using ipfw so people won't be able to traceroute
> me?
>

___________________________________________________________________
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax, all in one place - sign up today at http://www.zdnetonebox.com

From owner-freebsd-security Fri Jun 22 16:04:57 2001
Date: Fri, 22 Jun 2001 16:04:43 -0700
From: Brooks Davis To: alexus Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: disable traceroute to my host Message-ID: <20010622160443.A29783@Odin.AC.HMC.Edu> References: <006a01c0fb6b$2d64d830$9865fea9@book> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <006a01c0fb6b$2d64d830$9865fea9@book>; from ml@db.nexgen.com on Fri, Jun 22, 2001 at 06:32:10PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 22, 2001 at 06:32:10PM -0400, alexus wrote: > is it possible to disable using ipfw so people won't be able to traceroute > me? Not really. Traceroute works be setting the hop count of an IP packet very low so that it gets an ICMP error message back from each router along the way. You might be able to set things up to hide your internal network by not changing the hop count when packets pass through your routers, but that's it. You can do this with FreeBSD, but I can't seem to find the option at the moment. -- Brooks --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --SUOF0GtieIMvvwua Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE7M88KXY6L6fI4GtQRAqR7AKDgnrbxfpT4icvohMnVDBu5hU4sYwCeIqgj aYLX0YMylpTstOWtQy7mqRc= =I1nE -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 16: 7:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.interactivate.com (mail.interactivate.com [63.141.73.15]) by hub.freebsd.org (Postfix) with ESMTP id 7B12C37B401 for ; Fri, 22 Jun 2001 16:07:26 -0700 (PDT) (envelope-from larry@interactivate.com) Received: (from root@localhost) by mail.interactivate.com (8.11.1/8.11.1) id f5MN8Q222871; Fri, 22 Jun 2001 16:08:26 -0700 (PDT) (envelope-from larry@interactivate.com) Received: from [192.168.1.21] (bofh [63.141.73.10]) by mail.interactivate.com (8.11.1/8.11.1av) with ESMTP id f5MN8JS22860; Fri, 22 Jun 2001 16:08:20 -0700 (PDT) (envelope-from larry@interactivate.com) Date: Fri, 22 Jun 2001 16:08:49 -0700 
From: Lawrence Sica To: ohshutup@zdnetonebox.com, freebsd-security@freebsd.org Subject: Re: disable traceroute to my host Message-ID: <24425762.993226129@[192.168.1.21]> In-Reply-To: <20010622230217.JKT10107.mta05.onebox.com@onebox.com> References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com> X-Mailer: Mulberry/2.1.0a5 (Win32 Demo) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
--On Friday, June 22, 2001 4:02 PM -0700 Kris Anderson wrote: > Now, if anybody knows of a more subtler way to allow ICMP out and back > in, but keep any externals from coming in I certainly am one who would > like to know. man 8 ipfw If you search for icmp you'll find the listing on icmptypes. You can specify what icmp to block and let through... --Larry
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 18:24:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 5A7D037B407 for ; Fri, 22 Jun 2001 18:24:40 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.11.3/8.9.3) with ESMTP id f5N1NUM05844; Fri, 22 Jun 2001 22:23:30 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Fri, 22 Jun 2001 22:23:30 -0300 (ART)
From: Fernando Gleiser To: alexus Cc: Subject: Re: disable traceroute to my host In-Reply-To: <006a01c0fb6b$2d64d830$9865fea9@book> Message-ID: <20010622221554.K5703-100000@cactus.fi.uba.ar> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
On Fri, 22 Jun 2001, alexus wrote: > is it possible to disable using ipfw so people won't be able to traceroute > me? I don't know if it is possible with ipfw, but with ip filter you can add a rule to block any packets with ttl=1:

block in log quick on xl0 ttl 1 proto ip all

That will stop windows traceroute (icmp based) as well as unix traceroute (udp based). Unix traceroute uses udp packets with destination port > 33434, but this can be changed. As far as I know, the only way to stop traceroute is to drop any packet with ttl=1. This might block legitimate traffic, but I haven't seen any packet in the wild with ttl=1 which was not a traceroute. Hope this helps. Fer
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 20:12:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from roulen-gw.morning.ru (roulen-gw.morning.ru [195.161.98.242]) by hub.freebsd.org (Postfix) with ESMTP id 93D2E37B406; Fri, 22 Jun 2001 20:12:42 -0700 (PDT) (envelope-from poige@morning.ru) Received: from NIC1 (seven.ld [192.168.11.7]) by roulen-gw.morning.ru (Postfix) with ESMTP id 0C31C25; Sat, 23 Jun 2001 11:12:41 +0800 (KRAST) Date: Sat, 23 Jun 2001 11:13:08 +0700
From: Igor Podlesny X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091 Organization: Morning Network X-Priority: 3 (Normal) Message-ID: <13760134158.20010623111308@morning.ru> To: "alexus" Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: disable traceroute to my host In-Reply-To: <006a01c0fb6b$2d64d830$9865fea9@book> References: <006a01c0fb6b$2d64d830$9865fea9@book> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
> is it possible to disable using ipfw so people won't be able to traceroute > me? Yes, of course. You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, since you seem to be connected ;) but it should also be mentioned that the man pages coming with FreeBSD (and, I guess, with other *NIX-like OSes) also describe the algorithm. So man traceroute says that it uses udp ports starting with 33434 and going up with every new hop, but this could be easily changed with the -p option. Besides, windows' tracert works using the icmp protocol, so the decision isn't here. It lies in what the box does when answering them. It sends a 'time exceeded in-transit' icmp message because the TTL value is set too low to let the packet jump forward. So that is the answer: you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY, because if your box is a gateway other people will notice your cutting-edge knowledge, since it will hide not only your host ;) This is not the end, alas. Unix traceroute will wait for a port unreachable icmp, so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp echo reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out how by yourself now. P.S. There are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter). Read the man pages, man, they are freely available... -- Igor mailto:poige@morning.ru http://poige.nm.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 22 22: 7:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 236EF37B401 for ; Fri, 22 Jun 2001 22:07:49 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.247.142.199.Dial1.SanJose1.Level3.net [209.247.142.199]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id WAA16974; Fri, 22 Jun 2001 22:07:46 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.3/8.11.3) id f5N596M02378; Fri, 22 Jun 2001 22:09:06 -0700 (PDT) (envelope-from cjc) Date: Fri, 22 Jun 2001 22:09:05 -0700
From: "Crist J. Clark" To: Michael Richards Cc: rsimmons@wlcg.com, freebsd-security@FreeBSD.ORG Subject: Re: Letting scp through a firewall using ipfilter Message-ID: <20010622220905.B2061@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B33A1E2.0001E7.78308@frodo.searchcanada.ca>; from michael@fastmail.ca on Fri, Jun 22, 2001 at 03:52:02PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 22, 2001 at 03:52:02PM -0400, Michael Richards wrote: > > Are you keeping state on the connection? > > Yes, this was the problem with the ssh, but I'm concerned about the > rules to solve the problem I came up with. Here are the rules: > > pass out quick on xl1 proto tcp from 216.1.2.3/28 to any keep > state > pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 22 > pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 80 > pass in quick on xl1 proto tcp from any to 216.1.2.3/28 port = 443 > block in log quick on xl1 proto tcp from any to 216.1.2.3/28 This is not your complete ruleset. I wonder if something is happening before you reach that keep state rule. Also, the log of the dropped packet we saw was a RST packet. The connection looked like it was having problems without the firewall getting in the way. -- Crist J. 
Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 23 4:35:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 472FB37B401 for ; Sat, 23 Jun 2001 04:35:56 -0700 (PDT) (envelope-from roam@ringworld.nanolink.com) Received: (qmail 66570 invoked by uid 1000); 23 Jun 2001 11:34:19 -0000 Date: Sat, 23 Jun 2001 14:34:19 +0300 
From: Peter Pentchev To: Fernando Gleiser Cc: alexus , freebsd-security@FreeBSD.ORG Subject: Re: disable traceroute to my host Message-ID: <20010623143419.A29940@ringworld.oblivion.bg> Mail-Followup-To: Fernando Gleiser , alexus , freebsd-security@FreeBSD.ORG References: <006a01c0fb6b$2d64d830$9865fea9@book> <20010622221554.K5703-100000@cactus.fi.uba.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010622221554.K5703-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Fri, Jun 22, 2001 at 10:23:30PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote: > On Fri, 22 Jun 2001, alexus wrote: > > > is it possible to disable using ipfw so people won't be able to traceroute > > me? > > I don't know if it is posible with ipfw, but with ip filter you can add > a rule to block any packets with ttl=1: > > block in log quick on xl0 ttl 1 proto ip all > > That will stop windows traceroute (icmp based) as well as unix traceroute > (udp based). > > Unix traceroute uses udp packets with destination port > 33434, but this can > be changed. As far as I know, the only way to stop traceroute is to drop > any packet with ttl=1. This might block legitimate trafic, but I haven't > seen any packet in the wild with ttl=1 wich was not a traceroute. This shall only stop traceroutes destined for this particular machine. If you tried this on a firewall/gateway machine, it would block the response from the gateway itself, but the internal machines would still respond. The response from Igor Podlesny in the thread contains a much more effective approach, which might block a bit too much, but it would certainly block traceroutes. 
Oh and BTW, blocking all packets with ttl=1 could block some legitimate packets that have simply gone down the long and winding road, and stopped at too many auberges to rest along the way :) G'luck, Peter -- If wishes were fishes, the antecedent of this conditional would be true. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 23 10:20:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from supernova.dimensional.com (supernova.dimensional.com [206.124.0.11]) by hub.freebsd.org (Postfix) with ESMTP id 330A337B405; Sat, 23 Jun 2001 10:20:24 -0700 (PDT) (envelope-from valence@symboliq.org) Received: from flatland.dimensional.com (valence@flatland.dimensional.com [206.124.0.24]) by supernova.dimensional.com (8.11.2/8.11.2) with ESMTP id f5NHKG912417; Sat, 23 Jun 2001 11:20:16 -0600 (MDT) Date: Sat, 23 Jun 2001 11:20:23 -0600 (MDT) 
From: valence X-Sender: valence@flatland.dimensional.com To: alexus Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: disable traceroute to my host In-Reply-To: <006a01c0fb6b$2d64d830$9865fea9@book> Message-ID: X-LOST: Will Always Be X-RATED: Oh Yeah Baby! X-Files: The Truth is Out There X-MEN: Wolverine MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
http://www.lovric.net/antiroute On Fri, 22 Jun 2001, alexus wrote: > is it possible to disable using ipfw so people won't be able to traceroute > me?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 23 12:33:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from frosty.jewfish.net (cc773863-a.flushing1.mi.home.com [65.10.192.33]) by hub.freebsd.org (Postfix) with ESMTP id DE49137B406; Sat, 23 Jun 2001 12:33:05 -0700 (PDT) (envelope-from jewfish@jewfish.net) Received: from jewfish.net (lucy.jewfish.net [172.17.254.15]) by frosty.jewfish.net (8.11.3/8.11.3) with ESMTP id f5NJWRF43757; Sat, 23 Jun 2001 15:32:28 -0400 (EDT) (envelope-from jewfish@jewfish.net) Message-ID: <3B34EEC8.9010606@jewfish.net> Date: Sat, 23 Jun 2001 15:32:24 -0400
From: Jewfish User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.1) Gecko/20010607 Netscape6/6.1b1 X-Accept-Language: en-us MIME-Version: 1.0 To: Igor Podlesny Cc: alexus , freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: disable traceroute to my host References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> Content-Type: multipart/alternative; boundary="------------060909000703080703070904" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules. Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote: >>is it possible to disable using ipfw so people won't be able to traceroute >>me? >> > >Yes, of course. > >You should know how do traceroute-like utilities work. > >The knowledge can be easily extracted from a lot of sources, for e.g.
>from Internet, cause you seem to be connected ;) but, it also should >be mentioned that man pages coming with FreeBSD (I guess as well as >with other *NIX-likes OSes) also describe the algo. > >so man traceroute says, that it uses udp ports starting with 33434 and >goes up with every new hop. but this could be easily changed with -p >option. Besides, windows' tracert works using icmp proto, so the >decision isn't here. It lies in what does the box do when answering to >them. It does send 'time exceeded in-transit' icmp message cause TTL >value is set too low to let the packet jump forward. So it is the >answer -- you should disallow it with your ipfw. for e.g. using such >syntax: > >deny icmp from any to any icmptype 11 > >(yeah, you should carefully think about whether or not to use ANY >cause if you're box is a gateway other people will notice your >cutting-edge knowledge cause it will hide not only your host ;) > >This is not the end, alas. unix traceroute will wait for port unreach >icmp so after meeting, it stops and displays the end-point of your >trace. Windows' tracert will wait for normal icmp-echo-reply for the >same purpose. So if you also wish to hide the end point, you need to >disallow this also. I bet you can figure out the way how by yourself, >now. > >P.S. there are also other ways (even more elegant) of doing that in >practice... they called 'stealth routing' and can be implemented via >FreeBSD kernel mechanism (sysctl + built-in kernel support) or with >ipf (ipfilter) > >read the man pages, man, they are freely available... >
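The rule sets traded above (Fernando's ipf `ttl 1` block, Igor's `deny icmp from any to any icmptype 11`, Peter's gateway-versus-host distinction and James's allow-list) can be checked against a model of how a tracer actually builds its output. The following Python is an added example written for this page, not code from any of the posters or from FreeBSD: it sends simulated probes with TTL 1, 2, 3, ... along a constructed four-hop path (an upstream router, a gateway, an inner router and the target; the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation prefixes chosen here) and applies a simplified stateless filter at each hop. The `Policy` fields, the hop names and the `probe`/`trace` functions are this example's own, and the filter semantics are a model of the ipfw/ipf behaviour the thread describes, not a parser for real rules.

```python
"""Model of traceroute probes meeting ipfw/ipf-style filters.

Added example for this page, not code from the thread or from FreeBSD.
Unix traceroute sends UDP probes to high ports with TTL 1, 2, 3, ...;
Windows tracert sends ICMP echo requests the same way. Routers that
expire the TTL answer with ICMP type 11, the target answers with type 3
(port unreachable) or type 0 (echo reply). Every hop below carries a
simplified stateless policy standing in for the rules discussed above.
The path, addresses and policies are constructed for illustration.
"""
from dataclasses import dataclass, field

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Policy:
    """icmp_out: ICMP types allowed to leave the hop's external interface,
    whether generated locally or forwarded (ipfw's
    `deny icmp from any to any icmptype 11` matches both).
    accept_echo: inbound echo requests are delivered to the host.
    drop_ttl1: ipf's `block in quick on xl0 ttl 1 proto ip all`."""
    icmp_out: frozenset = frozenset({ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED})
    accept_echo: bool = True
    drop_ttl1: bool = False


@dataclass
class Hop:
    addr: str
    policy: Policy = field(default_factory=Policy)


OPEN = Policy()
DENY_11 = Policy(icmp_out=frozenset({ECHO_REPLY, DEST_UNREACH}))   # Igor's first rule
DENY_11_3_0 = Policy(icmp_out=frozenset())                          # Igor, endpoint hidden too
JEWFISH = Policy(icmp_out=frozenset(), accept_echo=False)           # James's allow-list
TTL1_DROP = Policy(drop_ttl1=True)                                  # Fernando's ipf rule


def build_path(gw: Policy, host: Policy) -> list:
    """Constructed path seen from the tracer: upstream router, gateway,
    inner router, target host (documentation prefixes, not real networks)."""
    return [Hop("198.51.100.1"), Hop("203.0.113.1", gw),
            Hop("192.0.2.1"), Hop("192.0.2.10", host)]


def probe(path: list, kind: str, ttl: int):
    """One probe ('udp' or 'icmp') with the given TTL. Returns the address of
    the hop whose ICMP response reaches the tracer, or None (printed as '*')."""
    for i, hop in enumerate(path):
        pol = hop.policy
        if pol.drop_ttl1 and ttl == 1:
            return None                          # dropped on arrival, no error sent
        if i == len(path) - 1:                   # delivered locally: no TTL check
            if kind == "icmp" and not pol.accept_echo:
                return None
            reply = ECHO_REPLY if kind == "icmp" else DEST_UNREACH
        else:
            ttl -= 1
            if ttl > 0:
                continue                         # forwarded to the next hop
            reply = TIME_EXCEEDED                # TTL expired here
        # The reply must be allowed out of this hop and through every hop
        # between it and the tracer.
        if all(reply in path[j].policy.icmp_out for j in range(i + 1)):
            return hop.addr
        return None
    return None


def trace(path: list, kind: str, max_hops: int = 6) -> list:
    """Raise the TTL until the target answers or max_hops is reached.
    Returns [(ttl, responder or None), ...], one entry per output line."""
    rows = []
    for ttl in range(1, max_hops + 1):
        who = probe(path, kind, ttl)
        rows.append((ttl, who))
        if who == path[-1].addr:
            break
    return rows


def show(title: str, gw: Policy, host: Policy) -> None:
    path = build_path(gw, host)
    print("== " + title)
    for kind in ("udp", "icmp"):
        print("  %-4s %s" % (kind, " ".join(who or "*" for _, who in trace(path, kind))))


if __name__ == "__main__":
    show("no filtering", OPEN, OPEN)
    show("ipf ttl=1 block on the target only", OPEN, TTL1_DROP)
    show("ipfw deny icmptype 11 on the gateway", DENY_11, OPEN)
    show("gateway also denies types 3 and 0", DENY_11_3_0, OPEN)
    show("James's allow-list on the target", OPEN, JEWFISH)
```

Running it prints one line per probe style and scenario. Two of the results are worth checking against the thread. With the `ttl 1` block only on the target, the next probe arrives with ttl=2, is accepted, and the target answers normally, so the trace shows one `*` line and then the target one hop later; the rule hides nothing, it shifts the last line. Denying only type 11 on the gateway blanks the gateway and every intermediate hop behind it, but the target's port unreachable (type 3) and echo reply (type 0) still pass, so the endpoint appears unless those are denied as well, which is what James's outbound allow-list of type 8 alone achieves on the host itself.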
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 23 15: 1:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from cx175057-a.ocnsd1.sdca.home.com (cx175057-a.ocnsd1.sdca.home.com [24.13.23.40]) by hub.freebsd.org (Postfix) with ESMTP id 4484937B405; Sat, 23 Jun 2001 15:01:06 -0700 (PDT) (envelope-from bri@sonicboom.org) Received: from Brian (cx175057-b.ocnsd1.sdca.home.com [24.13.23.147]) by cx175057-a.ocnsd1.sdca.home.com (8.11.1/8.11.1) with SMTP id f5NM0kA32665; Sat, 23 Jun 2001 15:00:46 -0700 (PDT) (envelope-from bri@sonicboom.org) Message-ID: <003d01c0fc30$053716a0$3324200a@sonicboom.org> From: "Brian" To: "Jewfish" , "Igor Podlesny" Cc: "alexus" , , References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> Subject: Re: disable traceroute to my host Date: Sat, 23 Jun 2001 15:01:07 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_003A_01C0FBF5.54B0B500" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
Aren't u leaving out some details, like for example windows tracert is icmp based, whereas unix traces are udp..
Bri

----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 12:32 PM
Subject: Re: disable traceroute to my host

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules. Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote: is it possible to disable using ipfw so people won't be able to traceroute me? Yes, of course. You should know how do traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, for e.g. from Internet, cause you seem to be connected ;) but, it also should be mentioned that man pages coming with FreeBSD (I guess as well as with other *NIX-likes OSes) also describe the algo. so man traceroute says, that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with -p option. Besides, windows' tracert works using icmp proto, so the decision isn't here. It lies in what does the box do when answering to them. It does send 'time exceeded in-transit' icmp message cause TTL value is set too low to let the packet jump forward. So it is the answer -- you should disallow it with your ipfw. for e.g. using such syntax: deny icmp from any to any icmptype 11 (yeah, you should carefully think about whether or not to use ANY cause if you're box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;) This is not the end, alas. unix traceroute will wait for port unreach icmp so after meeting, it stops and displays the end-point of your trace. Windows' tracert will wait for normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now. P.S. there are also other ways (even more elegant) of doing that in practice... they called 'stealth routing' and can be implemented via FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter) read the man pages, man, they are freely available...
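Brian's point about the two probe styles, and Igor's about what the tracer waits for, both come down to the contents of the ICMP error the router or the target sends back. The following Python is an added example written for this page, not code from the thread or from any traceroute implementation. It builds the two kinds of probe (a UDP datagram to a port in traceroute's 33434-and-up range, and an ICMP echo request as tracert sends), wraps each in a router's Time Exceeded or a target's Port Unreachable message in the shape RFC 792 specifies (type, code, checksum, four unused bytes, then the original IPv4 header and the first eight bytes of its payload), and parses the result to recover which probe it answers. Addresses, ports and identifiers are constructed here; the IPv4 header is minimal (no options, zero header checksum) because nothing is ever put on the wire.

```python
"""Build and parse the ICMP errors that traceroute listens for.

Added example for this page, not code from the thread or from any real
traceroute. A router that expires a probe's TTL sends ICMP type 11 (Time
Exceeded); the target host answering a UDP probe to an unused port sends
type 3 code 3 (Port Unreachable). Both quote the original IPv4 header plus
the first 8 bytes of its payload (RFC 792), which is how the tracer matches
the error to its probe. All addresses, ports and ids are made up.
"""
import struct

ICMP, UDP = 1, 17                       # IPv4 protocol numbers
ECHO_REQUEST, DEST_UNREACH, TIME_EXCEEDED = 8, 3, 11
TRACEROUTE_BASE_PORT = 33434            # default base port of traceroute(8)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left 0, nothing is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, ip_bytes(src), ip_bytes(dst))


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Unix traceroute style probe: UDP to a high port with a tiny payload."""
    payload = b"\0" * 4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, UDP, ttl, len(udp)) + udp


def echo_probe(src: str, dst: str, ident: int, seq: int, ttl: int) -> bytes:
    """Windows tracert style probe: ICMP echo request."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, ICMP, ttl, len(icmp)) + icmp


def icmp_error(sender: str, tracer: str, itype: int, code: int, original: bytes) -> bytes:
    """The error a router (type 11) or target (type 3) returns for `original`:
    type, code, checksum, 4 unused bytes, then the quoted IP header + 8 bytes."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + original[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(sender, tracer, ICMP, 64, len(body)) + body


def parse_icmp_error(packet: bytes) -> dict:
    """Decode an IPv4/ICMP error and identify the probe it answers.
    Raises ValueError for anything that is not a well-formed type 3 or 11."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    itype, code = icmp[0], icmp[1]
    if itype not in (DEST_UNREACH, TIME_EXCEEDED):
        raise ValueError("ICMP type %d is not an error message" % itype)
    quoted = icmp[8:]                                   # original IP header + 8 bytes
    q_ihl = (quoted[0] & 0x0F) * 4
    first8 = quoted[q_ihl:q_ihl + 8]
    if len(first8) < 8:
        raise ValueError("quoted probe too short")
    info = {"from": ip_str(packet[12:16]), "type": itype, "code": code,
            "probe_dst": ip_str(quoted[16:20])}
    if quoted[9] == UDP:                                # Unix traceroute probe
        sport, dport = struct.unpack_from("!HH", first8)
        info.update(probe="udp", sport=sport, dport=dport,
                    traceroute_port=dport >= TRACEROUTE_BASE_PORT)
    elif quoted[9] == ICMP and first8[0] == ECHO_REQUEST:   # tracert probe
        ident, seq = struct.unpack_from("!HH", first8, 4)
        info.update(probe="icmp-echo", ident=ident, seq=seq)
    else:
        info.update(probe="other", proto=quoted[9])
    return info


def is_valid_icmp_error(packet: bytes) -> bool:
    """True if parse_icmp_error accepts the packet, False otherwise."""
    try:
        parse_icmp_error(packet)
        return True
    except ValueError:
        return False
```

Those eight quoted bytes are the whole matching mechanism: for a UDP probe they hold the source and destination ports, for an echo probe the identifier and sequence number, which is why a host that refuses to emit type 3 and type 11, or a gateway that drops them in transit, leaves the tracer with nothing but `*`. The checksum check is there because a truncated or damaged error is discarded by a real stack rather than matched to a probe.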
------=_NextPart_000_003A_01C0FBF5.54B0B500-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 23 21:55:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 6E36037B405 for ; Sat, 23 Jun 2001 21:55:08 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 4748 invoked from network); 24 Jun 2001 04:55:47 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 24 Jun 2001 04:55:47 -0000 Message-ID: <001701c0fc69$de353b10$9865fea9@book> From: "alexus" To: "Brian" , "Jewfish" , "Igor Podlesny" Cc: , References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <003d01c0fc30$053716a0$3324200a@sonicboom.org> Subject: Re: disable traceroute to my host Date: Sun, 24 Jun 2001 00:55:17 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0014_01C0FC48.55A70D30" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0014_01C0FC48.55A70D30 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable up until now i was so sure that tracerroute uses imcp only.. but = apparenatly i was wrong.. 
----- Original Message -----=20 From: Brian=20 To: Jewfish ; Igor Podlesny=20 Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG=20 Sent: Saturday, June 23, 2001 6:01 PM Subject: Re: disable traceroute to my host Arent u leaving out some details, like for example windows tracert is = icmp based, whereas unix traces are udp.. Bri ----- Original Message -----=20 From: Jewfish=20 To: Igor Podlesny=20 Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG=20 Sent: Saturday, June 23, 2001 12:32 PM Subject: Re: disable traceroute to my host These are the rules I have come up with on my own firewall to = disable tracerouting and pinging (something which might not be for = everybody), but allows me to traceroute and pring from the host and = recieve all the responses: allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18 allow icmp from any to any out xmit ep0 icmptype 8 ep0 being, of course, my external interface. This seems to qork = quite well for me. Some other ideas were brought up about denying the = "time-to-live-exceeded" icmptype (11) because of packets that may take a = long time to reach the host. However, this is the easiest method I = could come up with using firewall rules. Obviously, these rules also deny ping traffic, which is not = recommended for everyone. However, I have recently gotten a lot of ping = floods, so I enacted this (possibly on a temporary basis) to deal with = this, while still allowing me to ping out (icmptype 8) and recieve the = replies (icmptype 0). James Igor Podlesny wrote: is it possible to disable using ipfw so people won't be able to = tracerouteme? 
Yes, of course.You should know how do traceroute-like utilities work.The = knowledge can be easily extracted from a lot of sources, for e.g.from = Internet, cause you seem to be connected ;) but, it also shouldbe = mentioned that man pages coming with FreeBSD (I guess as well aswith = other *NIX-likes OSes) also describe the algo.so man traceroute says, = that it uses udp ports starting with 33434 andgoes up with every new = hop. but this could be easily changed with -poption. Besides, windows' = tracert works using icmp proto, so thedecision isn't here. It lies = in what does the box do when answering tothem. It does send 'time = exceeded in-transit' icmp message cause TTLvalue is set too low to = let the packet jump forward. So it is theanswer -- you should disallow = it with your ipfw. for e.g. using suchsyntax:deny icmp from any to any = icmptype 11(yeah, you shou! ld carefully think about whether or not to use ANYcause if you're = box is a gateway other people will notice yourcutting-edge = knowledge cause it will hide not only your host ;)This is not the end, = alas. unix traceroute will wait for port unreachicmp so after = meeting, it stops and displays the end-point of yourtrace. Windows' = tracert will wait for normal icmp-echo-reply for thesame purpose. So = if you also wish to hide the end point, you need todisallow this also. = I bet you can figure out the way how by yourself,now.P.S. there are = also other ways (even more elegant) of doing that inpractice... they = called 'stealth routing' and can be implemented viaFreeBSD kernel = mechanism (sysctl + built-in kernel support) or withipf (ipfilter)read = the man pages, man, they are freely available... ------=_NextPart_000_0014_01C0FC48.55A70D30 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Up until now I was so sure that traceroute uses icmp only... but apparently I was wrong...
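To make the two answers in this thread concrete, here is an added example (not from any of the posters, and not ipfw itself): a small Python model of first-match ICMP rule evaluation, fed with constructed packets for the two traceroute flavours Igor and Brian describe (udp probes from unix traceroute, icmp echo probes from Windows tracert). It assumes Igor's single deny rule is followed by an allow, and that Jewfish's two allow rules are followed by a catch-all icmp deny; both assumptions are marked in the code. The point it shows is which ICMP replies each ruleset lets the box send back, and therefore what a tracer on the far side of ep0 gets to see.

```python
"""Model of how ipfw-style ICMP rules change what a traceroute sees.

Added example for the thread above. Constructed packets and a toy
first-match rule engine; it is not ipfw and does not touch the network.
"""
from dataclasses import dataclass
from typing import List, Optional

# ICMP types named in the thread (RFC 792 numbering).
ICMP_ECHO_REPLY = 0      # what a pinged / tracert'd end host sends back
ICMP_UNREACH = 3         # port unreachable: how unix traceroute spots the end host
ICMP_ECHO = 8            # outgoing ping / Windows tracert probe
ICMP_TIME_EXCEEDED = 11  # "time exceeded in-transit": every intermediate hop


@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp" or "udp"
    direction: str                # "in" (received) or "out" (transmitted)
    iface: str                    # interface, e.g. "ep0"
    icmptype: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: str = "ip"                    # "ip" matches any protocol
    direction: Optional[str] = None      # None = both directions
    iface: Optional[str] = None          # None = any interface
    icmptypes: frozenset = frozenset()   # empty = any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        return True


def verdict(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; the default models ipfw's final deny rule."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


# Jewfish's two rules, followed by an ASSUMED catch-all deny for the rest of ICMP.
JEWFISH = [
    Rule("allow", "icmp", "in", "ep0", frozenset({0, 3, 11, 14, 16, 18})),
    Rule("allow", "icmp", "out", "ep0", frozenset({8})),
    Rule("deny", "icmp"),  # assumption about the remainder of his ruleset
]

# Igor's single rule, followed by an ASSUMED allow for everything else.
IGOR = [
    Rule("deny", "icmp", icmptypes=frozenset({11})),
    Rule("allow"),  # assumption: the box otherwise permits traffic
]


def icmp_reply_type(probe: str, final_hop: bool) -> int:
    """ICMP type a box generates in response to a traceroute probe."""
    if not final_hop:
        return ICMP_TIME_EXCEEDED        # TTL ran out here: any probe gets type 11
    if probe == "udp":                   # unix traceroute: closed high port, type 3
        return ICMP_UNREACH
    if probe == "icmp-echo":             # Windows tracert: echo request, type 0 back
        return ICMP_ECHO_REPLY
    raise ValueError(f"unknown probe kind {probe!r}")


def answers_trace(rules: List[Rule], probe: str, final_hop: bool,
                  iface: str = "ep0") -> bool:
    """Would a tracer beyond `iface` get any reply from a box running `rules`?"""
    if probe == "icmp-echo":
        # An echo probe must first be let in before the box can answer it.
        if verdict(rules, Packet("icmp", "in", iface, ICMP_ECHO)) != "allow":
            return False
    reply = Packet("icmp", "out", iface, icmp_reply_type(probe, final_hop))
    return verdict(rules, reply) == "allow"


if __name__ == "__main__":
    for name, rules in (("Jewfish", JEWFISH), ("Igor", IGOR)):
        for probe in ("udp", "icmp-echo"):
            for final in (False, True):
                hop = "end host" if final else "intermediate hop"
                print(f"{name:8} {probe:9} as {hop:16}: "
                      f"{'visible' if answers_trace(rules, probe, final) else 'hidden'}")
```

Running it shows the difference the thread is arguing about: Igor's rule hides the box as an intermediate hop but still lets unix traceroute (type 3) and tracert (type 0) identify it as the end host, which is the "this is not the end, alas" part of his reply, while Jewfish's rules let nothing but his own outgoing pings leave, at the cost of answering no inbound pings at all.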