From owner-freebsd-security@FreeBSD.ORG Mon Jan 26 00:34:25 2004
From: "Peter Rosa"
To: "FreeBSD Security"
Date: Sat, 24 Jan 2004 17:10:16 +0100
Subject: Kernel modules listing

Hi all,

please, is there some utility/command/... to list all installed kernel modules?
Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Mon Jan 26 00:37:45 2004
From: Kris Kennaway
To: Peter Rosa
Cc: FreeBSD Security
Date: Mon, 26 Jan 2004 00:37:43 -0800
Subject: Re: Kernel modules listing

On Sat, Jan 24, 2004 at 05:10:16PM +0100, Peter Rosa wrote:
> Hi all,
>
> please, is there some utility/command/... to list all installed kernel
> modules?
kldstat

Kris

From owner-freebsd-security@FreeBSD.ORG Mon Jan 26 01:10:35 2004
From: Andrew Riabtsev
To: freebsd-security@freebsd.org
Reply-To: Andrew Riabtsev
Date: Mon, 26 Jan 2004 12:11:55 +0300
Subject: Re: Kernel modules listing

Hi Peter,

Saturday, January 24, 2004, 7:10:16 PM, you wrote:

PR> Hi all,
PR> please, is there some utility/command/... to list all installed kernel
PR> modules?
PR> Peter Rosa

try

ls /modules - lists loadable modules
kldstat -v - lists all loaded and compiled in modules.
--
Andrew mailto:resident@b-o.ru

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 05:34:46 2003
From: Eric Anderson
To: Jim Hatfield
Cc: freebsd-security@freebsd.org
Date: Wed, 22 Oct 2003 12:34:46 -0000
X-Original-Date: Wed, 22 Oct 2003 07:34:30 -0500
Subject: Re: IPSec VPNs: to gif or not to gif

Jim Hatfield wrote:

>I will shortly be replacing a couple of proprietary VPN boxes
>with a FreeBSD solution. Section 10.10 of the Handbook has a
>detailed description of how to do this.
>
>However I remember a lot of discussion about a year ago about
>whether the gif interface was necessary to set up VPNs like
>this or whether it was just a convenience, for "getting the
>routing right".
>A number of people said that gif was not
>needed but I've never found a step-by-step description of how
>to set up a lan-to-lan VPN without using it.
>

I use gif interfaces for my VPNs, and it works extremely well. The only other solution I think I would even try is mpd, but that uses a much weaker protocol from what I know (PPTP). It's so easy to use gif, I'm not sure why you wouldn't.

Eric

--
------------------------------------------------------------------
Eric Anderson     Systems Administrator      Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Wed Oct 22 10:33:37 2003
From: Mark Murray
To: Eric Anderson
Cc: security@freebsd.org
Date: Wed, 22 Oct 2003 17:33:38 -0000
X-Original-Date: Wed, 22 Oct 2003 18:34:11 +0100
Subject: Re: hardware crypto and SSL?

Eric Anderson writes:
> The new VIA Eden-N processors have built in high-speed AES encryption
> routines - OpenBSD supports it and FreeBSD support is coming down the
> line soon.

*wave* :-)

> Note - I work for the company who designed the processor, so I am
> biased. But really, it IS FAST.

This is true. This is the fastest AES I've seen.
M
--
Mark Murray
iumop ap!sdn w,I idlaH

From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 01:34:37 2003
From: Kris Kennaway
To: Jarkko Santala
Cc: security@freebsd.org
Cc: Kris Kennaway
Subject: Re: Best way to filter "Nachi pings"?
Date: Mon, 27 Oct 2003 09:34:37 -0000
X-Original-Date: Mon, 27 Oct 2003 01:34:35 -0800

On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> On Mon, 27 Oct 2003, Kris Kennaway wrote:
>
> > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > IPFW doesn't seem to have the ability to filter packets by length.
> > > Assuming that I stick with IPFW, what's the best way to stem the
> > > tide?
> >
> > Block all ping packets? Most security-conscious admins do this
>
> D'oh? I like ping very much and it would make me very sad indeed if I
> couldn't ping my boxes to solve possible network problems along the way. I
> fail to see the security problem and possible DoS issues could be solved
> by using limiting of sort.

The security and DoS concerns are really kind of obvious. No-one has
a gun to your head though, so I fail to see why you're complaining
that someone else might do this on their own network.

> Definitely this block-all approach is not sane, it's like if someone
> complains about NFS being broken you'd say disable it. Filtering packets
> by length on the other hand is a very nice feature to have.

As it happens, ipfw[2] does this anyway.
Kris
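
Added example, not part of the original thread or any poster's code: the thread ends on the point that ipfw2 can match on packet length (its `iplen` option compares the IP total length). The Python sketch below applies that same match, an ICMP echo request with IP total length 92, to constructed sample packets. Reading "92-byte" as the IP total length is an assumption, and the function names and documentation-range addresses are made up for illustration.

```python
import struct

NACHI_IP_LEN = 92        # "92-byte ping" from the thread; assumed to be the IP total length
ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8


def build_packet(total_len, icmp_type=ICMP_ECHO_REQUEST, proto=ICMP_PROTO):
    """Constructed sample IPv4 packet (checksums left at zero, test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip + icmp + bytes(total_len - len(ip) - len(icmp))


def verdict(packet):
    """'deny' for a 92-byte ICMP echo request, 'pass' for everything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                       # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4            # header length; IP options shift the ICMP header
    total_len, frag = struct.unpack("!H2xH", packet[2:8])
    if packet[9] != ICMP_PROTO or ihl < 20 or len(packet) <= ihl:
        return "pass"
    if frag & 0x1FFF:                       # later fragment: no ICMP header to inspect
        return "pass"
    if packet[ihl] == ICMP_ECHO_REQUEST and total_len == NACHI_IP_LEN:
        return "deny"
    return "pass"


def filter_counts(packets):
    """Tally verdicts over a batch, as a firewall rule counter would."""
    counts = {"deny": 0, "pass": 0}
    for p in packets:
        counts[verdict(p)] += 1
    return counts


SAMPLES = [
    build_packet(92),                 # the probe size reported in the thread
    build_packet(84),                 # ordinary ping with 56 data bytes
    build_packet(92, icmp_type=0),    # echo reply of the same size
    build_packet(92, proto=17),       # same length, but UDP
]

if __name__ == "__main__":
    print(filter_counts(SAMPLES))
```

The match is on length alone, so a legitimate echo request carrying 64 data bytes (20 + 8 + 64 = 92, no IP options) is dropped as well.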