From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 06:37:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8C7637B401 for ; Mon, 16 Jun 2003 06:37:54 -0700 (PDT) Received: from orion.interexc.com (orion.interexc.com [193.108.123.252]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00C1843F3F for ; Mon, 16 Jun 2003 06:37:53 -0700 (PDT) (envelope-from sat@orion.interexc.com) Received: from orion.interexc.com (localhost [127.0.0.1]) by orion.interexc.com (8.12.9/8.12.9) with ESMTP id h5GDbu2e056135 for ; Mon, 16 Jun 2003 16:37:56 +0300 (EEST) (envelope-from sat@orion.interexc.com) Received: (from sat@localhost) by orion.interexc.com (8.12.9/8.12.9/Submit) id h5GDbuLX056134 for freebsd-security@freebsd.org; Mon, 16 Jun 2003 16:37:56 +0300 (EEST) Date: Mon, 16 Jun 2003 16:37:56 +0300 From: Oleg Shevtsov To: freebsd-security@freebsd.org Message-ID: <20030616133756.GA56119@orion.interexc.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: AC97 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 13:37:55 -0000 Hi, I can't find any LINT file in the /usr/src/sys/i386/conf at my new 5.1 FreeBSD. Can u help me? 
From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 06:56:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BEFC37B401 for ; Mon, 16 Jun 2003 06:56:04 -0700 (PDT) Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9]) by mx1.FreeBSD.org (Postfix) with SMTP id EE8C643F85 for ; Mon, 16 Jun 2003 06:55:59 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 32472 invoked from network); 16 Jun 2003 13:48:59 -0000 Received: from office.sbnd.net (HELO straylight.ringlet.net) (217.75.140.130) by gandalf.online.bg with SMTP; 16 Jun 2003 13:48:58 -0000 Received: (qmail 11311 invoked by uid 1000); 16 Jun 2003 13:58:33 -0000 Date: Mon, 16 Jun 2003 16:58:32 +0300 From: Peter Pentchev To: Oleg Shevtsov Message-ID: <20030616135832.GA436@straylight.oblivion.bg> Mail-Followup-To: Oleg Shevtsov , freebsd-security@freebsd.org References: <20030616133756.GA56119@orion.interexc.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu" Content-Disposition: inline In-Reply-To: <20030616133756.GA56119@orion.interexc.com> User-Agent: Mutt/1.5.4i cc: freebsd-security@freebsd.org Subject: Re: LINT / NOTES [Was: AC97] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 13:56:04 -0000 --sdtB3X0nJg68CQEu Content-Type: text/plain; charset=windows-1251 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 16, 2003 at 04:37:56PM +0300, Oleg Shevtsov wrote: > Hi, > I can't find any LINT file > in the /usr/src/sys/i386/conf > at my new 5.1 FreeBSD. Can u help me? 
Take a look at the 20000621 entry in the src/UPDATING file; you might have to 'cd /sys/i386/conf && make LINT'. G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence was in the past tense. --sdtB3X0nJg68CQEu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE+7c0I7Ri2jRYZRVMRAsSiAJ9bX0rhEfLGsTbx2T3J3L/ZpzWX1QCfYD0W bZ6EBa1JCA6eWXgHFfCmWpM= =iPI3 -----END PGP SIGNATURE----- --sdtB3X0nJg68CQEu-- From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 10:59:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0F44437B401 for ; Mon, 16 Jun 2003 10:59:56 -0700 (PDT) Received: from metafocus.net (cbshost-12-155-142-123.sbcox.net [12.155.142.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7166D43F93 for ; Mon, 16 Jun 2003 10:59:55 -0700 (PDT) (envelope-from mudman@metafocus.net) Received: from metafocus.net (localhost [127.0.0.1]) by metafocus.net (8.12.9/8.12.9) with ESMTP id h5GI32Wx011621 for ; Mon, 16 Jun 2003 11:03:03 -0700 (PDT) (envelope-from mudman@metafocus.net) Received: from localhost (mudman@localhost) by metafocus.net (8.12.9/8.12.9/Submit) with ESMTP id h5GI32Dq011618 for ; Mon, 16 Jun 2003 11:03:02 -0700 (PDT) Date: Mon, 16 Jun 2003 11:03:01 -0700 (PDT) From: Dave To: freebsd-security@freebsd.org Message-ID: <20030616105955.U11598@metafocus.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 17:59:56 -0000 What would be a 
good POP daemon to use? I know there are a few in the mail ports. Are they any good? What I mean by good is 'secure as possible' (is there really such thing as being totally secure / invulnerable?) Cheers From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 11:02:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55D9137B401 for ; Mon, 16 Jun 2003 11:02:57 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 910484401A for ; Mon, 16 Jun 2003 11:02:45 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h5GI2jUp034996 for ; Mon, 16 Jun 2003 11:02:45 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h5GI2j9s034990 for security@freebsd.org; Mon, 16 Jun 2003 11:02:45 -0700 (PDT) Date: Mon, 16 Jun 2003 11:02:45 -0700 (PDT) Message-Id: <200306161802.h5GI2j9s034990@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 18:02:57 -0000 Current FreeBSD problem reports No matches to your query From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 11:06:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F64C37B401 for ; Mon, 16 Jun 2003 11:06:08 
-0700 (PDT) Received: from natto.numachi.com (natto.numachi.com [198.175.254.216]) by mx1.FreeBSD.org (Postfix) with SMTP id 6023E43FB1 for ; Mon, 16 Jun 2003 11:06:07 -0700 (PDT) (envelope-from reichert@numachi.com) Received: (qmail 79398 invoked by uid 1001); 16 Jun 2003 18:06:06 -0000 Date: Mon, 16 Jun 2003 14:06:06 -0400 From: Brian Reichert To: Dave Message-ID: <20030616180606.GL41619@numachi.com> References: <20030616105955.U11598@metafocus.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030616105955.U11598@metafocus.net> User-Agent: Mutt/1.4i cc: freebsd-security@freebsd.org Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 18:06:08 -0000 On Mon, Jun 16, 2003 at 11:03:01AM -0700, Dave wrote: > > What would be a good POP daemon to use? I know there are a few in the > mail ports. Are they any good? I use the popd associated with qmail, FWIW. Qmail unto itself has a great track record for reliability and security. > What I mean by good is 'secure as possible' (is there really such thing as > being totally secure / invulnerable?) > > Cheers -- Brian 'you Bastard' Reichert 37 Crystal Ave. 
#303 Daytime number: (603) 434-6842 Derry NH 03038-1713 USA BSD admin/developer at large From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 11:25:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5FA1E37B401 for ; Mon, 16 Jun 2003 11:25:12 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5CF4C43F75 for ; Mon, 16 Jun 2003 11:25:11 -0700 (PDT) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.9/8.12.9) with ESMTP id h5GIPA1f016232; Mon, 16 Jun 2003 19:25:10 +0100 (BST) (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)h5GIPAJY016231; Mon, 16 Jun 2003 19:25:10 +0100 (BST) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])h5GILtHh090812; Mon, 16 Jun 2003 19:21:55 +0100 (BST) (envelope-from mark@grondar.org) Message-Id: <200306161821.h5GILtHh090812@grimreaper.grondar.org> To: Dave From: markm@freebsd.org In-Reply-To: Your message of "Mon, 16 Jun 2003 11:03:01 PDT." <20030616105955.U11598@metafocus.net> Date: Mon, 16 Jun 2003 19:21:55 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-0.2 required=5.0 tests=IN_REP_TO,NO_REAL_NAME,QUOTED_EMAIL_TEXT version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 18:25:12 -0000 Dave writes: > What would be a good POP daemon to use? I know there are a few in the > mail ports. Are they any good? 
This question is impossible to answer. :-) "Hey! You have CD's! Are any of them any good?" "Of course they are! That's why I bought them??!" > What I mean by good is 'secure as possible' (is there really such thing as > being totally secure / invulnerable?) You need to help folks when asking very open questions like this. 1) What is your threat model? a) What are you trying to protect? b) How badly do your attackers want this? c) How much can you afford for resources to thwart this? 2) What research have you already done? a) You should have knowlege of a set of features and be asking about those. b) you should already know which are blatantly _not_ suitable and why. 3) Why does this question not belong in newbies@/questions@? The use of the word "secure" is not enough. Without pre-empting the above, you won't get useful answers. It's like asking "What car should I get?", without disclosing that you are a family man, and that a Ferrari is useless compared with an RV. M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 12:14:18 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A782D37B401 for ; Mon, 16 Jun 2003 12:14:18 -0700 (PDT) Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9A13B43F75 for ; Mon, 16 Jun 2003 12:14:17 -0700 (PDT) (envelope-from mitch@ccmr.cornell.edu) Received: from saruman.ccmr.cornell.edu (saruman.ccmr.cornell.edu [128.84.249.196])h5GJEGxi020370; Mon, 16 Jun 2003 15:14:16 -0400 Received: from localhost (mitch@localhost)h5GJEGtE022060; Mon, 16 Jun 2003 15:14:16 -0400 X-Authentication-Warning: saruman.ccmr.cornell.edu: mitch owned process doing -bs Date: Mon, 16 Jun 2003 15:14:16 -0400 (EDT) From: Mitch Collinsworth To: Dave In-Reply-To: <20030616105955.U11598@metafocus.net> Message-ID: References: 
<20030616105955.U11598@metafocus.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 19:14:18 -0000 On Mon, 16 Jun 2003, Dave wrote: > What I mean by good is 'secure as possible' (is there really such thing as > being totally secure / invulnerable?) Yes. It's called "not connected to the network, in a bomb-shelter, with an emergency generator, with plenty of fuel". -Mitch From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 15:44:52 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7F3C37B401 for ; Mon, 16 Jun 2003 15:44:52 -0700 (PDT) Received: from jcn1400.jcontinuum.ca (jcn1400.jcontinuum.ca [69.10.137.152]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1133F43FD7 for ; Mon, 16 Jun 2003 15:44:52 -0700 (PDT) (envelope-from jpmichel@jcontinuum.ca) Received: from xerxes (jchome7.no.domain [216.211.52.96]) h5GMhaQn045625 for ; Mon, 16 Jun 2003 18:43:37 -0400 (EDT) (envelope-from jpmichel@jcontinuum.ca) Message-ID: <005001c33458$e44e02b0$0e0ea8c0@xerxes> From: "Justin P. Michel" To: References: <20030616105955.U11598@metafocus.net> Date: Mon, 16 Jun 2003 18:44:43 -0400 Organization: J Continuum MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Justin P. 
Michel" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 22:44:53 -0000 Yeah, but then according to Murphy, your generator will blow up... ----- Original Message ----- From: "Mitch Collinsworth" To: "Dave" Cc: Sent: Monday, June 16, 2003 3:14 PM Subject: Re: POP daemon > > On Mon, 16 Jun 2003, Dave wrote: > > > What I mean by good is 'secure as possible' (is there really such thing as > > being totally secure / invulnerable?) > > Yes. It's called "not connected to the network, in a bomb-shelter, > with an emergency generator, with plenty of fuel". > > -Mitch > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 16:40:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 622A737B404 for ; Mon, 16 Jun 2003 16:40:41 -0700 (PDT) Received: from smtp02.wlv.untd.com (smtp02.wlv.untd.com [209.247.163.58]) by mx1.FreeBSD.org (Postfix) with SMTP id 6ECED43F85 for ; Mon, 16 Jun 2003 16:40:40 -0700 (PDT) (envelope-from idiot1@netzero.net) Received: (qmail 28764 invoked from network); 16 Jun 2003 23:40:37 -0000 Received: from dialup-67.31.212.97.dial1.tampa1.level3.net (HELO netzero.net) (67.31.212.97) by smtp02.wlv.untd.com with SMTP; 16 Jun 2003 23:40:37 -0000 Message-ID: <3EEE5500.50803@netzero.net> Date: Mon, 16 Jun 2003 19:38:40 -0400 From: Kirk Bailey Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: markm@freebsd.org, 
freebsd-security@freebsd.org References: <200306161821.h5GILtHh090812@grimreaper.grondar.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jun 2003 23:40:41 -0000 I rather enjoy the benifits of Qpopper. http://www.eudora.com/qpopper/ markm@freebsd.org wrote: > Dave writes: > >>What would be a good POP daemon to use? I know there are a few in the >>mail ports. Are they any good? > > > This question is impossible to answer. :-) "Hey! You have CD's! Are > any of them any good?" "Of course they are! That's why I bought > them??!" > > >>What I mean by good is 'secure as possible' (is there really such thing as >>being totally secure / invulnerable?) > > > You need to help folks when asking very open questions like this. > > 1) What is your threat model? > a) What are you trying to protect? > b) How badly do your attackers want this? > c) How much can you afford for resources to thwart this? > > 2) What research have you already done? > a) You should have knowlege of a set of features and be asking > about those. > b) you should already know which are blatantly _not_ suitable > and why. > > 3) Why does this question not belong in newbies@/questions@? > The use of the word "secure" is not enough. > > Without pre-empting the above, you won't get useful answers. It's > like asking "What car should I get?", without disclosing that you > are a family man, and that a Ferrari is useless compared with an RV. 
> > M > -- > Mark Murray > iumop ap!sdn w,I idlaH > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > -- end Cheers! Kirk D Bailey think http://www.howlermonkey.net/ +-----+ http://www.tinylist.org/ http://www.listville.net/ | BOX | http://www.sacredelectron.org/ +-----+ "Thou art free"-ERIS think 'Got a light?'-Promethieus . From owner-freebsd-security@FreeBSD.ORG Mon Jun 16 16:49:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E715F37B401 for ; Mon, 16 Jun 2003 16:49:24 -0700 (PDT) Received: from smtp02.wlv.untd.com (smtp02.wlv.untd.com [209.247.163.58]) by mx1.FreeBSD.org (Postfix) with SMTP id 3E96B43FBD for ; Mon, 16 Jun 2003 16:49:24 -0700 (PDT) (envelope-from idiot1@netzero.net) Received: (qmail 10688 invoked from network); 16 Jun 2003 23:49:15 -0000 Received: from dialup-67.31.212.97.dial1.tampa1.level3.net (HELO netzero.net) (67.31.212.97) by smtp02.wlv.untd.com with SMTP; 16 Jun 2003 23:49:15 -0000 Message-ID: <3EEE5705.6020002@netzero.net> Date: Mon, 16 Jun 2003 19:47:17 -0400 From: Kirk Bailey Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Mitch Collinsworth References: <20030616105955.U11598@metafocus.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Mon, 16 Jun 2003 23:49:25 -0000 Pay CAREFUL attention to the firewall and it's rules. Insure ALL ports are closed, or listened to ONLY by their proper daemon. Insure you have up to date software running in the server, and do NOT run anything with the word windows in it, the word is known to bring bad luck. RTFM for your collection of daemons, and insure they have been given carefully thought out instructions and defaults. DO NOT allow something/anything to execute instructions. DO NOT use anything but a VERY recent version of formmail- or better, do not run formmail. Insure the httpd daemon can only access the web directory, and the web directory's cgi-bin, and nothing else. Only use scripts that are carefully checked to avoid bugs, or were checked out by someone else who is knowledgable at the art of peverting a server- or do not permit cgi at all. Although ssi includes are trather safe, DO NOT configure the httpd server to permit running commands, only cgi files- and they only from the web cgi-bin. DO NOT place anything else in that directory except known and trustworthy scripts or compiled programs. INSURE they cannot be written to by the user the httpd server runs as; in fact, insure the directory ITSELF cannot be written to by the httpd identity. THAT IDENTITY MUST NOT BE A PRIVILIGED USER. Carefully learn to understand the idea of identities, groups, and permissions. Learn to love your logs. Learn to sue crackers, they can (with a little luck, they're usually bankrupt losers) be profit centers. Am I being paranoid? . Mitch Collinsworth wrote: > On Mon, 16 Jun 2003, Dave wrote: > > >>What I mean by good is 'secure as possible' (is there really such thing as >>being totally secure / invulnerable?) > > > Yes. It's called "not connected to the network, in a bomb-shelter, > with an emergency generator, with plenty of fuel". 
> > -Mitch > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > -- end Cheers! Kirk D Bailey think http://www.howlermonkey.net/ +-----+ http://www.tinylist.org/ http://www.listville.net/ | BOX | http://www.sacredelectron.org/ +-----+ "Thou art free"-ERIS think 'Got a light?'-Promethieus . From owner-freebsd-security@FreeBSD.ORG Tue Jun 17 09:30:52 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A23137B401 for ; Tue, 17 Jun 2003 09:30:52 -0700 (PDT) Received: from mail8-sh.home.nl (mail8.home.nl [213.51.128.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1638243F75 for ; Tue, 17 Jun 2003 09:30:51 -0700 (PDT) (envelope-from laurens@netric.org) Received: from cp14275a ([217.120.112.14]) by mail8-sh.home.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with SMTP id <20030617163049.SIHP29574.mail8-sh.home.nl@cp14275a> for ; Tue, 17 Jun 2003 18:30:49 +0200 Message-ID: <004601c334ed$d3381f70$0200a8c0@cp14275a> From: "Laurens" To: References: <20030616105955.U11598@metafocus.net> Date: Tue, 17 Jun 2003 18:30:55 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jun 2003 16:30:52 -0000 Have a look at: http://www.openwall.com/popa3d/DESIGN.shtml ----- Original Message ----- From: "Dave" To: Sent: Monday, June 16, 
2003 8:03 PM Subject: POP daemon > > What would be a good POP daemon to use? I know there are a few in the > mail ports. Are they any good? > > What I mean by good is 'secure as possible' (is there really such thing as > being totally secure / invulnerable?) > > Cheers > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Tue Jun 17 09:41:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 34E7F37B401 for ; Tue, 17 Jun 2003 09:41:48 -0700 (PDT) Received: from mx.vipnet.ro (cosmic.vipnet.ro [193.230.219.1]) by mx1.FreeBSD.org (Postfix) with SMTP id 4425643FDD for ; Tue, 17 Jun 2003 09:41:46 -0700 (PDT) (envelope-from vladg@vipnet.ro) Received: (qmail 11541 invoked from network); 17 Jun 2003 16:44:10 -0000 Received: from unknown (HELO rtfm.vipnet.ro) (193.230.219.12) by cosmic.vipnet.ro with SMTP; 17 Jun 2003 16:44:10 -0000 Date: Tue, 17 Jun 2003 19:41:11 +0300 From: Vlad GALU To: freebsd-security@freebsd.org Message-Id: <20030617194111.1e79eb78.vladg@vipnet.ro> In-Reply-To: <004601c334ed$d3381f70$0200a8c0@cp14275a> References: <20030616105955.U11598@metafocus.net> <004601c334ed$d3381f70$0200a8c0@cp14275a> Organization: VipNET Bucharest X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="=.Bp'_dDyxM8MgP_" Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jun 2003 16:41:48 -0000 
--=.Bp'_dDyxM8MgP_ Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 17 Jun 2003 18:30:55 +0200 "Laurens" wrote: > Have a look at: http://www.openwall.com/popa3d/DESIGN.shtml I can't complain about qmail-pop3d either. Does wonders, but you have to use qmail though :) > > ----- Original Message ----- > From: "Dave" > To: > Sent: Monday, June 16, 2003 8:03 PM > Subject: POP daemon > > > > > > What would be a good POP daemon to use? I know there are a few in > > the mail ports. Are they any good? > > > > What I mean by good is 'secure as possible' (is there really such > > thing as being totally secure / invulnerable?) > > > > Cheers > > > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > > > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > -- Vlad GALU Network Administrator VipNET Bucharest tel: 021/3039940 email: vladg@vipnet.ro web: http://www.vipnet.ro PGP: http://mirapoint.vipnet.ro/public_key.pgp --=.Bp'_dDyxM8MgP_ Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE+70SpBQlxy6GegvARAkJ+AJ4q7A6NlrG1XVBIznhvF6DYFN8v6QCgq+AF 8TtE/ln4nxjb1WtWvr/rL4g= =ePWA -----END PGP SIGNATURE----- --=.Bp'_dDyxM8MgP_-- From owner-freebsd-security@FreeBSD.ORG Tue Jun 17 18:50:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1005837B401 for ; Tue, 17 Jun 2003 18:50:02 -0700 (PDT) Received: from Shenton.org (23.ebbed1.client.atlantech.net [209.190.235.35]) by mx1.FreeBSD.org (Postfix) with 
SMTP id EE3E443FBD for ; Tue, 17 Jun 2003 18:50:00 -0700 (PDT) (envelope-from chris@mail.hq.nasa.gov) Received: (qmail 12225 invoked by uid 1000); 18 Jun 2003 01:49:59 -0000 To: Vlad GALU References: <20030616105955.U11598@metafocus.net> <004601c334ed$d3381f70$0200a8c0@cp14275a> <20030617194111.1e79eb78.vladg@vipnet.ro> From: Chris Shenton Date: 17 Jun 2003 21:49:59 -0400 In-Reply-To: <20030617194111.1e79eb78.vladg@vipnet.ro> Message-ID: <878ys09mt4.fsf@PECTOPAH.shenton.org> Lines: 30 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-security@freebsd.org Subject: Re: POP daemon X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jun 2003 01:50:02 -0000 Vlad GALU writes: > I can't complain about qmail-pop3d either. Does wonders, > but you have to use qmail though :) Agreed about qmail's pop3d. All of the qmail suite has a very good history of security. But you don't *have* to use qmail's smtpd and MTA, but you will have to use a Maildir mailbox format -- it's what pop3d reads. You can actually configure sendmail to deliver to Maildirs using the "maildrop" program and I understand recent "procmail" can do this too -- configure sendmail to use these instead of the regular local delivery agent. I prefer qmail but if you feel compelled to use sendmail, this is an option. Also, single-mailbox-file-per-user will *always* be slow for POP users who want to leave a bunch of mail on server. This kills qpopper, ancient or modern versions. Maildir's one-message-per-file makes this easy since it doesn't have to rewrite a big mailbox file all the time. Other MTAs like courier understand Maildir natively. 
And if you're looking for an IMAP server which is Maildir-aware, I like courier's imapd, available separately from the entire courier suite, if you want to combine qmail with courier-imapd. They're all in the ports, /usr/mail/*. From owner-freebsd-security@FreeBSD.ORG Wed Jun 18 06:32:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C6CE937B401 for ; Wed, 18 Jun 2003 06:32:03 -0700 (PDT) Received: from highland.isltd.insignia.com (highland.isltd.insignia.com [195.74.141.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 888CE43FAF for ; Wed, 18 Jun 2003 06:32:02 -0700 (PDT) (envelope-from subscriber@insignia.com) Received: from dailuaine.isltd.insignia.com (dailuaine.isltd.insignia.com [172.16.64.11])h5IDW0BH087187 for ; Wed, 18 Jun 2003 14:32:00 +0100 (BST) (envelope-from subscriber@insignia.com) Received: from tomatin (tomatin [172.16.64.128])h5IDW0D0060086 for ; Wed, 18 Jun 2003 14:32:00 +0100 (BST) (envelope-from subscriber@insignia.com) From: Jim Hatfield To: freebsd-security@freebsd.org Date: Wed, 18 Jun 2003 14:32:00 +0100 Organization: Insignia Solutions Message-ID: References: <3203DF3DDE57D411AFF4009027B8C36744457E@exchange-uk.isltd.insignia.com> In-Reply-To: <3203DF3DDE57D411AFF4009027B8C36744457E@exchange-uk.isltd.insignia.com> X-Mailer: Forte Agent 1.91/32.564 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . 
com / mimedefang) Subject: Re: IPFW: combining "divert natd" with "keep-state" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jun 2003 13:32:04 -0000 On Wed, 11 Jun 2003 13:21:07 +0100, in local.freebsd.security you wrote: >## Example ## >fxp0 =3D external nic >xl0 =3D internal nic >internal network =3D 10.10.10.0/24 >internal traffic NAT'd to 1.2.3.4 > >## handle nat traffic >100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0 >200 divert 8668 ip from any to 1.2.3.4 in via fxp0 > >300 check-state > >## dynamic rules for internal clients access to everything >## needed so un-nat'd return traffic can flow out the=20 >## internal nic to the internal clients >400 allow tcp from 10.10.10.0/24 to any keep-state via xl0 >500 allow udp from 10.10.10.0/24 to any keep-state via xl0 > >## dynamic rules allow natd alias address access to >## external resources >600 allow tcp from 1.2.3.4 to any keep-state out via fxp0 >700 allow udp from 1.2.3.4 to any keep-state out via fxp0 This appears to work but I am at a loss to understand how! If I follow one TCP packet all the way out to the Internet and its reply back to the internal net, there are four ipfw trips: A - request packet incoming on xl0 B - request packet outgoing on fxp0 C - reply packet incoming on fxp0 D - reply packet outgoing on xl0 Trip A matches rule 400 and is accepted, creating a dynamic rule which will match trip D. Trip B first matches rule 100, gets rewritten by natd then matches rule 600 and is sent, creating a dynamic rule matching a reply to 1.2.3.4. Trip C is the problem. It matches rule 200 so gets rewritten, and now does not match the dynamic rule created by trip B=20 since that matches packets with 1.2.3.4 as destination address, which this packet no longer has. 
None of the other rules match either, so it is dropped.

So how can it work?????

This is the problem I have always been struggling with, ie should the dynamic rules match the incoming packets before or after they have been rewritten by natd to have their final destination address.

I have always had the equivalent of "pass all from any to any via xl0", which replaces the dynamic rule created by trip A and used by trip D, but this doesn't alter the problem.

From owner-freebsd-security@FreeBSD.ORG Wed Jun 18 06:39:39 2003
From: Murat USTUNTAS
To: freebsd-security@freebsd.org
Date: Wed, 18 Jun 2003 16:49:47 +0300
Message-ID: <3EF06DFB.3020906@bimel.com.tr>
In-Reply-To: <3EE9BC71.9000400@bimel.com.tr>
Subject: Re: Gigabit Ethernet Security With Ipfilter

Hi All,

I want to make some explanation on the Giga Network. We make a plan to change the network speed (server side) to Giga Network. As shown:

Local Area ========+-----------------+---------------->
(May be Giga Net)  |   Transparent   |  2 Mbit Internet
                   |    IpFilter     |
                   +-----------------'
                            |
                            |
                            |_> (Giga Net) Servers

And, take the information on NMBCLUSTERS, IPSTATE_SIZE and IPSTATE_MAX in ip_state.h. Or must I write this mail about ipfilter to ipfilter's mailing list?

Regards,
Murat Ustuntas

> Hello all,
>
> I want to learn about requirements if I want to protect
> gigabit network with ipfilter as transparent firewall.
> Which type of hardware is required to install FreeBSD + ipf
> (as transparency). We use 3 gigabit ethernet to protection
> which type of gigabit ethernet cards are powerful. Also,
> what about the NMBCLUSTERS, IPSTATE_SIZE and IPSTATE_MAX in
> ip_state.h.
>
> I want to collect all information on that requirement.
> > Regards,
> > Murat Ustuntas

From owner-freebsd-security@FreeBSD.ORG Thu Jun 19 04:43:00 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Thu, 19 Jun 2003 12:42:57 +0100
Organization: Insignia Solutions
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367447C45@exchange-uk.isltd.insignia.com>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

Well, I *did* figure it out.

>>## Example ##
>>fxp0 = external nic
>>xl0 = internal nic
>>internal network = 10.10.10.0/24
>>internal traffic NAT'd to 1.2.3.4
>>
>>## handle nat traffic
>>100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
>>200 divert 8668 ip from any to 1.2.3.4 in via fxp0
>>
>>300 check-state
>>
>>## dynamic rules for internal clients access to everything
>>## needed so un-nat'd return traffic can flow out the
>>## internal nic to the internal clients
>>400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
>>500 allow udp from 10.10.10.0/24 to any keep-state via xl0
>>
>>## dynamic rules allow natd alias address access to
>>## external resources
>>600 allow tcp from 1.2.3.4 to any keep-state out via fxp0
>>700 allow udp from 1.2.3.4 to any keep-state out via fxp0
>
>This appears to work but I am at a loss to understand how!
>
>If I follow one TCP packet all the way out to the Internet and
>its reply back to the internal net, there are four ipfw trips:
>
>A - request packet incoming on xl0
>B - request packet outgoing on fxp0
>C - reply packet incoming on fxp0
>D - reply packet outgoing on xl0
>
>Trip A matches rule 400 and is accepted, creating a dynamic
>rule which will match trip D.
>
>Trip B first matches rule 100, gets rewritten by natd then
>matches rule 600 and is sent, creating a dynamic rule
>matching a reply to 1.2.3.4.
>
>Trip C is the problem. It matches rule 200 so gets rewritten,
>and now does not match the dynamic rule created by trip B
>since that matches packets with 1.2.3.4 as destination
>address, which this packet no longer has. None of the other
>rules match either, so it is dropped.
>
>So how can it work?????

It works because I wrongly assumed that dynamic rules check the interface if the rule which created them had a "via" clause. But reading the manual reveals that this is not so.

So in my example above, the rule created by trip A is used during both trip C and trip D since it doesn't check the interface.
The rule created by trip B is wasted - it's never used to match anything. The only use of the keep-state on rule 600 seems to be for conversations initiated by the router.

I don't know why but I don't really like the lack of symmetry here. Plus there is a small problem in that if I telnet into the router then leave the session open for a long time, the rule is removed and next time I try to use the session it dies. I guess I can fix that by increasing the timeout from 5 minutes to 24 hours, or by adding another static rule which allows packets to go out on the internal network from the router itself.

Jim

From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 03:40:58 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Fri, 20 Jun 2003 11:40:55 +0100
Organization: Insignia Solutions
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you wrote:

>: ipfw -f flush
>: ipfw add 100 divert natd ip from any to any via rl0 in
>: ipfw add 200 check-state
>: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
>: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
>: ipfw add 500 divert natd ip from any to any out via rl0
>: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
>: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
>: ipfw add 65000 allow ip from any to any

Tricky indeed. I've been playing with the rules suggested by Greg Panula, but I don't really like them for a couple of reasons:

- I prefer to keep the internal interface open. I often telnet into the router and keep the session open and inactive for hours, and the dynamic rules time out and kill it.

- a rule is created which is never used, ie the outgoing packet starting a conversation creates two rules, only one of which is used in the check-state to match incoming.

So I will try out your set. But one question first: do you ever get hits on the second rule 300? I would have thought it very difficult for anyone to route a packet to you with a non-routable destination address. Surely only your ISP could do that?
Jim

From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 05:49:27 2003
From: Jan Grant
To: Jim Hatfield
cc: freebsd-security@freebsd.org
Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
Subject: Re: IPFW: combining "divert natd" with "keep-state"

On Fri, 20 Jun 2003, Jim Hatfield wrote:

[there was more]

> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

> But one question first: do you
> ever get hits on the second rule 300? I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

Do you trust your ISP? If the choice is between a rule that has no benefit providing everyone configured their stuff correctly, and leaving out the safety-net because you expect to not need it, that's a pretty simple choice.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Goth isn't dead, it's just lying very still and sucking its cheeks in.

From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 06:13:27 2003
From: David Wolfskill
To: Jan.Grant@bristol.ac.uk, subscriber@insignia.com
cc: freebsd-security@freebsd.org
Date: Fri, 20 Jun 2003 06:13:22 -0700 (PDT)
Message-Id: <200306201313.h5KDDMGI066097@bunrab.catwhisker.org>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

>Date: Fri, 20 Jun 2003 13:47:18 +0100 (BST)
>From: Jan Grant
>To: Jim Hatfield
>Cc: freebsd-security@freebsd.org
>Subject: Re: IPFW: combining "divert natd" with "keep-state"

>> >: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>> >: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0

>> But one question first: do you
>> ever get hits on the
>> second rule 300? I would have thought
>> it very difficult for anyone to route a packet to you with
>> a non-routable destination address. Surely only your ISP
>> could do that?

>Do you trust your ISP? If the choice is between a rule that has no
>benefit providing everyone configured their stuff correctly, and leaving
>out the safety-net because you expect to not need it, that's a pretty
>simple choice.

Indeed. I'm not using that particular set of rules, but I do block RFC 1918 netblocks on the external interface. And I do see attempts at traffic:

Jun 19 02:14:28 janus /kernel: ipfw: 6000 Deny UDP 10.28.227.64:32769 63.193.123.122:53 in via dc0
Jun 19 02:14:57 janus last message repeated 18 times

I expect this is a result of a misconfiguration (or lack of configuration) on someone's part. Regardless, I won't have anything to do with it. (I also block packets with certain oddball options set, though I have yet to see any.)

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Based on what I have seen to date, the use of Microsoft products is not consistent with reliability. I recommend FreeBSD for reliable systems.
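Jim Hatfield's trace of trips A-D through Greg Panula's ruleset, together with David Wolfskill's RFC 1918 log line, worked through in a small model of ipfw rule evaluation. This is an added example written for this archive, not code from the thread or from FreeBSD's ipfw(8)/natd(8). It assumes what Jim found in the manual (a keep-state entry is keyed on protocol and endpoints only, never on the interface), that natd keeps the source port when it aliases an outbound packet, and that a constructed rule 50 stands in for the RFC 1918 filter David describes; the class and function names (Natd, Ipfw, trace_conversation, bogon_probe), the internal host 10.10.10.5 and the remote host 198.51.100.7 are all made up for the example.

```python
"""Toy model of ipfw evaluation for the ruleset discussed in this thread.
Added example, not code from the list or from FreeBSD. Assumes natd keeps the
source port when aliasing, keep-state records only protocol and endpoints (no
interface), and a constructed rule 50 stands in for David Wolfskill's RFC 1918
filter, logging in the shape of his syslog line.
"""
import ipaddress
from dataclasses import dataclass, replace
EXT_IF, INT_IF = "fxp0", "xl0"
ALIAS = "1.2.3.4"                                    # natd alias address
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

def is_rfc1918(addr):
    return any(in_net(addr, n) for n in RFC1918)

def flow_key(p):
    """What keep-state records: protocol and both endpoints, no interface."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Natd:
    """Minimal natd: alias the source going out, restore the destination coming back."""
    def __init__(self):
        self.table = {}     # (proto, aliased port) -> original internal address

    def outbound(self, p):
        self.table[(p.proto, p.sport)] = p.src
        return replace(p, src=ALIAS)

    def inbound(self, p):
        orig = self.table.get((p.proto, p.dport))
        return replace(p, dst=orig) if orig else p

class Ipfw:
    def __init__(self):
        self.nat = Natd()
        self.dynamic = {}   # flow_key -> number of the rule whose keep-state made it
        self.matches = []   # (rule number, trip label), one per evaluated packet
        self.log = []       # constructed ipfw-style log lines from deny log rules

    def _hit(self, rule, trip, verdict):
        self.matches.append((rule, trip))
        return verdict

    def evaluate(self, p, direction, iface, trip):
        # 50 deny log ip from <RFC 1918 blocks> to any in via fxp0  (constructed)
        if direction == "in" and iface == EXT_IF and is_rfc1918(p.src):
            self.log.append("ipfw: 50 Deny %s %s:%d %s:%d %s via %s" % (
                p.proto.upper(), p.src, p.sport, p.dst, p.dport, direction, iface))
            return self._hit(50, trip, "deny")
        # 100 divert natd ip from 10.10.10.0/24 to any out via fxp0
        if direction == "out" and iface == EXT_IF and in_net(p.src, INTERNAL_NET):
            p = self.nat.outbound(p)
        # 200 divert natd ip from any to 1.2.3.4 in via fxp0
        if direction == "in" and iface == EXT_IF and p.dst == ALIAS:
            p = self.nat.inbound(p)
        # 300 check-state: only the flow key is compared, never the interface
        key = flow_key(p)
        if key in self.dynamic:
            return self._hit(self.dynamic[key], trip, "allow")
        # 400/500 allow tcp|udp from 10.10.10.0/24 to any keep-state via xl0
        if iface == INT_IF and in_net(p.src, INTERNAL_NET):
            self.dynamic[key] = 400 if p.proto == "tcp" else 500
            return self._hit(self.dynamic[key], trip, "allow")
        # 600/700 allow tcp|udp from 1.2.3.4 to any keep-state out via fxp0
        if direction == "out" and iface == EXT_IF and p.src == ALIAS:
            self.dynamic[key] = 600 if p.proto == "tcp" else 700
            return self._hit(self.dynamic[key], trip, "allow")
        return self._hit(65535, trip, "deny")    # default rule

def trace_conversation():
    """One TCP request and its reply through trips A-D (constructed addresses)."""
    fw = Ipfw()
    req = Packet("tcp", "10.10.10.5", 40000, "198.51.100.7", 80)
    reply = Packet("tcp", "198.51.100.7", 80, ALIAS, 40000)
    verdicts = [fw.evaluate(req, "in", INT_IF, "A"),
                fw.evaluate(req, "out", EXT_IF, "B"),
                fw.evaluate(reply, "in", EXT_IF, "C"),
                # after trip C natd has put the internal destination back
                fw.evaluate(replace(reply, dst="10.10.10.5"), "out", INT_IF, "D")]
    unused = sorted(set(fw.dynamic.values()) - {r for r, _ in fw.matches[2:]})
    return verdicts, fw.matches, unused

def bogon_probe():
    """An RFC 1918 source arriving on the external interface, like David's log."""
    fw = Ipfw()
    probe = Packet("udp", "10.28.227.64", 32769, ALIAS, 53)
    return fw.evaluate(probe, "in", EXT_IF, "probe"), fw.log
```

Calling trace_conversation() returns four "allow" verdicts with rule 400 matching trips A, C and D and rule 600 matching only trip B, and reports 600 as the keep-state entry that is never consulted again: the asymmetry Jim describes, which follows directly from check-state ignoring the interface once natd has restored the internal destination. bogon_probe() shows the other half of the thread: the source address from David's syslog excerpt, arriving on the external interface, is refused by the constructed rule 50 before it ever reaches natd, and the log line has the same shape as his.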
From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 10:14:59 2003
From: Bill Swingle
To: Andy Harrison, freebsd-security@FreeBSD.org
Date: Fri, 20 Jun 2003 10:14:58 -0700
Message-ID: <20030620171458.GA29729@dub.net>
In-Reply-To: <20030528063627.GB667@straylight.oblivion.bg>
Subject: Re: multihost master.passwd sync

This is a way late reply but I've had wonderful success with using NIS for distributing user info (but *'ing out the passwords) then using kerberos for authentication. Dunno if that helps.

-Bill

On Wed, May 28, 2003 at 09:36:27AM +0300, Peter Pentchev wrote:
> On Wed, May 28, 2003 at 09:35:17AM +0300, Peter Pentchev wrote:
> > On Tue, May 27, 2003 at 01:46:37PM -0400, Andy Harrison wrote:
> > >
> > > Just wondered if anyone had any suggestions about syncing up master.passwd
> > > files between multiple machines that didn't involve allowing root login
> > > remotely? The users need to be able to log in remotely and own files on the
> > > different machines.
> >
> > People have mentioned LDAP; I am truly surprised no one has mentioned
> > Kerberos yet.
>
> Oh wait, nevermind. That's what I get for posting before coffee;
> Kerberos still needs some way of telling the system that there is
> such a user in the first place.
>
> G'luck,
> Peter
>
> --
> Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
> PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> This sentence contradicts itself - or rather - well, no, actually it doesn't!

--
-=| Bill Swingle -
-=| Every message PGP signed
-=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| "Computers are useless.
They can only give you answers" Pablo Picasso

From owner-freebsd-security@FreeBSD.ORG Fri Jun 20 12:19:22 2003
From: Michael Collette
To: FreeBSD Security
Date: Fri, 20 Jun 2003 12:19:14 -0700
Message-Id: <200306201219.14573.metrol@metrol.net>
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
Subject: Re: IPFW: combining "divert natd" with "keep-state"

On Friday 20 June 2003 03:40 am, Jim Hatfield wrote:
> I would have thought
> it very difficult for anyone to route a packet to you with
> a non-routable destination address. Surely only your ISP
> could do that?

I would agree, except for a Checkpoint exploit I'd read about a while back. See, their management console would only allow authorized IPs in to work on the enforcement point. By default, and impossible to turn off by a user, it would allow traffic from its local IP without further checking. The exploit involved sending packets to the non-secure interface with a return address of the fw's own IP. Although the true source wouldn't get any packets back, it could send one-way commands to the firewall to have it bring its guard down. I don't recall all the specifics. This was well over a year ago.

BTW, is there a way to give certain IPs permission to reload IPFW's rules? There's some stuff I'd like to be able to admin remotely. Darn box won't let me reload rules, but it will let me reboot. I've done this quite a bit in the past to force new rules to load. I was rather hoping there was a more elegant solution to this.

Later on,
--
"Always listen to experts. They'll tell you what can't be done, and why. Then do it." - Robert A. Heinlein