From owner-freebsd-security@FreeBSD.ORG Mon Apr 28 11:02:50 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4051637B408 for ; Mon, 28 Apr 2003 11:02:50 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5BD743FBD for ; Mon, 28 Apr 2003 11:02:48 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h3SI2mUp077139 for ; Mon, 28 Apr 2003 11:02:48 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h3SI2m7c077115 for security@freebsd.org; Mon, 28 Apr 2003 11:02:48 -0700 (PDT)
Date: Mon, 28 Apr 2003 11:02:48 -0700 (PDT)
Message-Id: <200304281802.h3SI2m7c077115@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 28 Apr 2003 18:02:50 -0000

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 06:45:39 2003
From: Guy Middleton
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 09:45:37 -0400
Message-ID: <20030430094537.A20710@chaos.obstruction.com>
Subject: how to configure a FreeBSD firewall to pass IPSec?

I have a FreeBSD box acting as a firewall and NAT gateway

I would like to set it up to transparently pass IPSec packets -- I have
an IPSec VPN client running on another machine, connecting to a remote network.

Is there a way to do this?  I can't find any hints in the man pages.

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 06:55:28 2003
From: "David G. Andersen"
To: Guy Middleton
Cc: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 07:55:27 -0600
Message-ID: <20030430075527.A54362@cs.utah.edu>
In-Reply-To: <20030430094537.A20710@chaos.obstruction.com>
References: <20030430094537.A20710@chaos.obstruction.com>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Guy Middleton just mooed:
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this?  I can't find any hints in the man pages.

It's probably using either ipip, esp, or ipencap.  tcpdump the
traffic, and then permit whichever protocol it's using.

  permit esp from foo to bar

  -Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
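The "tcpdump it, then permit what you see" approach above, as an added example that is not part of the thread: a small classifier for tcpdump lines that recognises ISAKMP (UDP 500), UDP-encapsulated NAT-T (UDP 4500, the extra port later replies mention), ESP, AH and ipencap, emits the ipfw allow rules those flows imply, and flags the cases where a NAT in the path will still be a problem. The capture lines are constructed for the example; addresses and the tcpdump output format are assumptions.

```python
import re

# IPv4 address; tcpdump appends ".port" for UDP/TCP, so a 5th dotted field is a port
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: ..."  (UDP/TCP, host.port form)
PORTED_RE = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.(\d+): (\S+)")
# "IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x0000a1b2,seq=0x1), length 116"  (no ports)
RAW_RE = re.compile(rf"IP {IPV4} > {IPV4}: (ESP|AH|IP)\b")

ISAKMP_PORT = 500   # IKE key exchange
NATT_PORT = 4500    # UDP-encapsulated IKE/ESP (NAT-T, RFC 3948)
NATT_TAGS = {"NONESP-encap:", "UDP-encap:"}   # how tcpdump labels port-4500 payloads
RAW_KINDS = {"ESP": "esp", "AH": "ah", "IP": "ipencap"}   # IP protocols 50, 51, 4

# Constructed capture, as if taken on the gateway's inside interface.
SAMPLE_CAPTURE = """\
09:45:37.102 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
09:45:37.240 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident
09:45:38.001 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x0000a1b2,seq=0x1), length 116
09:45:38.050 IP 203.0.113.5 > 192.168.1.10: ESP(spi=0x0000c3d4,seq=0x1), length 116
09:45:39.000 IP 192.168.1.10.49152 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
""".splitlines()


def classify(line):
    """Return (kind, src, dst) for an IPsec-related tcpdump line, else None.
    kind is one of 'isakmp', 'nat-t', 'esp', 'ah', 'ipencap'."""
    m = PORTED_RE.search(line)
    if m:
        src, sport, dst, dport, tag = m.groups()
        ports = {int(sport), int(dport)}
        if tag == "isakmp:" and ISAKMP_PORT in ports:
            return ("isakmp", src, dst)
        if tag in NATT_TAGS and NATT_PORT in ports:
            return ("nat-t", src, dst)
        return None   # ordinary TCP/UDP traffic, not our concern here
    m = RAW_RE.search(line)
    if m:
        src, dst, tag = m.groups()
        return (RAW_KINDS[tag], src, dst)
    return None


def rules_for(lines):
    """Turn a capture into the ipfw allow rules it implies, one per flow seen."""
    flows = sorted({c for c in map(classify, lines) if c})
    rules = []
    for kind, src, dst in flows:
        if kind == "isakmp":
            rules.append(f"allow udp from {src} {ISAKMP_PORT} to {dst} {ISAKMP_PORT}")
        elif kind == "nat-t":
            rules.append(f"allow udp from {src} {NATT_PORT} to {dst} {NATT_PORT}")
        else:   # esp / ah / ipencap carry no ports: match on IP protocol only
            rules.append(f"allow {kind} from {src} to {dst}")
    return rules


def nat_caveats(lines):
    """Checks worth running before trusting the rules when a NAT sits in the path."""
    kinds = {c[0] for c in map(classify, lines) if c}
    notes = []
    if "ah" in kinds:
        notes.append("AH authenticates the outer IP header, so NAT rewriting breaks it")
    if "esp" in kinds and "nat-t" not in kinds:
        notes.append("plain ESP has no ports: a port-based NAT can key only on the "
                     "remote gateway, so expect one inside client per gateway")
    return notes


if __name__ == "__main__":
    for rule in rules_for(SAMPLE_CAPTURE):
        print(rule)
    for note in nat_caveats(SAMPLE_CAPTURE):
        print("note:", note)
```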
From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 11:50:49 2003
From: Lowell Gilbert
To: Guy Middleton
Cc: freebsd-security@freebsd.org
Date: 30 Apr 2003 14:50:44 -0400
Message-ID: <44k7dbn7jv.fsf@be-well.ilk.org>
In-Reply-To: <20030430094537.A20710@chaos.obstruction.com>
References: <20030430094537.A20710@chaos.obstruction.com>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Guy Middleton writes:

> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this?  I can't find any hints in the man pages.

It's impossible.  IPSEC can't be passed through a NAT.

The best you could do would be to terminate the tunnel on the gateway itself.

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 12:04:10 2003
From: Eric Anderson
To: Lowell Gilbert
Cc: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 14:03:58 -0500
Message-ID: <3EB01E1E.1040808@centtech.com>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Lowell Gilbert wrote:
> Guy Middleton writes:
>
>>I have a FreeBSD box acting as a firewall and NAT gateway
>>
>>I would like to set it up to transparently pass IPSec packets -- I have
>>an IPSec VPN client running on another machine, connecting to a remote network.
>>
>>Is there a way to do this?  I can't find any hints in the man pages.
>
> It's impossible.  IPSEC can't be passed through a NAT.
>
> The best you could do would be to terminate the tunnel on the gateway itself.

It actually depends on what is being "ipsec"'ed .. but for most real uses,
you are right..

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
Attitudes are contagious, is yours worth catching?
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 12:34:38 2003
From: Greg White
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 12:35:01 -0700
Message-ID: <20030430123501.A20461@greg.cex.ca>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

On Wed Apr 04/30/03, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this?  I can't find any hints in the man pages.
>
> It's impossible.  IPSEC can't be passed through a NAT.

That totally depends on what the endpoint is, and what the IPSEC client
supports.  Nortel and Cisco (and most other commercial IPSEC device vendors
AFAIK) support this draft:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-05.txt

NAT traversal through IKE is now a reality.  The vendor's documentation will
detail what other ports must be passed, on either side, to fully support
this.  ISTR that it requires an additional UDP port.

I have successfully (and repeatedly) used Nortel VPN client on a NATed host
through a FreeBSD gateway.

--
Greg White

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 12:51:31 2003
From: Matt Piechota
To: Lowell Gilbert
Cc: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 15:52:41 -0400 (EDT)
Message-ID: <20030430154157.U24608@cithaeron.argolis.org>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

On Wed, 30 Apr 2003, Lowell Gilbert wrote:

> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this?  I can't find any hints in the man pages.
>
> It's impossible.  IPSEC can't be passed through a NAT.

Actually, that's not strictly true.  I've done such a thing myself, but with
a trick: I blindly forwarded any packet from the tunnel-server to the client.

The specifics: $WORK uses a Bay (now Nortel) IPSEC VPN server.  It's
configured to do tunnelling, and assign the client a dynamic address.  To do
the forwarding, I set up a line like:

redirect_proto tcp clientip natgwextip vpnserverip
redirect_proto udp clientip natgwextip vpnserverip

in /etc/natd.conf (and set rc.conf to have natd look at that file).  It
worked for me, although I suspect that if someone forged vpnserverip, they
could sneak packets to my client machine.  The client uses nortel's client,
but watching what I could using a sniffer, it looked like a fairly normal
IPSEC connect.

Oddly enough, I was just going to ask how I'd do that forward using ipfw,
ipfw2, or ipfilter, since I use ppp now and not natd.  Or, can I use natd
with ppp if I don't 'ppp -nat ...'?

--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 13:53:53 2003
From: Guy Middleton
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 16:53:48 -0400
Message-ID: <20030430165348.A23754@chaos.obstruction.com>
In-Reply-To: <44k7dbn7jv.fsf@be-well.ilk.org>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> Guy Middleton writes:
>
> > I have a FreeBSD box acting as a firewall and NAT gateway
> >
> > I would like to set it up to transparently pass IPSec packets -- I have
> > an IPSec VPN client running on another machine, connecting to a remote network.
> >
> > Is there a way to do this?  I can't find any hints in the man pages.
>
> It's impossible.  IPSEC can't be passed through a NAT.
>
> The best you could do would be to terminate the tunnel on the gateway itself.

Ok, now I'm confused.  The same client (Cisco VPN 3.5 on Windows) works
through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
The LinkSys even has a friendly little check-box to allow IPSec pass-through.

I would like the FreeBSD gateway to work the same way as the LinkSys.

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 15:13:23 2003
From: Tillman
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 16:13:54 -0600
Message-ID: <20030430161354.I1447@seekingfire.com>
In-Reply-To: <20030430165348.A23754@chaos.obstruction.com>
References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <20030430165348.A23754@chaos.obstruction.com>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

On Wed, Apr 30, 2003 at 04:53:48PM -0400, Guy Middleton wrote:
> On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> > Guy Middleton writes:
> >
> > > I have a FreeBSD box acting as a firewall and NAT gateway
> > >
> > > I would like to set it up to transparently pass IPSec packets -- I have
> > > an IPSec VPN client running on another machine, connecting to a remote network.
> > >
> > > Is there a way to do this?  I can't find any hints in the man pages.
> >
> > It's impossible.  IPSEC can't be passed through a NAT.
> >
> > The best you could do would be to terminate the tunnel on the gateway itself.
>
> Ok, now I'm confused.  The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
>
> I would like the FreeBSD gateway to work the same way as the LinkSys.

Cisco VPN has an option to encapsulate the tunnel in UDP packets.  You'll
want to find out which UDP port is being used and ensure that it's NATed.

- Tillman

--
The prayer of the monk is not perfect until he no longer recognizes himself
or the fact that he is praying.
	- St. Anthony

From owner-freebsd-security@FreeBSD.ORG Wed Apr 30 15:33:39 2003
From: Chris Kesler
To: freebsd-security@freebsd.org
Date: Wed, 30 Apr 2003 17:34:32 -0500 (CDT)
In-Reply-To: <20030430190041.1297337B405@hub.freebsd.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Guy Middleton wrote:
>
> I have a FreeBSD box acting as a firewall and NAT gateway
>
> I would like to set it up to transparently pass IPSec packets -- I have
> an IPSec VPN client running on another machine, connecting to a remote network.
>
> Is there a way to do this?  I can't find any hints in the man pages.
>
> ------------------------------

Guy,

I do this on my FreeBSD firewall, using IPF and IPNAT.  I have Nortel's
Extranet Access Client on a PC.  I use it to connect to a Nortel Contivity
VPN switch at work.  I figured that, if any off-the-shelf broadband router
can do it, then I should be able to do it.  It took some time and patience
and a lot of packet captures, but I got it.

There are two types of traffic that you must allow to pass through.
ISAKMP, which is UDP port 500.  And ESP, which is IP protocol 50.  I'm not
sure if the following is true for all IPSec implementations, but in my
case, the VPN switch at the office would drop the ISAKMP packet unless it
was both sourced and destined for UDP 500.

After I added these two rules to my /etc/ipnat.rules file, I have been able
to connect to my work via VPN.

###################################
# For VPN key exchange, must be UDP 500 for both source and destination
###################################
map xl0 from 192.168.1.0/24 port = isakmp to any port = isakmp -> 0/32

###################################
# Catchall for non-TCP and non-UDP, i.e. ICMP, and ESP for VPN
###################################
map xl0 192.168.1.0/24 -> 0/32

Of course, you'll have to allow both these types of traffic into your
private LAN.  In my case, I did not require additional rules in my
ipf.rules file, because I already allow all Internet bound traffic from my
private LAN to go out.  And the return traffic is allowed in, thanks to the
"keep state" feature of IPFilter.

Good luck!

-Chris

From owner-freebsd-security@FreeBSD.ORG Thu May 1 04:29:08 2003
From: "V.M.Smith"
To: freebsd-security@freebsd.org
Date: 01 May 2003 07:29:04 -0400
Message-Id: <1051788543.641.31.camel@thoreau.sohotech.ca>
In-Reply-To: <20030430190040.A78C937B407@hub.freebsd.org>
References: <20030430190040.A78C937B407@hub.freebsd.org>
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?

Hi,

Looks like you just want client-side "pass-through" functionality.  If this
is correct, try using ipf/ipnat and write a map proxy rule in
/etc/ipnat.rules.  I use this, assuming ipf/ipnat on a dual-homed gateway:

[NOTE: this should appear BEFORE other map entries.]

map -> 0/32 proxy port 500 ipsec/udp

Then make sure your /etc/ipf.rules have appropriate entries to support it.
I use these:

pass in quick on proto 50 from any to any keep state
pass in quick on proto udp from any port = 500 to any keep state

Try using tcpdump on the gateway to determine any additional needs specific
to your implementation and topology.  Set aside some time and be prepared to
tinker...

Hope that helps,
VS
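The disagreement in this thread (Lowell's "IPSEC can't be passed through a NAT", Matt's blind natd redirect, and the ISAKMP-triggered proxy/pass-through that the ipnat rule above and the Linksys check-box provide) comes down to how the NAT decides where an inbound ESP packet belongs. The following is an added model written for this thread, not FreeBSD, ipnat or natd code: it simulates a NAT that learns the ESP owner from outbound IKE against a blind redirect, and shows both the spoofing exposure Matt suspects and the one-client-per-gateway limit of plain ESP. All addresses are constructed.

```python
from dataclasses import dataclass, field

TCP, UDP, ESP = 6, 17, 50
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0   # 0 for protocols without ports (ESP)
    dport: int = 0


@dataclass
class IsakmpTriggeredNat:
    """Outbound ISAKMP to a gateway records which inside host owns that gateway;
    inbound ESP from the gateway is delivered to that host only.  Plain ESP has
    no ports, so the remote gateway address is the only key available."""
    ext_ip: str
    owner: dict = field(default_factory=dict)    # remote gateway -> inside host
    evicted: list = field(default_factory=list)  # inside hosts whose mapping was taken over

    def outbound(self, pkt):
        """Rewrite the source to the external address; learn ESP ownership from IKE."""
        if pkt.proto == UDP and pkt.dport == ISAKMP_PORT:
            prev = self.owner.get(pkt.dst)
            if prev is not None and prev != pkt.src:
                self.evicted.append(prev)   # a second client to the same gateway steals the slot
            self.owner[pkt.dst] = pkt.src
        return Packet(pkt.proto, self.ext_ip, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt):
        """Return the inside host the packet is delivered to, or None if dropped."""
        if pkt.dst != self.ext_ip:
            return None
        inside = self.owner.get(pkt.src)   # no prior IKE from inside: nothing to match
        if inside is None:
            return None
        if pkt.proto == ESP or (pkt.proto == UDP and pkt.sport == ISAKMP_PORT):
            return inside
        return None


@dataclass
class BlindRedirect:
    """The natd 'redirect_proto tcp/udp clientip natgwextip vpnserverip' idea:
    anything of those protocols claiming the server's address goes to the client,
    whether or not the client ever talked to the server."""
    ext_ip: str
    vpnserver: str
    client: str
    protos: frozenset = frozenset({TCP, UDP})

    def inbound(self, pkt):
        if pkt.dst == self.ext_ip and pkt.src == self.vpnserver and pkt.proto in self.protos:
            return self.client
        return None


def scenario():
    """Walk through the thread's cases; returns the delivery outcome of each step."""
    ext, gw, stranger = "192.0.2.1", "203.0.113.5", "198.51.100.9"
    a, b = "192.168.1.10", "192.168.1.11"          # two inside VPN clients
    nat = IsakmpTriggeredNat(ext_ip=ext)
    esp_from_gw = Packet(ESP, gw, ext)
    out = {}
    out["esp_before_ike"] = nat.inbound(esp_from_gw)                    # dropped: no IKE yet
    nat.outbound(Packet(UDP, a, gw, ISAKMP_PORT, ISAKMP_PORT))
    out["esp_after_a_ike"] = nat.inbound(esp_from_gw)                   # delivered to a
    out["esp_from_stranger"] = nat.inbound(Packet(ESP, stranger, ext))  # dropped
    nat.outbound(Packet(UDP, b, gw, ISAKMP_PORT, ISAKMP_PORT))
    out["esp_after_b_ike"] = nat.inbound(esp_from_gw)                   # now b; a's tunnel is dead
    out["evicted"] = list(nat.evicted)
    blind = BlindRedirect(ext_ip=ext, vpnserver=gw, client=a)
    out["blind_udp_before_ike"] = blind.inbound(Packet(UDP, gw, ext, 53, 1234))  # a, no IKE needed
    out["blind_udp_from_stranger"] = blind.inbound(Packet(UDP, stranger, ext, 53, 1234))
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:26s} -> {result}")
```

A forged source address is all the blind redirect checks, which is exactly the exposure Matt describes; the ISAKMP-triggered form needs an outbound exchange first, but still cannot tell two inside clients of the same gateway apart without UDP encapsulation.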
> > ------------------------------ > > Message: 2 > Date: Wed, 30 Apr 2003 07:55:27 -0600 > From: "David G. Andersen" > Subject: Re: how to configure a FreeBSD firewall to pass IPSec? > To: Guy Middleton > Cc: freebsd-security@freebsd.org > Message-ID: <20030430075527.A54362@cs.utah.edu> > Content-Type: text/plain; charset=us-ascii > > Guy Middleton just mooed: > > I have a FreeBSD box acting as a firewall and NAT gateway > > > > I would like to set it up to transparently pass IPSec packets -- I have > > an IPSec VPN client running on another machine, connecting to a remote network. > > > > Is there a way to do this? I can't find any hints in the man pages. > > It's probably using either ipip, esp, or ipencap. tcpdump the > traffic, and then permit whichever protocol it's using. > > permit esp from foo to bar > > -Dave From owner-freebsd-security@FreeBSD.ORG Thu May 1 07:46:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BC6837B41C for ; Thu, 1 May 2003 07:46:16 -0700 (PDT) Received: from obstruction.com (CPE00e018983b2f-CM013349903124.cpe.net.cable.rogers.com [24.157.68.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25A3A43F85 for ; Thu, 1 May 2003 07:46:15 -0700 (PDT) (envelope-from guy@obstruction.com) Received: (from guy@localhost) by obstruction.com (8.9.2/8.9.2) id KAA29079; Thu, 1 May 2003 10:46:14 -0400 (EDT) (envelope-from guy) Date: Thu, 1 May 2003 10:46:14 -0400 From: Guy Middleton To: freebsd-security@freebsd.org Message-ID: <20030501104614.A29056@chaos.obstruction.com> References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <1051788543.641.31.camel@thoreau.sohotech.ca>; from vmsmith@grokking.org on Thu, May 01, 2003 at 07:29:04AM -0400 Subject: Re: how to configure a FreeBSD firewall to 
pass IPSec? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2003 14:46:16 -0000 Thanks to everybody for the suggestions, I'll try them this weekend. The discussion brings up a question: Until now (and as recommended in the Handbook), I have been using ifpw and natd. Everybody here who has IPSec client passthrough working seems to use ifw/ipnat. Is ipf/ipnat more flexible? And why is there more than one firewalling scheme in FreeBSD? From owner-freebsd-security@FreeBSD.ORG Thu May 1 07:46:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3904037B401 for ; Thu, 1 May 2003 07:46:24 -0700 (PDT) Received: from obstruction.com (CPE00e018983b2f-CM013349903124.cpe.net.cable.rogers.com [24.157.68.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFF2143FB1 for ; Thu, 1 May 2003 07:46:22 -0700 (PDT) (envelope-from guy@obstruction.com) Received: (from guy@localhost) by obstruction.com (8.9.2/8.9.2) id KAA29103; Thu, 1 May 2003 10:46:22 -0400 (EDT) (envelope-from guy) Date: Thu, 1 May 2003 10:46:22 -0400 From: Guy Middleton To: freebsd-security@freebsd.org Message-ID: <20030501104614.A29056@chaos.obstruction.com> References: <20030430190040.A78C937B407@hub.freebsd.org> <1051788543.641.31.camel@thoreau.sohotech.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <1051788543.641.31.camel@thoreau.sohotech.ca>; from vmsmith@grokking.org on Thu, May 01, 2003 at 07:29:04AM -0400 Subject: Re: how to configure a FreeBSD firewall to pass IPSec? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2003 14:46:24 -0000 Thanks to everybody for the suggestions, I'll try them this weekend. The discussion brings up a question: Until now (and as recommended in the Handbook), I have been using ifpw and natd. Everybody here who has IPSec client passthrough working seems to use ifw/ipnat. Is ipf/ipnat more flexible? And why is there more than one firewalling scheme in FreeBSD? From owner-freebsd-security@FreeBSD.ORG Thu May 1 12:32:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 313F237B401 for ; Thu, 1 May 2003 12:32:56 -0700 (PDT) Received: from chomsky.sohotech.ca (ottawa-hs-64-26-169-251.s-ip.magma.ca [64.26.169.251]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9CC8D43FB1 for ; Thu, 1 May 2003 12:32:54 -0700 (PDT) (envelope-from vmsmith@grokking.org) Received: from conrad.sohotech.ca (conrad.sohotech.ca [192.168.1.2]) by chomsky.sohotech.ca (8.12.6p2/8.12.6) with ESMTP id h41JWpa4041652 for ; Thu, 1 May 2003 15:32:52 -0400 (EDT) (envelope-from vmsmith@grokking.org) Date: Thu, 1 May 2003 15:32:51 -0400 Message-ID: <7931E2E61A63FB4D9F0DECE73E05C636D227@conrad.sohotech.ca> MIME-Version: 1.0 X-MS-Has-Attach: Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-MS-TNEF-Correlator: Thread-Topic: freebsd-security Digest, Vol 6, Issue 3 Thread-Index: AcMQE/yIAY34aXcpQK6gtAXA6sVWzgAAsVWg X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 From: "V. M. Smith" To: content-class: urn:content-classes:message Subject: RE: how to configure a FreeBSD firewall to pass IPSec? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2003 19:32:56 -0000

Guy:

FWIW, I tried ipfw/natd a few weeks ago but couldn't seem to get it to keep state properly through NAT. Eventually I gave up and turned to ipf/ipnat and have been happy with it ever since.

I thought I read somewhere that ipfw/natd is the more "native" of the two systems and has been a part of FreeBSD for a longer time, but someone more experienced with the OS than myself can probably shed more light on this. Also, I think ipfw has better application for traffic shaping, if that's a feature you want/need. Some claim you can successfully mix the two simultaneously but I'm not familiar (or brave) enough to try :)

VS

------------------------------

Message: 9
Date: Thu, 1 May 2003 10:46:22 -0400
From: Guy Middleton
Subject: Re: how to configure a FreeBSD firewall to pass IPSec?
To: freebsd-security@freebsd.org
Message-ID: <20030501104614.A29056@chaos.obstruction.com>
Content-Type: text/plain; charset=us-ascii

Thanks to everybody for the suggestions, I'll try them this weekend.

The discussion brings up a question: Until now (and as recommended in the Handbook), I have been using ipfw and natd. Everybody here who has IPSec client passthrough working seems to use ipf/ipnat. Is ipf/ipnat more flexible? And why is there more than one firewalling scheme in FreeBSD?
------------------------------

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

End of freebsd-security Digest, Vol 6, Issue 3
**********************************************

From owner-freebsd-security@FreeBSD.ORG Thu May 1 15:35:42 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 824F337B401 for ; Thu, 1 May 2003 15:35:42 -0700 (PDT) Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADD2443FB1 for ; Thu, 1 May 2003 15:35:41 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: from blossom.cjclark.org (12-234-159-107.client.attbi.com[12.234.159.107]) by sccrmhc02.attbi.com (sccrmhc02) with ESMTP id <20030501223540002006js31e>; Thu, 1 May 2003 22:35:40 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.3) with ESMTP id h41MZcki085589; Thu, 1 May 2003 15:35:39 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p1/8.12.8/Submit) id h41MZbYG085588; Thu, 1 May 2003 15:35:37 -0700 (PDT) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Thu, 1 May 2003 15:35:36 -0700 From: "Crist J.
Clark" To: Guy Middleton Message-ID: <20030501223536.GA85493@blossom.cjclark.org> References: <20030430094537.A20710@chaos.obstruction.com> <44k7dbn7jv.fsf@be-well.ilk.org> <20030430165348.A23754@chaos.obstruction.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030430165348.A23754@chaos.obstruction.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-security@freebsd.org Subject: Re: how to configure a FreeBSD firewall to pass IPSec? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 May 2003 22:35:42 -0000

On Wed, Apr 30, 2003 at 04:53:48PM -0400, Guy Middleton wrote:
> On Wed, Apr 30, 2003 at 02:50:44PM -0400, Lowell Gilbert wrote:
> > Guy Middleton writes:
> >
> > > I have a FreeBSD box acting as a firewall and NAT gateway
> > >
> > > I would like to set it up to transparently pass IPSec packets -- I have
> > > an IPSec VPN client running on another machine, connecting to a remote network.
> > >
> > > Is there a way to do this? I can't find any hints in the man pages.
> >
> > It's impossible. IPSEC can't be passed through a NAT.
> >
> > The best you could do would be to terminate the tunnel on the gateway itself.
>
> Ok, now I'm confused. The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
>
> I would like the FreeBSD gateway to work the same way as the LinkSys.

Have you tried it? A Cisco VPN client worked fine for me the first time I tried. Of course, we are using UDP encapsulation. And LinkSys routers have actually been the only thing we've found that manage to break the Cisco clients (the LinkSys "pass-through" was actually breaking it). Funny.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Fri May 2 12:09:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E350B37B401 for ; Fri, 2 May 2003 12:09:24 -0700 (PDT) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE9E543FAF for ; Fri, 2 May 2003 12:09:23 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar) Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.12.3/8.12.3) with ESMTP id h42J6oBn020947; Fri, 2 May 2003 16:06:50 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar) Date: Fri, 2 May 2003 16:06:50 -0300 (ART) From: Fernando Gleiser To: Guy Middleton In-Reply-To: <20030430165348.A23754@chaos.obstruction.com> Message-ID: <20030502160124.Q9299-100000@cactus.fi.uba.ar> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Status: No, hits=-120.1 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, QUOTE_TWICE_1,REPLY_WITH_QUOTES,USER_IN_WHITELIST version=2.53 X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp) cc: freebsd-security@freebsd.org Subject: Re: how to configure a FreeBSD firewall to pass IPSec? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 19:09:25 -0000

On Wed, 30 Apr 2003, Guy Middleton wrote:
>
> Ok, now I'm confused. The same client (Cisco VPN 3.5 on Windows) works
> through a LinkSys router / NAT gateway (a BEFSR81) at a different location.
> The LinkSys even has a friendly little check-box to allow IPSec pass-through.
>
> I would like the FreeBSD gateway to work the same way as the LinkSys.

I have set up both Cisco and Checkpoint VPNs behind a FreeBSD router/firewall running IPFilter using both ESP and UDP encapsulation. It works like a charm. In the ESP case, I have to 'bimap' (one to one NAT) the internal host to an external IP. The UDP encapsulated case worked right out of the box.

Fer

From owner-freebsd-security@FreeBSD.ORG Fri May 2 12:13:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D978037B401 for ; Fri, 2 May 2003 12:13:27 -0700 (PDT) Received: from mail.speakeasy.net (mail11.speakeasy.net [216.254.0.211]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4753C43FCB for ; Fri, 2 May 2003 12:13:27 -0700 (PDT) (envelope-from mario@schmut.com) Received: (qmail 22424 invoked from network); 2 May 2003 19:13:34 -0000 Received: from unknown (HELO schmut.com) ([66.92.219.142]) (envelope-sender ) by mail11.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 2 May 2003 19:13:34 -0000 Received: from 192.168.23.97 (SquirrelMail authenticated user mario@schmut.com) by webmail.schmut.com with HTTP; Fri, 2 May 2003 12:14:38 -0700 (PDT) Message-ID: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> Date: Fri, 2 May 2003 12:14:38 -0700 (PDT) From: "mario" To: X-Priority: 3 Importance: Normal X-Mailer: SquirrelMail (version 1.2.9) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Did i get hacked?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mario@schmut.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 19:13:28 -0000

Hello,

I have a FreeBSD 4.8-PRERELEASE #0 that I use as a gateway / NAT box for my home. It also acts as a DNS / mail server to the outside world. I'm using ipf and basically filter for bogus networks on the way in and out. I allow everything out keeping state, and allow this in:

pass in proto icmp from any to any icmp-type squench group 200
pass in proto icmp from any to any icmp-type timex group 200
pass in proto icmp from any to any icmp-type paramprob group 200
pass in quick proto tcp from any port > 1023 to any port = smtp group 200
pass in quick proto udp from any port > 1023 to any port = domain group 200

On these ports I run qmail and tinydns.

I was a bit sloppy by leaving these without a password, figuring they can't log in anyway:

gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin
gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin
gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin

I've changed this now, though I'm still not sure about the implications of this. Also I'm not running tripwire or any other intrusion detection.

Here's my problem. When I got up this morning, I noticed that the box rebooted at 0:32 this morning. I have 3 other computers that did not reboot, leaving me to believe there was no power failure. I looked through all the logs seeking clues as to what happened. Hardware failure? It is an old P-75 and the hard drive has had issues in UDMA-2 but has been doing fine for months in PIO4 mode. I also have a cron job at 0:30 to move the apache logs to a tmp file, restart apache, sleep 5 minutes and then move the tmp file somewhere where newsyslog can catch it. According to the logs, apache restarted fine but the tmp files never made it anywhere. Again nothing useful in them either.

So if this was a hardware failure (hard drive), then any kernel panic statements probably would not make it to the hard drive. So it would be hard to tell. My question is, what if I got hacked? Would there be any way to find out despite me being totally unprepared for this?

That question really messes with my head. Any pointer and/or clue stick treatments would be greatly appreciated.

thanx

mario;>

---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net

From owner-freebsd-security@FreeBSD.ORG Fri May 2 12:28:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BC3837B401 for ; Fri, 2 May 2003 12:28:17 -0700 (PDT) Received: from mail.speakeasy.net (mail15.speakeasy.net [216.254.0.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id A835C43F85 for ; Fri, 2 May 2003 12:28:16 -0700 (PDT) (envelope-from mario@schmut.com) Received: (qmail 22694 invoked from network); 2 May 2003 19:28:22 -0000 Received: from unknown (HELO schmut.com) ([66.92.219.142]) (envelope-sender ) by mail15.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 2 May 2003 19:28:22 -0000 Received: from 192.168.23.97 (SquirrelMail authenticated user mario@schmut.com) by webmail.schmut.com with HTTP; Fri, 2 May 2003 12:29:27 -0700 (PDT) Message-ID: <4137.192.168.23.97.1051903767.squirrel@webmail.schmut.com> Date: Fri, 2 May 2003 12:29:27 -0700 (PDT) From: "mario" To: In-Reply-To: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> References: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> X-Priority: 3 Importance: Normal X-Mailer: SquirrelMail (version 1.2.9) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit
Subject: Re: Did i get hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mario@schmut.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 19:28:17 -0000

Oh, the mod time on the kernel:

ls -lT
-r-xr-xr-x 1 root wheel 4379563 Mar 27 13:37:08 2003 kernel

....
> So if this was a hardware failure (harddrive), then any kernel panic
> statements probably would not make it to the harddrive. So it would be
> hard to tell. My question is, what if i got hacked? Would there be
> anyway to find out despite me being totally unprepared for this?
> ....

mario;>

---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
Tel: 415-242-3376

From owner-freebsd-security@FreeBSD.ORG Fri May 2 12:40:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A228E37B401 for ; Fri, 2 May 2003 12:40:21 -0700 (PDT) Received: from gigatrex.com (graceland.gigatrex.com [209.10.113.211]) by mx1.FreeBSD.org (Postfix) with SMTP id 0EBA043F85 for ; Fri, 2 May 2003 12:40:20 -0700 (PDT) (envelope-from piechota@argolis.org) Received: (qmail 13170 invoked from network); 2 May 2003 19:40:48 -0000 Received: from unknown (HELO cithaeron.argolis.org) (138.88.116.73) by graceland.gigatrex.com with SMTP; 2 May 2003 19:40:48 -0000 Received: from cithaeron.argolis.org (localhost [127.0.0.1]) h42JffiN035954; Fri, 2 May 2003 15:41:41 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost)h42JffET035951; Fri, 2 May 2003 15:41:41 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Fri, 2 May 2003 15:41:41 -0400 (EDT) From: Matt Piechota To: mario In-Reply-To:
<4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> Message-ID: <20030502153932.I30572@cithaeron.argolis.org> References: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Did i get hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 19:40:21 -0000

On Fri, 2 May 2003, mario wrote:

> So if this was a hardware failure (harddrive), then any kernel panic
> statements probably would not make it to the harddrive. So it would be
> hard to tell. My question is, what if i got hacked? Would there be anyway
> to find out despite me being totally unprepared for this?
>
> That question really messes with my head.
> Any pointer and/or clue stick treatments would be greatly appreciated.

Make sure there's enough space on the temp file location for the apache log files. I've had other OS machines crash when you fill up the root/tmp filesystems.
--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Fri May 2 13:12:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5E5137B401 for ; Fri, 2 May 2003 13:12:02 -0700 (PDT) Received: from smtp-27.ig.com.br (smtp-27.ig.com.br [200.226.132.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 79AD243FBF for ; Fri, 2 May 2003 13:12:01 -0700 (PDT) (envelope-from none@superig.com.br) Received: (qmail 1819 invoked from network); 2 May 2003 20:12:09 -0000 Received: from unknown (HELO superig.com.br) (200.179.208.42) by smtp-27.ig.com.br with SMTP; 2 May 2003 20:12:09 -0000 Message-ID: <3EB2D182.8010209@superig.com.br> Date: Fri, 02 May 2003 17:13:54 -0300 From: Tony Meman User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1 X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Did i get hacked? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 20:12:02 -0000

Hi Mario,

Well, any strange activity in the system should be taken into consideration, so I really think you should audit your system. You said the reboot occurred at 0:32am; it's a good idea to search for files modified around that time. You could use the binary of some trusted system just in case /usr/bin/find got trojaned. You said you did not find anything in the logs; they could have been erased. Use chkrootkit to verify if there are wtmp/lastlog entries that may have been erased.
Chkrootkit is a pretty nice utility and will be able to tell you if there are hidden processes running on the system (comparing output from ps with /proc entries) and search for well-known rootkits. The tool is not perfect but helps a lot, check it out: http://www.chkrootkit.org

Good luck,

--
Marcello Azambuja

mario wrote:
> hello,
> i have a FreeBSD 4.8-PRERELEASE #0 that i use as a gateway / nat box for
> my home.
> It also acts as a dns / mail server to the outside world.
> I'm using ipf and basically filter for bogus networks on the way in and out.
> I allow everything out keeping state,
> and allow this in:
> pass in proto icmp from any to any icmp-type squench group 200
> pass in proto icmp from any to any icmp-type timex group 200
> pass in proto icmp from any to any icmp-type paramprob group 200
> pass in quick proto tcp from any port > 1023 to any port = smtp group 200
> pass in quick proto udp from any port > 1023 to any port = domain group 200
>
> on these ports i run qmail and tinydns
>
> i was a bit sloppy by leaving these w/out a password
> figuring they can't login anyway.
>
> gtinydns::nnnn:nnnn::0:0:tinydns:/nonexistent:/sbin/nologin
> gdnslog::nnnn:nnnn::0:0:dns logger:/nonexistent:/sbin/nologin
> gaxfrdns::nnnn:nnnn::0:0:zone transfer:/nonexistent:/sbin/nologin
>
> I've changed this now though i'm still not sure about the implications of
> this.
> Also i'm not running tripwire or any other intrusion detection.
>
> Here's my problem. When i got up this morning, i noticed that the box
> rebooted
> at 0:32 this morning. I have 3 other computers that did not reboot leaving me
> to believe there was no power failure. I looked through all the logs seeking
> clues as to what happened. Hardware failure? It is an old p-75 and the hard
> drive has had issues in udma-2 but has been doing fine for months in pio4
> mode.
> I also have a cron job at 0:30 to move the apache logs to a tmp file restart
> apache sleep 5 minutes and then move the tmp file somewhere where newsyslog
> can catch it. According to the logs, apache restarted fine but the tmp files
> never made it anywhere. Again nothing useful in them either.
>
> So if this was a hardware failure (harddrive), then any kernel panic
> statements probably would not make it to the harddrive. So it would be
> hard to tell. My question is, what if i got hacked? Would there be anyway
> to find out despite me being totally unprepared for this?
>
> That question really messes with my head.
> Any pointer and/or clue stick treatments would be greatly appreciated.
>
> thanx
>
> mario;>
>

From owner-freebsd-security@FreeBSD.ORG Fri May 2 22:16:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B89A737B401 for ; Fri, 2 May 2003 22:16:32 -0700 (PDT) Received: from mail.speakeasy.net (mail15.speakeasy.net [216.254.0.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25A6043F85 for ; Fri, 2 May 2003 22:16:32 -0700 (PDT) (envelope-from mario@schmut.com) Received: (qmail 28444 invoked from network); 3 May 2003 05:16:45 -0000 Received: from unknown (HELO schmut.com) ([66.92.219.142]) (envelope-sender ) by mail15.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 3 May 2003 05:16:45 -0000 Received: from 192.168.23.97 (SquirrelMail authenticated user mario@schmut.com) by webmail.schmut.com with HTTP; Fri, 2 May 2003 22:17:45 -0700 (PDT) Message-ID: <4653.192.168.23.97.1051939065.squirrel@webmail.schmut.com> Date: Fri, 2 May 2003 22:17:45 -0700 (PDT) From: "mario" To: In-Reply-To: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> References: <4121.192.168.23.97.1051902878.squirrel@webmail.schmut.com> X-Priority: 3 Importance: Normal X-Mailer: SquirrelMail (version 1.2.9) MIME-Version: 1.0 Content-Type: text/plain;
charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Did i get hacked? Resolution. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mario@schmut.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 03 May 2003 05:16:33 -0000

I just wanted to follow up on this. Based on the replies that I got, I ran a find on files modified after midnight and installed and ran chkrootkit from a clean box via NFS. I didn't find any problems, and since this is just a home network I am not going to worry about this any longer. Maybe I'll look into replacement hardware instead.

I also want to thank those who helped me on this with their replies.

thanx

mario;>

---------------------
Do you schmut!? http://www.schmut.com
For a real web site try: House Of Sites http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
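Two of the checks suggested in this thread (look for files whose mtime falls around the reboot, and look for wiped or spliced wtmp records, which is what chkrootkit's chkwtmp does), written out as an added Python example. This is not code from the thread, from FreeBSD or from chkrootkit. It assumes the FreeBSD 4.x i386 wtmp record layout (ut_line[8], ut_name[16], ut_host[16], 32-bit little-endian ut_time, 44 bytes per record), takes 2 May 2003 00:32 PDT as the reboot time given above, and runs over a constructed wtmp byte string and a constructed temporary directory rather than a real system. chkrootkit's ps-versus-/proc comparison for hidden processes is not reproduced here.

```python
"""Post-reboot triage: files touched near the reboot, and wtmp records that
look wiped or rewritten. Added example; the wtmp layout, the reboot time and
all sample data below are assumptions, not facts from the thread."""
import os
import struct
import tempfile

WTMP_RECORD = struct.Struct("<8s16s16si")   # assumed FreeBSD 4.x i386 struct utmp
REBOOT_EPOCH = 1051860720                    # 2003-05-02 00:32 PDT (07:32 UTC)
WINDOW = 15 * 60                             # look 15 minutes either side


def files_modified_between(root, start, end):
    """Paths under root whose mtime lies in [start, end], oldest first.

    Run this with a trusted interpreter, or with the suspect disk mounted
    read-only on a clean box: a trojaned find(1) or ls(1) on the victim can
    hide exactly what you are looking for. lstat() keeps a planted symlink
    from redirecting the walk."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if start <= st.st_mtime <= end:
                hits.append((st.st_mtime, path))
    return [path for _, path in sorted(hits)]


def parse_wtmp(data):
    """Decode raw wtmp bytes into (line, name, host, time) tuples; a trailing
    partial record (truncated file) is dropped rather than guessed at."""
    out = []
    for off in range(0, len(data) - WTMP_RECORD.size + 1, WTMP_RECORD.size):
        line, name, host, t = WTMP_RECORD.unpack_from(data, off)
        out.append(tuple(f.rstrip(b"\0").decode("ascii", "replace")
                         for f in (line, name, host)) + (t,))
    return out


def suspicious_wtmp(records):
    """Flag records that look wiped or spliced, as chkrootkit's chkwtmp does.

    An all-zero record is what log wipers leave when they overwrite an entry
    instead of removing it; a timestamp that goes backwards means something
    rewrote the file out of order. An empty ut_name with a ut_line is a normal
    BSD logout record and is not flagged. This raises questions, it does not
    prove tampering."""
    findings, last_t = [], 0
    for idx, (line, name, host, t) in enumerate(records):
        if not line and not name and not host and t == 0:
            findings.append((idx, "zeroed record"))
            continue
        if t < last_t:
            findings.append((idx, "timestamp goes backwards"))
        last_t = t
    return findings


# Constructed sample wtmp: a login, a wiped record, the reboot, an out-of-order
# root login, and a normal logout.
SAMPLE_WTMP = b"".join([
    WTMP_RECORD.pack(b"ttyp0", b"mario", b"192.168.23.97", REBOOT_EPOCH - 10720),
    WTMP_RECORD.pack(b"", b"", b"", 0),
    WTMP_RECORD.pack(b"~", b"reboot", b"", REBOOT_EPOCH),
    WTMP_RECORD.pack(b"ttyp1", b"root", b"", REBOOT_EPOCH - 5720),
    WTMP_RECORD.pack(b"ttyp1", b"", b"", REBOOT_EPOCH + 480),
])


def build_sample_tree():
    """Constructed stand-in for the victim's filesystem: three files, one of
    them touched two minutes before the reboot. Returns the directory."""
    root = tempfile.mkdtemp(prefix="triage-")
    for name, mtime in (("messages", REBOOT_EPOCH - 2 * 3600),
                        ("kernel", REBOOT_EPOCH - 120),
                        ("cron.log", REBOOT_EPOCH + 3600)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.utime(path, (mtime, mtime))
    return root


def scan_sample_tree():
    """Basenames of sample files modified within WINDOW of the reboot."""
    root = build_sample_tree()
    hits = files_modified_between(root, REBOOT_EPOCH - WINDOW, REBOOT_EPOCH + WINDOW)
    return [os.path.basename(p) for p in hits]


if __name__ == "__main__":
    print("files near reboot:", scan_sample_tree())
    for idx, why in suspicious_wtmp(parse_wtmp(SAMPLE_WTMP)):
        print("wtmp record %d: %s" % (idx, why))
```

Point it at a real system the way mario did, from a clean box with the victim's filesystems mounted read-only over NFS, not from the suspect host's own binaries. Before feeding it a real wtmp, confirm the record size against sizeof(struct utmp) in that system's /usr/include/utmp.h: the 44-byte layout assumed here is specific to FreeBSD 4.x on i386, and a wrong record size turns every entry into noise.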