From owner-freebsd-security@FreeBSD.ORG Tue Jan 18 15:01:18 2005
Date: Tue, 18 Jan 2005 17:01:10 +0200 (SAST)
From: Gareth Hopkins
To: freebsd-security@freebsd.org
Message-ID: <20050118165955.N13742@gabba.so.cpt1.za.uu.net>
Subject: Kerberos ticket passing

howdie,

Has anyone got a successful Kerberos ticket passing solution set up with OpenSSH on BSD 5.3?
---
Gareth Hopkins
Server Operations
UUNET South Africa

From owner-freebsd-security@FreeBSD.ORG Tue Jan 18 20:22:40 2005
Date: Tue, 18 Jan 2005 15:22:34 -0500
From: "Sherman, Michael (GE Energy)"
To: FreeBSD-security@FreeBSD.org
Message-ID: <6BBE5C5603D0D611A06F0002A5D6556405FAA185@nyschx22psge.sch.ge.com>
Subject: ipf question

Hello. I am a relatively new FreeBSD user. I have samba, ssh and a vnc server running on it. I am also trying to set up IPFILTER on it. I used the handbook to familiarize myself with the software, and I decided to use the sample script provided in the chapter discussing ipf as a starting point.
After reading the ipf chapter I assumed that if "block in log first quick on xl0 all" is used, everything which is not opened by default will be blocked. Now I opened only the samba and ssh ports:

pass in quick on xl0 proto tcp/udp from any to any port 137 <> 139 keep state
pass in quick on xl0 proto tcp/udp from any to any port = 445 keep state
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state

However, I am able to connect to the vncserver without actually opening it in the script. I guess my assumption was wrong; please let me know if I missed something.

Michael

From owner-freebsd-security@FreeBSD.ORG Tue Jan 18 16:25:45 2005
Date: Tue, 18 Jan 2005 11:25:43 -0500 (EST)
From: Garrett Wollman
Message-Id: <200501181625.j0IGPhTq012559@khavrinen.lcs.mit.edu>
To: Gareth Hopkins
In-Reply-To: <20050118165955.N13742@gabba.so.cpt1.za.uu.net>
References: <20050118165955.N13742@gabba.so.cpt1.za.uu.net>
cc: freebsd-security@FreeBSD.ORG
Subject: Kerberos ticket passing

< said:

> Has anyone got a successful kerberos ticket passing solution setup
> with OpenSSH on BSD 5.3 ?

Yep. Port the Debian 3.8 patches to 3.9 (takes a little bit of work) and use the openssh-portable port. Works fine with 3.4, 3.6, 3.8, and 3.9 servers.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Wed Jan 19 18:01:32 2005
Date: Wed, 19 Jan 2005 10:01:31 -0800
From: Erick Mechler
To: "Sherman, Michael (GE Energy)"
Message-ID: <20050119180131.GL19851@techometer.net>
References: <6BBE5C5603D0D611A06F0002A5D6556405FAA185@nyschx22psge.sch.ge.com>
In-Reply-To: <6BBE5C5603D0D611A06F0002A5D6556405FAA185@nyschx22psge.sch.ge.com>
cc: FreeBSD-security@freebsd.org
Subject: Re: ipf question

:: pass in quick on xl0 proto tcp/udp from any to any port 137 <> 139 keep
:: state

This line allows in all tcp and udp ports less than 137 and greater than 139, which is exactly what you don't want :) If you want to allow all ports 137-139 inclusive, you need to change it to

... port 136 >< 140 keep state

The < and > operators are not inclusive.

Cheers - Erick

From owner-freebsd-security@FreeBSD.ORG Wed Jan 19 18:36:54 2005
To: muc-lists-freebsd-security@moderators.muc.de
From: Rudolf Polzer
Newsgroups: mpc.lists.freebsd.security,muc.lists.freebsd.security
Followup-To:
muc.lists.freebsd.security
Date: 19 Jan 2005 18:36:50 GMT
References: <6BBE5C5603D0D611A06F0002A5D6556405FAA185@nyschx22psge.sch.ge.com> <20050119180131.GL19851@techometer.net>
Subject: Re: ipf question

["Followup-To:" header set to muc.lists.freebsd.security.]

»Erick Mechler« wrote:
> :: pass in quick on xl0 proto tcp/udp from any to any port 137 <> 139 keep
> :: state
>
> This line allows in all tcp and udp ports less than 137 and greater than
> 139, which is exactly what you don't want :) If you want to allow all
> ports 137-139 inclusive, you need to change it to
>
> ... port 136 >< 140 keep state
>
> The < and > operators are not inclusive.

I know it has been defined like that. But why?

Why wasn't an inclusive .. operator used? There must be a reason for this, but which one is it?
From owner-freebsd-security@FreeBSD.ORG Thu Jan 20 14:10:17 2005
Message-ID: <41EFBBC1.7030705@icyb.net.ua>
Date: Thu, 20 Jan 2005 16:10:09 +0200
From: Andriy Gapon
To: freebsd-security@freebsd.org
References: <41E796DC.2090102@icyb.net.ua> <20050114140709.GD57985@empiric.icir.org> <41E7DAC3.3050707@icyb.net.ua> <20050114152222.GG57985@empiric.icir.org> <41E7EADC.7080104@icyb.net.ua>
In-Reply-To: <41E7EADC.7080104@icyb.net.ua>
Subject: Re: debugging encrypted part of isakmp

on 14.01.2005 17:53 Andriy Gapon said the following:
>
> I see. I think it should not be too hard theoretically to write a
> program that would do such decryption offline, using code from isakmpd
> or racoon, and playing for both sides to deduce internal state/random
> values that original parties used. But that's definitely a lot of work.
>

Looks like I wrote nonsense, and what I wanted was to break the Diffie-Hellman exchange or to derive the DH shared key using encrypted information and knowing certain parts of the original information, both of which are either not feasible or too hard. Sorry for wasting your time.

--
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Thu Jan 20 17:04:16 2005
Message-ID: <41EFE48C.5040206@icyb.net.ua>
Date: Thu, 20 Jan 2005 19:04:12 +0200
From: Andriy Gapon
To: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Subject: ipsec vs. broadcast

Maybe this is already fixed in the newer code. I am still on 5.2.1 and have a problem with traffic that originally goes to a broadcast IP address but then gets encrypted by ipsec and should go into a tunnel, but when it is sent it has the ethernet broadcast flag set. Just to be clear: the traffic originates on the same host, which is a tunnel endpoint.
It looks to me that a fix could be as simple as clearing M_BCAST in the ipsec code (ipsec4_output), but I am not sure.

--
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Thu Jan 20 19:53:42 2005
Date: Thu, 20 Jan 2005 11:53:33 -0800
From: Erick Mechler
To: Rudolf Polzer
Message-ID: <20050120195333.GQ19851@techometer.net>
References: <6BBE5C5603D0D611A06F0002A5D6556405FAA185@nyschx22psge.sch.ge.com> <20050119180131.GL19851@techometer.net>
cc: muc-lists-freebsd-security@moderators.muc.de
Subject: Re: ipf question
:: > ... port 136 >< 140 keep state
:: >
:: > The < and > operators are not inclusive.
::
:: I know it has been defined like that. But why?
::
:: Why wasn't an inclusive .. operator used? There must be a reason for
:: this, but which one is it?

AFAIK, there is no such thing as an inclusive gt or lt operator.
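The exclusive semantics of the `><` and `<>` port operators that Erick explains above, and the follow-up about there being no inclusive operator, can be checked before a ruleset is ever loaded. The following is an added example written for this page; it is not code from the thread and not IPFilter's own code. It models the port-comparison operators as documented in ipf.conf(5), parses the port clause of a rule line, and replays first-match ("quick") evaluation over the poster's three pass rules plus the handbook's closing block rule. Assumptions: only one port clause per rule is modelled (the destination port, which is all the posted rules use), the rules are all "quick" rules on the same interface and direction, and the vnc server listens on TCP 5900 (the standard port for display :0; the original post does not name it).

```python
"""Model of IPFilter (ipf) port-comparison semantics.  Added example for this
page; not code from the mailing-list thread and not IPFilter's own code."""

import re

# One-sided operators compare against a single port; the two-sided forms take a
# pair and are EXCLUSIVE of both endpoints.  That is the trap in the posted
# rule: "port 137 <> 139" means "port < 137 OR port > 139".
_ONE_SIDED = {
    "=":  lambda p, a: p == a,
    "!=": lambda p, a: p != a,
    "<":  lambda p, a: p < a,
    ">":  lambda p, a: p > a,
    "<=": lambda p, a: p <= a,
    ">=": lambda p, a: p >= a,
}
_TWO_SIDED = {
    "><": lambda p, a, b: a < p < b,        # strictly inside (a, b)
    "<>": lambda p, a, b: p < a or p > b,   # strictly outside [a, b]
}

# Assumption: a rule carries at most one port clause (the posted rules only
# restrict the destination port, as in "... to any port 137 <> 139 ...").
_RE_TWO = re.compile(r"\bport\s+(\d+)\s*(><|<>)\s*(\d+)")
_RE_ONE = re.compile(r"\bport\s*(<=|>=|!=|=|<|>)\s*(\d+)")


def port_predicate(rule):
    """Return a function port -> bool for the port clause of an ipf rule line.
    A rule with no port clause (e.g. "block in ... all") matches every port."""
    m = _RE_TWO.search(rule)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return lambda p: _TWO_SIDED[op](p, a, b)
    m = _RE_ONE.search(rule)
    if m:
        op, a = m.group(1), int(m.group(2))
        return lambda p: _ONE_SIDED[op](p, a)
    return lambda p: True


def matching_ports(rule, lo=1, hi=65535):
    """All ports in [lo, hi] admitted by the rule's port clause."""
    pred = port_predicate(rule)
    return [p for p in range(lo, hi + 1) if pred(p)]


def first_match(rules, port):
    """Replay first-match evaluation: the first rule whose port clause admits
    `port` decides the packet.  Assumes every rule is a "quick" rule on the
    same interface and direction, as in the posted script."""
    for rule in rules:
        if port_predicate(rule)(port):
            return rule
    return None


def audit(rules):
    """Flag pass rules using "<>": report how many of the 65535 ports each one
    admits.  A pass rule with "<>" almost always meant an inclusive range."""
    return [(r, len(matching_ports(r))) for r in rules
            if r.startswith("pass") and "<>" in r]


# The ruleset from the original post (constructed from the thread), with the
# handbook's catch-all block rule last so first-match evaluation is complete.
POSTED_RULES = [
    "pass in quick on xl0 proto tcp/udp from any to any port 137 <> 139 keep state",
    "pass in quick on xl0 proto tcp/udp from any to any port = 445 keep state",
    "pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state",
    "block in log first quick on xl0 all",
]

# Same ruleset with Erick's correction applied to the first line.
CORRECTED_RULES = [
    "pass in quick on xl0 proto tcp/udp from any to any port 136 >< 140 keep state",
] + POSTED_RULES[1:]

VNC_PORT = 5900  # assumption: vncserver on display :0


if __name__ == "__main__":
    print("136 >< 140 admits:", matching_ports(CORRECTED_RULES[0]))
    print("VNC under posted rules  ->", first_match(POSTED_RULES, VNC_PORT))
    print("VNC under corrected rules ->", first_match(CORRECTED_RULES, VNC_PORT))
    for rule, n in audit(POSTED_RULES):
        print(f"WARNING: pass rule admits {n} ports: {rule}")
```

Run against the posted ruleset, the first `pass` line admits 65532 of the 65535 ports, so TCP 5900 hits it before the closing `block` rule ever sees the packet; with `136 >< 140` in its place the same packet falls through to `block`, which is the behaviour Michael expected. The `audit` check is the cheap guard to keep: any `pass` rule whose port clause uses `<>` deserves a second look. Newer IPFilter releases document an inclusive `port a:b` form as well; check ipf.conf(5) for the release you run before relying on it.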