From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 10:22:09 2005
From: Oleg Rusanov <freebsd-security@molecon.ru>
Date: Mon, 27 Jun 2005 14:21:10 +0400
To: freebsd-security@freebsd.org
Message-ID: <1344959974.20050627142110@molecon.ru>
Subject: "sh -i" My server was hacked. How can i found hole on my server?

Hello.

My server was hacked. The CPU has been loaded at 99% by an "sh -i" process.
I found out that someone had started phpshell through a hole in one of the phpbb forums.
They also put scripts for flood and spam and a "vadim script" in "/tmp". I made it noexec.
Recently I found the same process again. Maybe I have left /tmp open again, or there may be another hole.
What is best to do to clean my system?

amd64# ps aux -H
USER     PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
nobody 60138 99.0  0.2 12796 4844  ??  RL    7:11AM 739:26.28 sh -i (perl5.8.6)
amd64# ps -lp 60138
  UID   PID  PPID CPU PRI NI   VSZ  RSS MWCHAN STAT  TT      TIME COMMAND
65534 60138     1 291 114  0 12796 4844 -      R     ?? 762:55.06 sh -i (perl5.8.6)
amd64#

(I cannot find info about parent process 65534)

amd64# sockstat | grep 60138
nobody   perl5.8.6  60138 3  tcp4   my_ip:55000           161.53.178.240:9999
amd64#

amd64# lsof -p 60138
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
perl5.8.6 60138 nobody  cwd   VDIR               4,13      512       2 /
perl5.8.6 60138 nobody  rtd   VDIR               4,13      512       2 /
perl5.8.6 60138 nobody  txt   VREG               4,18    13144 6312845 /usr/local/bin/perl5.8.6
perl5.8.6 60138 nobody  txt   VREG               4,13   173264     616 /libexec/ld-elf.so.1
perl5.8.6 60138 nobody  txt   VREG               4,18  1272229 6524324 /usr/local/lib/perl5/5.8.6/mach/CORE/libperl.so
perl5.8.6 60138 nobody  txt   VREG               4,13   151160     576 /lib/libm.so.3
perl5.8.6 60138 nobody  txt   VREG               4,13    33024     339 /lib/libcrypt.so.2
perl5.8.6 60138 nobody  txt   VREG               4,13    52064     583 /lib/libutil.so.4
perl5.8.6 60138 nobody  txt   VREG               4,13  1055864     585 /lib/libc.so.5
perl5.8.6 60138 nobody  txt   VREG               4,18    22226 6901089 /usr/local/lib/perl5/5.8.6/mach/auto/IO/IO.so
perl5.8.6 60138 nobody  txt   VREG               4,18    28921 6901280 /usr/local/lib/perl5/5.8.6/mach/auto/Socket/Socket.so
perl5.8.6 60138 nobody    0r  VCHR                2,2      0t0       7 /dev/null
perl5.8.6 60138 nobody    1u  PIPE         0x6f537410        0         ->0xffffff006f5372d0
perl5.8.6 60138 nobody    2w  VREG               4,18 47856095 6407163 /usr/local/apache/logs/error_log
perl5.8.6 60138 nobody    3u  IPv4 0xffffff00168142c0      0t0     TCP my_hostname:55000->zagreb.hr.eu.undernet.org:9999 (ESTABLISHED)
perl5.8.6 60138 nobody    4u  IPv4                         0t0     TCP no PCB, CANTSENDMORE, CANTRCVMORE
perl5.8.6 60138 nobody   15w  VREG               4,18 47856095 6407163 /usr/local/apache/logs/error_log
perl5.8.6 60138 nobody   18w  VREG               4,18       84 6406351 /usr/local/apache/domlogs/my_site.ru-bytes_log
... apache logs...
perl5.8.6 60138 nobody   61w  VREG               4,18   847357 6407164 /usr/local/apache/logs/ssl_engine_log
perl5.8.6 60138 nobody   62w  VREG               4,16   147300    8310 /var/log/my_site.ru
perl5.8.6 60138 nobody   63w  VREG               4,18        0 6406441 /usr (/dev/ad4s1f)
perl5.8.6 60138 nobody  109w  VREG               4,18        0 6406441 /usr (/dev/ad4s1f)
amd64#

amd64# fstat -p 60138
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
nobody   perl5.8.6  60138 root /             2 drwxr-xr-x      512  r
nobody   perl5.8.6  60138   wd /             2 drwxr-xr-x      512  r
nobody   perl5.8.6  60138 text /usr    6312845 -rwxr-xr-x    13144  r
nobody   perl5.8.6  60138    0 /dev          7 crw-rw-rw-     null  r
nobody   perl5.8.6  60138   1* pipe ffffff006f537410 <-> ffffff006f5372d0      0 rw
nobody   perl5.8.6  60138    2 /usr    6407163 -rw-r--r-- 47853541  w
nobody   perl5.8.6  60138   3* internet stream tcp ffffff00168142c0
nobody   perl5.8.6  60138   4* internet stream tcp
nobody   perl5.8.6  60138   15 /usr    6407163 -rw-r--r-- 47853541  w
nobody   perl5.8.6  60138   18 /usr    6406351 -rw-r--r--       84  w
nobody   perl5.8.6  60138   19 /usr    6406445 -rw-r--r--   177196  w
nobody   perl5.8.6  60138   20 /usr    6406367 -rw-r--r--   273155  w
nobody   perl5.8.6  60138   21 /usr    6406346 -rw-r--r--       68  w
nobody   perl5.8.6  60138   22 /usr    6406340 -rw-r--r--   219769  w
nobody   perl5.8.6  60138   23 /usr    6406152 -rw-r--r--    61985  w
nobody   perl5.8.6  60138   24 /usr    6406295 -rw-r--r--    98621  w
nobody   perl5.8.6  60138   25 /usr    6406287 -rw-r--r--  2558162  w
nobody   perl5.8.6  60138   26 /usr    6406284 -rw-r--r--    32168  w
nobody   perl5.8.6  60138   27 /usr    6406292 -rw-r--r--   265964  w
nobody   perl5.8.6  60138   28 /usr    6406213 -rw-r--r--     1607  w
nobody   perl5.8.6  60138   29 /usr    6407351 -rw-r--r--   347197  w
nobody   perl5.8.6  60138   30 /usr    6407377 -rw-r--r--   140832  w
nobody   perl5.8.6  60138   31 /usr    6407290 -rw-r--r--   935975  w
nobody   perl5.8.6  60138   32 /usr    6406393 -rw-r--r--     5634  w
nobody   perl5.8.6  60138   33 /usr    6407328 -rw-r--r--    51239  w
nobody   perl5.8.6  60138   34 /usr    6406252 -rw-r--r--    12198  w
nobody   perl5.8.6  60138   35 /usr    6407325 -rw-r--r--    13538  w
nobody   perl5.8.6  60138   36 /usr    6407319 -rw-r--r--    23151  w
nobody   perl5.8.6  60138   37 /usr    6407322 -rw-r--r--    16184  w
nobody   perl5.8.6  60138   38 /usr    6407341 -rw-r--r--   146759  w
nobody   perl5.8.6  60138   39 /usr    6407329 -rw-r--r--    36336  w
nobody   perl5.8.6  60138   40 /usr    6406423 -rw-r--r--    43747  w
nobody   perl5.8.6  60138   41 /usr    6407330 -rw-r--r--    95287  w
nobody   perl5.8.6  60138   42 /usr    6406425 -rw-r--r--    28586  w
nobody   perl5.8.6  60138   43 /usr    6406223 -rw-r--r--      210  w
nobody   perl5.8.6  60138   44 /usr    6407166 -rw-r--r--   613177  w
nobody   perl5.8.6  60138   45 /usr    6406160 -rw-r--r--        0  w
nobody   perl5.8.6  60138   46 /usr    6406166 -rw-r--r--   123158  w
nobody   perl5.8.6  60138   47 /usr    6407974 -rw-r--r--      272  w
nobody   perl5.8.6  60138   48 /usr    6407952 -rw-r--r--      196  w
nobody   perl5.8.6  60138   49 /usr    6407915 -rw-r--r--    49313  w
nobody   perl5.8.6  60138   50 /usr    6407942 -rw-r--r--   170924  w
nobody   perl5.8.6  60138   51 /usr    6407933 -rw-r--r--  1496129  w
nobody   perl5.8.6  60138   52 /usr    6407931 -rw-r--r--   202140  w
nobody   perl5.8.6  60138   53 /usr    6407924 -rw-r--r--   342351  w
nobody   perl5.8.6  60138   54 /usr    6407913 -rw-r--r--    23547  w
nobody   perl5.8.6  60138   55 /usr    6407288 -rw-r--r--    18729  w
nobody   perl5.8.6  60138   56 /usr    6407289 -rw-r--r--   377903  w
nobody   perl5.8.6  60138   57 /usr    6407166 -rw-r--r--   613177  w
nobody   perl5.8.6  60138   58 /usr    6407175 -rw-r--r--     4526  w
nobody   perl5.8.6  60138   59 /usr    6407171 -rw-r--r--   373516  w
nobody   perl5.8.6  60138   60 /usr    6407181 -rw-r--r--    49888  w
nobody   perl5.8.6  60138   61 /usr    6407164 -rw-r--r--   847357  w
nobody   perl5.8.6  60138   62 /var       8310 -rw-r--r--   147300  w
nobody   perl5.8.6  60138   63 /usr    6406441 -rw-------        0  w
nobody   perl5.8.6  60138  109 /usr    6406441 -rw-------        0  w
amd64#

Then I killed process 60138 with kill -9; it restarted with another number, 86717, and I rebooted to kill it.
amd64# lsof -i -n | grep 86717
perl5.8.6 86717 nobody  3u  IPv4 0xffffff004b465000  0t0  TCP my_ip:53650->161.53.178.240:9999 (ESTABLISHED)
perl5.8.6 86717 nobody  4u  IPv4                     0t0  TCP no PCB, CANTSENDMORE, CANTRCVMORE
amd64#

How can I find the hole on my server?

-- 
Regards,
Oleg                          mailto:freebsd-security@molecon.ru

From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 10:32:06 2005
From: Jan Muenther <jan.muenther@nruns.com>
Date: Mon, 27 Jun 2005 12:32:04 +0200
To: Oleg Rusanov
Cc: freebsd-security
In-Reply-To: <1344959974.20050627142110@molecon.ru>
Message-ID: <42BFD5A4.4070208@nruns.com>
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?

Reinstall from trusted media, then restore backups of your data (data only, mind you).

I'd also really advise against using something with a security history like phpBB's.
FWIW, faulty PHP apps are one of the most common ways of breaking into Unix-ish boxes for the kids nowadays.

Cheers, j.

From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 11:34:49 2005
From: Oleg Rusanov <freebsd-security@molecon.ru>
Date: Mon, 27 Jun 2005 15:34:36 +0400
To: freebsd-security@freebsd.org
In-Reply-To: <42BFDAB9.7010204@sochiwater.ru>
References: <1344959974.20050627142110@molecon.ru> <42BFDAB9.7010204@sochiwater.ru>
Message-ID: <1181649450.20050627153436@molecon.ru>
Subject: Re[2]: "sh -i" My server was hacked. How can i found hole on my server?

> Also check that your kernel wasn't recompiled and that there aren't any
> (known at least) rootkits (chkrootkit).
> Anyway, IMHO, there are more ways to hide something in your system..
> If I were you, I'd do all this to try to know the real reason and to
> keep that in mind for the future. Finally, I'd follow Jan Muenther's
> advice to be sure that you're absolutely clean.

amd64# uname -mirs
FreeBSD 5.4-STABLE amd64 L71
amd64#
amd64# kldstat
Id Refs Address            Size     Name
 1    2 0xffffffff80100000 470930   kernel
 2    1 0xffffffffb45b0000 2213     nullfs.ko
amd64# sysctl kern.securelevel
kern.securelevel: -1

There is a shell account only for me. And PHP open_basedir was disabled only for one account, so phpshell could only have come from this account, but there is no phpbb hole on this account. Hm.

chkrootkit is not working, also after the reinstall:

Checking `bindshell'... INFECTED (PORTS: 465 4000)
Checking `lkm'...

Here it has been checking for a long time; I think that is not normal.

I continue to search.

-- 
Regards,
Oleg                          mailto:freebsd-security@molecon.ru

From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 10:31:34 2005
From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Date: Mon, 27 Jun 2005 12:31:25 +0200
To: Oleg Rusanov
Cc: freebsd-security@freebsd.org
In-Reply-To: <1525910592.20050627141014@molecon.ru>
Message-ID: <42BFD57D.8090806@t-hosting.hu>
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?

Oleg Rusanov wrote:

> What is best to do to clean my system?

You should back up the data You need. You can also save Your configuration files: httpd.conf, etc. Then make a clean install from disc. The intruder could install a rootkit and modify system binaries. The best thing You can do is reinstall everything.

> How can I find the hole on my server?

That is the harder part.

1, Check Your FreeBSD version with uname -a. Is it up-to-date? Have You upgraded to the appropriate security branch? Or does it have some security issues?
2, Think about what network daemons You are using. Check the version numbers and look for security advisories on the project homepage and in mailing list archives. Does something have a vulnerability?
3, Now check all the homepages You have. Could there be a security deficiency somewhere? If You use open-source portal projects like the phpbb You mentioned, look for security advisories on the project homepage or in mailing list archives. If You have custom PHP code, You should examine it.
4, You can never trust anybody.... Are there local users on the machine? They might use a local root exploit if there is such a vulnerability.

If You haven't found the hole so far, You should look for advisories again... You should examine every package that You have installed.

Prevention is extremely important:

1, Subscribe to freebsd-announce and freebsd-security-notifications and upgrade Your system if necessary.
2, Subscribe to the announce and security lists of *each* piece of software You use and upgrade them if necessary.
3, Place only trusted and secure code on the hosted websites.
4, If somebody doesn't need a unix account, don't give him one. Or if he needs one, try to minimize the privileges he gets. The most powerful protection is to set up a jail environment and use it for giving out user accounts.

Cheers,

Gábor Kövesdán

P.S.: I've removed freebsd-amd64 from the cc list, since this is related to freebsd-security.
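The output in Oleg's first message is the kind of evidence a responder pulls indicators from before deciding, as Jan and Gábor suggest, to rebuild. The script below is an added example, not code from the thread, from FreeBSD or from any tool named in it. It parses the ps, sockstat and lsof lines shown above (re-typed here as constructed sample input) and flags what stands out: a process title that FreeBSD's ps prints as "sh -i (perl5.8.6)", meaning the argv was rewritten and the real executable is perl; an outbound connection from the web-server account to a non-HTTP port (9999 on a host in the undernet IRC network, per the lsof line); a parent PID of 1 (reparented to init after the httpd child that spawned it exited); and write descriptors on the Apache log files, which a process can only hold by inheriting them from httpd. WEB_USERS, WEB_PORTS and CPU_THRESHOLD are assumptions.

```python
"""Indicator extraction from the process evidence in Oleg's first message.

Added example, not code from the thread or from FreeBSD. The sample lines
are constructed from the ps(1), sockstat(1) and lsof(8) output shown above;
WEB_USERS, WEB_PORTS and CPU_THRESHOLD are assumptions.
"""
import re

# Constructed from `ps aux -H` and `ps -lp 60138` in the message.
PS_AUX_LINE = "nobody 60138 99.0 0.2 12796 4844 ?? RL 7:11AM 739:26.28 sh -i (perl5.8.6)"
PS_L_LINE = "65534 60138 1 291 114 0 12796 4844 - R ?? 762:55.06 sh -i (perl5.8.6)"

# Constructed from `sockstat | grep 60138`.
SOCKSTAT_LINE = "nobody perl5.8.6 60138 3 tcp4 my_ip:55000 161.53.178.240:9999"

# Constructed subset of `lsof -p 60138` (only the descriptors that matter here).
LSOF_LINES = [
    "perl5.8.6 60138 nobody txt VREG 4,18 13144 6312845 /usr/local/bin/perl5.8.6",
    "perl5.8.6 60138 nobody 2w VREG 4,18 47856095 6407163 /usr/local/apache/logs/error_log",
    "perl5.8.6 60138 nobody 3u IPv4 0xffffff00168142c0 0t0 TCP my_hostname:55000->zagreb.hr.eu.undernet.org:9999 (ESTABLISHED)",
    "perl5.8.6 60138 nobody 18w VREG 4,18 84 6406351 /usr/local/apache/domlogs/my_site.ru-bytes_log",
]

WEB_USERS = {"nobody", "www"}   # accounts the web server runs as (assumption)
WEB_PORTS = {80, 443}           # outbound ports a web app might legitimately use (assumption)
CPU_THRESHOLD = 90.0            # %CPU that is abnormal for a web-server child (assumption)


def parse_ps_aux(line):
    """USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND; COMMAND keeps its spaces."""
    f = line.split(None, 10)
    return {"user": f[0], "pid": int(f[1]), "cpu": float(f[2]), "command": f[10]}


def parse_ps_l(line):
    """UID PID PPID CPU PRI NI VSZ RSS MWCHAN STAT TT TIME COMMAND."""
    f = line.split(None, 12)
    return {"uid": int(f[0]), "pid": int(f[1]), "ppid": int(f[2]), "command": f[12]}


def title_mismatch(command):
    """FreeBSD ps appends the real program name in parentheses when a process has
    rewritten its argv. Return (argv_name, real_name) if they differ, else None."""
    m = re.match(r"(\S+).*\((\S+)\)$", command)
    if m and m.group(1) != m.group(2):
        return m.group(1), m.group(2)
    return None


def parse_sockstat(line):
    """USER COMMAND PID FD PROTO LOCAL FOREIGN."""
    f = line.split()
    host, port = f[6].rsplit(":", 1)
    return {"user": f[0], "command": f[1], "pid": int(f[2]),
            "remote_host": host, "remote_port": int(port)}


def inherited_log_fds(lsof_lines):
    """Write-mode descriptors on Apache log files. A CGI/PHP child holds these only
    because it inherited them from httpd, so they show how the process was spawned."""
    return [(f[3], f[-1]) for f in (l.split() for l in lsof_lines)
            if f[3].endswith("w") and "/apache/" in f[-1]]


def triage(ps_aux_line, ps_l_line, sockstat_line, lsof_lines):
    """Return the list of indicators found in the four pieces of evidence."""
    findings = []
    p = parse_ps_aux(ps_aux_line)
    q = parse_ps_l(ps_l_line)
    mm = title_mismatch(p["command"])
    if mm:
        findings.append("argv_rewritten:%s->%s" % mm)
    if p["user"] in WEB_USERS and p["cpu"] >= CPU_THRESHOLD:
        findings.append("high_cpu_as_web_user")
    if q["ppid"] == 1:
        findings.append("reparented_to_init")
    s = parse_sockstat(sockstat_line)
    if s["user"] in WEB_USERS and s["remote_port"] not in WEB_PORTS:
        findings.append("outbound:%s:%d" % (s["remote_host"], s["remote_port"]))
    logs = inherited_log_fds(lsof_lines)
    if logs:
        findings.append("inherited_httpd_fds:%d" % len(logs))
    return findings


if __name__ == "__main__":
    for finding in triage(PS_AUX_LINE, PS_L_LINE, SOCKSTAT_LINE, LSOF_LINES):
        print(finding)
```

The inherited-descriptor check is the one that answers Oleg's actual question: descriptors on httpd's logs point at the web server, not at a local shell account, as the spawning path, which is consistent with his phpshell finding and with Jan's remark about PHP applications.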
From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 13:36:52 2005
From: "Raymond Wagner" <wagnerr@zoomtown.com>
Date: Mon, 27 Jun 2005 09:36:37 -0400
To: freebsd-security@freebsd.org
Message-Id: <200506271336.j5RDamWY022065@ms-smtp-01-eri0.ohiordc.rr.com>
Subject: running jail with alternate IP

I am currently setting up a firewall that translates my internal network over to 5 public IP addresses. The addresses are dynamically assigned, so I use ddclient to update my www.dyndns.org account. I've set up several aliases on the external interface of the firewall, and succeeded in having the internal computers use those extra public IPs.

What I want to do is have 5 copies of ddclient all running in separate jails bound to different public IPs. I did some experimenting with jail, jailing a shell and then running lynx to www.whatismyip.com. I had to open up the firewall to get it to work, and then it gave me the public IP address bound to the first IP on the interface. Looking at the firewall logs, it seems as if jail is sending packets on the main IP (the non-aliased one), but modifying the header so they return to the aliased IP that was given to it when running the jail command.

Is this how jail is supposed to operate, or am I doing something wrong?

From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 14:00:51 2005
From: Marko Lerota <marko.lerota@optima-telekom.hr>
Date: Mon, 27 Jun 2005 15:54:31 +0200
To: Oleg Rusanov
Cc: freebsd-security
In-Reply-To: <1344959974.20050627142110@molecon.ru> (Oleg Rusanov's message of "Mon, 27 Jun 2005 14:21:10 +0400")
Message-ID: <861x6n52i0.fsf@redcloud.local>
Subject: Re: "sh -i" My server was hacked. How can i found hole on my server?

Oleg Rusanov writes:

> Hello.
>
> My server was hacked. The CPU has been loaded at 99% by an "sh -i" process.
> I found out that someone had started phpshell through a hole in one of the phpbb forums.
> They also put scripts for flood and spam and a "vadim script" in
> "/tmp". I made it noexec. Recently I found the same process again.
> Maybe I have left /tmp open again, or there may be another hole.
> What is best to do to clean my system?
>
> How can I find the hole on my server?

Before formatting, try rkhunter and nessus.

-- 
One cannot sell the earth upon which the people walk
                                       Tacunka Witco

From owner-freebsd-security@FreeBSD.ORG Mon Jun 27 18:43:33 2005
From: mario <mario@schmut.com>
Date: Mon, 27 Jun 2005 11:43:29 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <200506271336.j5RDamWY022065@ms-smtp-01-eri0.ohiordc.rr.com>
Message-ID: <20688.209.213.222.98.1119897809.squirrel@mail.schmut.com>
Subject: Re: running jail with alternate IP

So, Raymond Wagner wrote:

> I am currently setting up a firewall that translates my internal network
> over to 5 public IP addresses. The addresses are dynamically assigned,
> so I use ddclient to update my www.dyndns.org account. I've set up
> several aliases on the external interface of the firewall, and succeeded
> in having the internal computers use those extra public IPs.
>
> What I want to do is have 5 copies of ddclient all running in separate
> jails bound to different public IPs. I did some experimenting with
> jail, jailing a shell and then running lynx to www.whatismyip.com. I
> had to open up the firewall to get it to work, and then it gave me the
> public IP address bound to the first IP on the interface. Looking at
> the firewall logs, it seems as if jail is sending packets on the main IP
> (the non-aliased one), but modifying the header so they return to the
> aliased IP that was given to it when running the jail command.
>
> Is this how jail is supposed to operate, or am I doing something wrong?

I don't know about the implications of jail, but as far as I know, when you have multiple interfaces going to the same subnet (in your case your provider and the internet), only one of those IPs can have its netmask set for that subnet, and all the other netmasks have to be 255.255.255.255. This implies that all outbound packets routed to your gateway (presumably your provider) are routed through that one IP.
mario;> From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:00:06 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BC3616A41C for ; Wed, 29 Jun 2005 21:00:06 +0000 (GMT) (envelope-from rcoleman@criticalmagic.com) Received: from saturn.criticalmagic.com (saturn.criticalmagic.com [69.61.68.51]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2FDDE43D53 for ; Wed, 29 Jun 2005 21:00:06 +0000 (GMT) (envelope-from rcoleman@criticalmagic.com) Received: from [10.40.30.162] (delta.ciphertrust.com [216.235.158.34]) by saturn.criticalmagic.com (Postfix) with ESMTP id 4B84F3BD2A; Wed, 29 Jun 2005 17:00:05 -0400 (EDT) Message-ID: <42C30C13.8090302@criticalmagic.com> Date: Wed, 29 Jun 2005 17:01:07 -0400 From: Richard Coleman Organization: Critical Magic User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050502) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Uwe Doering References: <42BC5054.908@criticalmagic.com> <42BD3AB4.2030209@geminix.org> In-Reply-To: <42BD3AB4.2030209@geminix.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: Any status on timestamp vulnerability fix for 4.X? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2005 21:00:06 -0000 Uwe Doering wrote: > Richard Coleman wrote: > >> Any information on when (or if) the following timestamp vulnerability >> will be fixed for 4.X? Any information would be appreciated. 
>> >> http://www.kb.cert.org/vuls/id/637934 > > > FYI, the fix for RELENG_5 applies to RELENG_4 as is (apart from the CVS > version header, of course): > > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=u > > > After verifying its semantic correctness for RELENG_4 we've been running > the patch for a couple of weeks now with no ill effects. > > I'm posting this also as an encouragement for committers to go ahead and > do the MFC. It's low hanging fruit. > > Uwe We tried applying that diff to 4.10, but compilation failed with tcp_input.o: In function 'tcp_dooptions': tcp_input.o(.text+0x21d8): undefined reference to 'TSTMP_GT' Did you just define that macro? Or was something else required? Thanks for the help. Richard Coleman rcoleman@criticalmagic.com From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:37:27 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D57A516A41C; Wed, 29 Jun 2005 21:37:27 +0000 (GMT) (envelope-from scheidell@secnap.net) Received: from 0.mail.spammertrap.net (0.mail.spammertrap.net [204.89.241.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id A55DB43D4C; Wed, 29 Jun 2005 21:37:27 +0000 (GMT) (envelope-from scheidell@secnap.net) Received: from localhost (localhost [127.0.0.1]) by 0.mail.spammertrap.net (Postfix) with ESMTP id 9819618F3BE; Wed, 29 Jun 2005 17:37:24 -0400 (EDT) Received: from secnap2.secnap.com (secnap2.secnap.com [204.89.241.128]) by 0.mail.spammertrap.net (Postfix) with ESMTP id BCF8218F3BC; Wed, 29 Jun 2005 17:37:16 -0400 (EDT) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0 Date: Wed, 29 Jun 2005 17:37:16 -0400 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Perl master site 
From: "Michael Scheidell"
Cc: tobez@freebsd.org
Subject: Perl master site changed to tobez.org?

Tobez: no disrespect intended, obviously you saw a problem with the master sites for perl 5.8.7 and did what you could to help, and with your position as a maintainer, I know that the trust we have in you and your patches is well earned, so don't take this question as anything but my well-earned paranoia rearing its ugly head:

Yes, building perl5.8.7 did seem like it had a lot of problems with the master_sites, which is why I went to the freebsd ports cvs tree and looked to see if they had fixed it; however, I believe it would be prudent for me to ask: How safe is this site of yours?

And, yes, in some of my build scripts I pull the distfiles from our local system due to some issues with some of the sites; however, how safe is tobez.org from hacking?

(ok, so, how safe is OUR site from hacking) or anyone's for that matter, so please don't take this as a challenge. I have enough to do not to have to go rebuilding our servers.
(from new Makefile for perl5.8)

MASTER_SITES=	${MASTER_SITE_PERL_CPAN} \
		${MASTER_SITE_LOCAL:S/$/:local/} \
		http://www.tobez.org/download/port-mirrors/lang/perl58/:local
MASTER_SITE_SUBDIR=	../../src \
		tobez/:local ./:local

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:41:34 2005
Date: Wed, 29 Jun 2005 14:41:02 -0700
From: Colin Percival
To: Michael Scheidell
Cc: freebsd-security@freebsd.org
Subject: Re: Perl master site changed to tobez.org?

Michael Scheidell wrote:
> How safe is this site of yours?

This doesn't matter (much), since the ports code checks MD5 hashes before trusting a downloaded distfile.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:42:40 2005
Date: Wed, 29 Jun 2005 17:42:39 -0400
From: "Michael Scheidell"
To: "Colin Percival"
Cc: freebsd-security@freebsd.org
Subject: RE: Perl master site changed to tobez.org?

Ok, yes, there is that... Thanks.

> -----Original Message-----
> From: Colin Percival [mailto:cperciva@freebsd.org]
> Sent: Wednesday, June 29, 2005 5:41 PM
> To: Michael Scheidell
> Cc: freebsd-security@freebsd.org
> Subject: Re: Perl master site changed to tobez.org?
>
> Michael Scheidell wrote:
> > How safe is this site of yours?
>
> This doesn't matter (much), since the ports code checks MD5
> hashes before trusting a downloaded distfile.
>
> Colin Percival
>

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:43:38 2005
Date: Wed, 29 Jun 2005 17:43:36 -0400
From: Kris Kennaway
To: Colin Percival
Cc: Michael Scheidell, freebsd-security@freebsd.org
Subject: Re: Perl master site changed to tobez.org?

On Wed, Jun 29, 2005 at 02:41:02PM -0700, Colin Percival wrote:
> Michael Scheidell wrote:
> > How safe is this site of yours?
>
> This doesn't matter (much), since the ports code checks MD5 hashes
> before trusting a downloaded distfile.
Well, after, but before using it :)

Kris

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:51:27 2005
Date: Wed, 29 Jun 2005 23:51:24 +0200
From: Uwe Doering
Organization: Private UNIX Site
To: Richard Coleman
Cc: freebsd-security@freebsd.org
Subject: Re: Any status on timestamp vulnerability fix for 4.X?
Richard Coleman wrote:
> Uwe Doering wrote:
>
>> Richard Coleman wrote:
>>
>>> Any information on when (or if) the following timestamp vulnerability
>>> will be fixed for 4.X? Any information would be appreciated.
>>>
>>> http://www.kb.cert.org/vuls/id/637934
>>
>> FYI, the fix for RELENG_5 applies to RELENG_4 as is (apart from the
>> CVS version header, of course):
>>
>> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c.diff?r1=1.252.2.15&r2=1.252.2.16&f=u
>>
>> After verifying its semantic correctness for RELENG_4 we've been
>> running the patch for a couple of weeks now with no ill effects.
>>
>> I'm posting this also as an encouragement for committers to go ahead
>> and do the MFC. It's low hanging fruit.
>>
>> Uwe
>
> We tried applying that diff to 4.10, but compilation failed with
>
> tcp_input.o: In function 'tcp_dooptions':
> tcp_input.o(.text+0x21d8): undefined reference to 'TSTMP_GT'
>
> Did you just define that macro? Or was something else required?

Well, this MFC affected two files, actually. I didn't mention it explicitly because I considered it obvious from the accompanying CVS comment:

---------------- cut here ----------------
MFC: rev 1.270 of tcp_input.c, rev 1.25 of tcp_seq.h

- Tighten up the Timestamp checks to prevent a spoofed segment from
  setting ts_recent to an arbitrary value, stopping further communication
  between the two hosts.

- If the Echoed Timestamp is greater than the current time, fall back to
  the non RFC 1323 RTT calculation.
---------------- cut here ----------------

So 'tcp_seq.h' needs to be patched, too.
Here's the direct link to that diff:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_seq.h.diff?r1=1.22.2.1&r2=1.22.2.2&f=u

With both patches in place the kernel ought to compile correctly. Hope it works for you now.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:54:54 2005
Date: Wed, 29 Jun 2005 21:54:53 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:13.ipfw

=============================================================================
FreeBSD-SA-05:13.ipfw                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ipfw packet matching errors with address tables

Category:       core
Module:         netinet
Announced:      2005-06-29
Credits:        Max Laier
Affects:        FreeBSD 5.4-RELEASE
Corrected:      2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
CVE Name:       CAN-2005-2019

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ipfw(8) is a system facility which allows IP packet filtering,
redirecting, and traffic accounting. ipfw lookup tables are a way to
specify many IP addresses which can be used for packet matching in an
efficient manner.

II.  Problem Description

The ipfw tables lookup code caches the result of the last query. The
kernel may process multiple packets concurrently, performing several
concurrent table lookups. Due to insufficient locking, a cached result
can become corrupted, which could cause some addresses to be incorrectly
matched against a lookup table.

III. Impact

When lookup tables are used with ipfw, packets may on very rare
occasions incorrectly match a lookup table. This could result in a
packet being treated contrary to the defined packet filtering ruleset.
For example, a packet may be allowed to pass through when it should have
been discarded.

The problem can only occur on Symmetric Multi-Processor (SMP) systems,
or on Uni Processor (UP) systems with the PREEMPTION kernel option
enabled (not the default).

IV.  Workaround

a) Do not use lookup tables.

OR

b) Disable concurrent processing of packets in the network stack by
setting the "debug.mpsafenet=0" tunable:

# echo "debug.mpsafenet=0" >> /boot/loader.conf

V.
Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:13/ipfw.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:13/ipfw.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/netinet/ip_fw2.c                                       1.70.2.14
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.12
  src/sys/conf/newvers.sh                                     1.62.2.18.2.8
  src/sys/netinet/ip_fw2.c                                   1.70.2.10.2.1
- -------------------------------------------------------------------------

VII.
References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2019

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:13.ipfw.asc

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:55:00 2005
Date: Wed, 29 Jun 2005 21:55:00 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2
=============================================================================
FreeBSD-SA-05:14.bzip2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          bzip2 denial of service and permission race vulnerabilities

Category:       contrib
Module:         contrib_bzip2
Announced:      2005-06-29
Credits:        Imran Ghory, Chris Evans
Affects:        All FreeBSD releases
Corrected:      2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
                2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
                2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
                2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
                2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name:       CAN-2005-0953, CAN-2005-1260

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

bzip2 is a block-sorting file compression utility.

II.  Problem Description

Two problems have been discovered relating to the extraction of
bzip2-compressed files. First, a carefully constructed invalid bzip2
archive can cause bzip2 to enter an infinite loop. Second, when creating
a new file, bzip2 closes the file before setting its permissions.

III. Impact

The first problem can cause bzip2 to extract a bzip2 archive to an
infinitely large file. If bzip2 is used in automated processing of
untrusted files this could be exploited by an attacker to create a
denial-of-service situation by exhausting disk space or by consuming all
available CPU time.

The second problem can allow a local attacker to change the permissions
of local files owned by the user executing bzip2, providing that they
have write access to the directory in which the file is being extracted.

IV.  Workaround

Do not uncompress bzip2 archives from untrusted sources and do not
uncompress files in directories where untrusted users have write access.

V.
Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:14/bzip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/bzip2
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  contrib/bzip2/bzip2.c                                        1.1.1.1.2.3
  contrib/bzip2/bzlib.c                                        1.1.1.1.2.3
  contrib/bzip2/compress.c                                     1.1.1.1.2.3
  contrib/bzip2/decompress.c                                   1.1.1.1.2.3
  contrib/bzip2/huffman.c                                      1.1.1.1.2.3
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.12
  src/sys/conf/newvers.sh                                    1.44.2.39.2.15
  contrib/bzip2/bzip2.c                                   1.1.1.1.2.2.12.1
  contrib/bzip2/bzlib.c                                   1.1.1.1.2.2.12.1
  contrib/bzip2/compress.c                                1.1.1.1.2.2.12.1
  contrib/bzip2/decompress.c                              1.1.1.1.2.2.12.1
  contrib/bzip2/huffman.c                                 1.1.1.1.2.2.12.1
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.17
  src/sys/conf/newvers.sh                                    1.44.2.34.2.18
  contrib/bzip2/bzip2.c                                   1.1.1.1.2.2.10.1
  contrib/bzip2/bzlib.c                                   1.1.1.1.2.2.10.1
  contrib/bzip2/compress.c                                1.1.1.1.2.2.10.1
  contrib/bzip2/decompress.c                              1.1.1.1.2.2.10.1
  contrib/bzip2/huffman.c                                 1.1.1.1.2.2.10.1
RELENG_5
  contrib/bzip2/bzip2.c                                        1.1.1.2.8.1
  contrib/bzip2/bzlib.c                                        1.1.1.2.8.1
  contrib/bzip2/compress.c                                     1.1.1.2.8.1
  contrib/bzip2/decompress.c                                   1.1.1.2.8.1
  contrib/bzip2/huffman.c
                                                               1.1.1.2.8.1
RELENG_5_4
  src/UPDATING                                             1.342.2.24.2.12
  src/sys/conf/newvers.sh                                    1.62.2.18.2.8
  contrib/bzip2/bzip2.c                                       1.1.1.2.12.1
  contrib/bzip2/bzlib.c                                       1.1.1.2.12.1
  contrib/bzip2/compress.c                                    1.1.1.2.12.1
  contrib/bzip2/decompress.c                                  1.1.1.2.12.1
  contrib/bzip2/huffman.c                                     1.1.1.2.12.1
RELENG_5_3
  src/UPDATING                                             1.342.2.13.2.20
  src/sys/conf/newvers.sh                                   1.62.2.15.2.22
  contrib/bzip2/bzip2.c                                       1.1.1.2.10.1
  contrib/bzip2/bzlib.c                                       1.1.1.2.10.1
  contrib/bzip2/compress.c                                    1.1.1.2.10.1
  contrib/bzip2/decompress.c                                  1.1.1.2.10.1
  contrib/bzip2/huffman.c                                     1.1.1.2.10.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0953
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1260
http://marc.theaimsgroup.com/?l=bugtraq&m=111229375217633
http://scary.beasts.org/security/CESA-2005-002.txt

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:14.bzip.asc

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:55:05 2005
Date: Wed, 29 Jun 2005 21:55:04 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:15.tcp

=============================================================================
FreeBSD-SA-05:15.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP connection stall denial of service

Category:       core
Module:         inet
Announced:      2005-06-29
Credits:        Noritoshi Demizu
Affects:        All FreeBSD releases.
Corrected:      2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE)
                2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3)
                2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17)
                2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE)
                2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11)
                2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16)
CVE Name:       CAN-2005-0356, CAN-2005-2068

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. TCP timestamps are used to measure Round-Trip Time and
in the Protect Against Wrapped Sequences (PAWS) algorithm.
TCP packets with the SYN flag set are used during setup of new TCP
connections.

II.  Problem Description

Two problems have been discovered in the FreeBSD TCP stack. First, when
a TCP packet containing a timestamp is received, inadequate checking of
sequence numbers is performed, allowing an attacker to artificially
increase the internal "recent" timestamp for a connection. Second, a
TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.

III. Impact

Using either of the two problems an attacker with knowledge of the local
and remote IP and port numbers associated with a connection can cause a
denial of service situation by stalling the TCP connection. The stalled
TCP connection may be closed after some time by the other host.

IV.  Workaround

In some cases it may be possible to defend against these attacks by
blocking the attack packets using a firewall. Packets used to effect
either of these attacks would have spoofed source IP addresses.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp4.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:15/tcp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.
Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/netinet/tcp_input.c                                   1.107.2.44
RELENG_4_11
  src/UPDATING                                               1.73.2.91.2.12
  src/sys/conf/newvers.sh                                    1.44.2.39.2.15
  src/sys/netinet/tcp_input.c                               1.107.2.41.4.3
RELENG_4_10
  src/UPDATING                                               1.73.2.90.2.17
  src/sys/conf/newvers.sh                                    1.44.2.34.2.18
  src/sys/netinet/tcp_input.c                               1.107.2.41.2.1
RELENG_5
  src/sys/netinet/tcp_input.c                                   1.252.2.16
RELENG_5_4
  src/UPDATING                                              1.342.2.24.2.12
  src/sys/conf/newvers.sh                                     1.62.2.18.2.8
  src/sys/netinet/tcp_input.c                                1.252.2.14.2.1
RELENG_5_3
  src/UPDATING                                              1.342.2.13.2.20
  src/sys/conf/newvers.sh                                    1.62.2.15.2.22
  src/sys/netinet/tcp_input.c                                     1.252.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2068
http://www.kb.cert.org/vuls/id/637934

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:15.tcp.asc

From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 21:58:31 2005
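The timestamp checks that the quoted MFC comment and FreeBSD-SA-05:15.tcp describe, as an added example in C: this is a model written for this page, not FreeBSD's tcp_input.c or tcp_seq.h, and the struct fields, the 'ticks' clock rate and the scenario values are assumptions. It shows the pre-fix ts_recent update beside the tightened one, and why the extra sequence check stops a spoofed segment from stalling the connection through PAWS.

```c
#include <stdbool.h>
#include <stdint.h>

/* 32-bit modular comparisons, in the style of <netinet/tcp_seq.h>;
 * TSTMP_GT is the macro Richard's 4.10 build reported missing. */
#define SEQ_LEQ(a, b)   ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define TSTMP_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)
#define TSTMP_GT(a, b)  ((int32_t)((a) - (b)) > 0)

#define TH_FIN 0x01
#define TH_SYN 0x02
#define HZ_MODEL 1000                                   /* assumed tick rate */
#define TCP_PAWS_IDLE ((uint32_t)24 * 24 * 60 * 60 * HZ_MODEL)   /* 24 days */

struct tcpcb_model {               /* PAWS-related part of a control block */
    uint32_t last_ack_sent;        /* highest ACK number this side has sent */
    uint32_t ts_recent;            /* timestamp to echo, per RFC 1323 */
    uint32_t ts_recent_age;        /* ticks when ts_recent was last updated */
};

struct seg_model {                 /* fields of an incoming segment we need */
    uint32_t seq, len;             /* sequence number, payload bytes */
    uint8_t  flags;
    uint32_t tsval, tsecr;         /* timestamp option; tsecr 0 if absent */
};

/* Pre-fix rule: any segment at or below last_ack_sent that carries a newer
 * TSval replaces ts_recent, so a segment with an arbitrarily old sequence
 * number can push ts_recent far ahead of the peer's real clock. */
static bool
update_ts_recent_old(struct tcpcb_model *tp, const struct seg_model *s,
    uint32_t ticks)
{
    if (TSTMP_GEQ(s->tsval, tp->ts_recent) &&
        SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        tp->ts_recent = s->tsval;
        tp->ts_recent_age = ticks;
        return true;
    }
    return false;
}

/* Tightened rule from the MFC: the segment must also cover last_ack_sent,
 * i.e. seq <= last_ack_sent <= seq + len (+1 for SYN/FIN), so only a
 * segment holding the next expected byte may update ts_recent. */
static bool
update_ts_recent_new(struct tcpcb_model *tp, const struct seg_model *s,
    uint32_t ticks)
{
    uint32_t end = s->seq + s->len + ((s->flags & (TH_SYN | TH_FIN)) != 0);

    if (TSTMP_GEQ(s->tsval, tp->ts_recent) &&
        SEQ_LEQ(s->seq, tp->last_ack_sent) &&
        SEQ_LEQ(tp->last_ack_sent, end)) {
        tp->ts_recent = s->tsval;
        tp->ts_recent_age = ticks;
        return true;
    }
    return false;
}

/* PAWS: drop a segment whose TSval is older than a still-fresh ts_recent. */
static bool
paws_reject(const struct tcpcb_model *tp, uint32_t tsval, uint32_t ticks)
{
    return TSTMP_LT(tsval, tp->ts_recent) &&
        ticks - tp->ts_recent_age <= TCP_PAWS_IDLE;
}

/* Second MFC item: an echoed timestamp later than our own clock cannot be
 * one we sent, so RTT measurement must ignore it (non-RFC 1323 fallback). */
static bool
tsecr_usable(uint32_t tsecr, uint32_t ticks)
{
    return tsecr != 0 && !TSTMP_GT(tsecr, ticks);
}

/* Replay the advisory's scenario under one of the two rules: a spoofed
 * segment with a far-past sequence number and a huge TSval, then a genuine
 * in-sequence segment. True means the genuine segment passes PAWS. */
static bool
connection_survives(bool tightened)
{
    struct tcpcb_model tp = { .last_ack_sent = 1000, .ts_recent = 500,
                              .ts_recent_age = 100 };
    uint32_t ticks = 200;
    /* Constructed values: spoof sits 5000 bytes behind, TSval 2^30 ahead. */
    struct seg_model spoof = { .seq = 1000u - 5000u, .len = 0, .flags = 0,
                               .tsval = 500 + 0x40000000, .tsecr = 0 };
    struct seg_model real = { .seq = 1000, .len = 100, .flags = 0,
                              .tsval = 510, .tsecr = 150 };

    if (tightened)
        update_ts_recent_new(&tp, &spoof, ticks);
    else
        update_ts_recent_old(&tp, &spoof, ticks);
    ticks += 10;
    return !paws_reject(&tp, real.tsval, ticks);
}
```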
Date: Wed, 29 Jun 2005 14:57:45 -0700
From: Colin Percival
To: Uwe Doering
Cc: freebsd-security@freebsd.org, Richard Coleman
Subject: Re: Any status on timestamp vulnerability fix for 4.X?

Uwe Doering wrote:
> So 'tcp_seq.h' needs to be patched, too. [...]

Or you could just follow the instructions in FreeBSD-SA-05:15.tcp.
:-) Colin Percival From owner-freebsd-security@FreeBSD.ORG Thu Jun 30 06:51:47 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3523716A41C for ; Thu, 30 Jun 2005 06:51:47 +0000 (GMT) (envelope-from mohanchandra_01@yahoo.co.in) Received: from web8502.mail.in.yahoo.com (web8502.mail.in.yahoo.com [202.43.219.164]) by mx1.FreeBSD.org (Postfix) with SMTP id 0F8FE43D1D for ; Thu, 30 Jun 2005 06:51:45 +0000 (GMT) (envelope-from mohanchandra_01@yahoo.co.in) Received: (qmail 8708 invoked by uid 60001); 30 Jun 2005 06:51:43 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=arO3EoyeQbnkAGIjZsc0x8+VhW511bEcf0jquCITRT2gBm6j5HMftA5GSWElr6GAj3igNzfHe5h14p2mNVl5TcQfPDawdHpzwMSqiYeAsSrgqk+fC8r9txLgfOkadCbvPznXjq/IBoJLY+/zjyZ5Ibna/HgiMYfw7MLeezR10t8= ; Message-ID: <20050630065143.8706.qmail@web8502.mail.in.yahoo.com> Received: from [203.126.245.198] by web8502.mail.in.yahoo.com via HTTP; Thu, 30 Jun 2005 07:51:43 BST Date: Thu, 30 Jun 2005 07:51:43 +0100 (BST) From: mohan chandra To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-2132320001-1120114303=:8698" Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems...? 
Hi All,

I need to establish an IPSec tunnel between two FreeBSD systems using IPv6 addresses. The connection is host-to-host between two FreeBSD (RELEASE 4.11) systems with KAME IPSec implementation.

               |----------------->|
 host1-[mohan] |                  | host2-[ram]
               |<-----------------|

host1 IPv6 address : fe80::2b0:d0ff:fe6f:dfa0
host2 IPv6 address : fe80::2b0:d0ff:fe48:7ce7

The 'ipsec.conf' file at Host1 and Host2 are attached along with this email. (you can refer them)

IPsec is started with the following commands at both systems:

*******at Host1*******
mohan# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
mohan#
*******************

*******at Host2*******
ram# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
ram#
*******************

(File setkey.sh is also attached with the email below for your reference)

After that I executed 'ping6' and 'tcpdump' commands to test the connection (on my system i.e., host1-mohan), but it seems it is not working properly...

########### ping6 command output at host1 ############
mohan# ping6 -I xl0 fe80::2b0:d0ff:fe48:7ce7
PING6(56=40+8+8 bytes) fe80::2b0:d0ff:fe6f:dfa0%xl0 --> fe80::2b0:d0ff:fe48:7ce7
^C
--- fe80::2b0:d0ff:fe48:7ce7 ping6 statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
mohan#
#############################################

But, with tcpdump command it seems like packets are moving from host1 to host2 without ESP (encryption) and reply packets from host2 to host1 with ESP (encryption) header. It is shown in the following output:

########## tcpdump at host1 ###################
mohan# tcpdump -i xl0 host fe80::2b0:d0ff:fe6f:dfa0
tcpdump: listening on xl0
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] > ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)
10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)
10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)
10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)
10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)
######################################

Please, reply me what is the problem with the connection setup. Inform me is there any mistakes with the ipsec.conf file, policy setup..? Reply as soon as possible.. If you need any detail regarding the setup, I will send the details.. Please, give me proper suggestions.. any help will be appreciated greatly..

Thanx, with Regards
Mohan.

Content-Disposition: inline; filename="ipsec-host1.conf"

########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;

Content-Disposition: inline; filename="ipsec-host2.conf"

########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;

From owner-freebsd-security@FreeBSD.ORG Thu Jun 30 06:58:14 2005
From: Tobias Roth
Date: Thu, 30 Jun 2005 08:58:10 +0200
To: mohan chandra
Cc: freebsd-security@freebsd.org
Subject: Re: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems...?
Message-ID: <20050630065810.GA15451@droopy.unibe.ch>
In-Reply-To: <20050630065143.8706.qmail@web8502.mail.in.yahoo.com>

On Thu, Jun 30, 2005 at 07:51:43AM +0100, mohan chandra wrote:
> Hi All,
>
> I need to establish an IPSec tunnel between two
> FreeBSD systems using IPv6 addresses. The connection is
> host-to-host between two FreeBSD (RELEASE 4.11)
> systems with KAME IPSec implementation.
[snip]

Hi

Please resend this question to freebsd-questions@freebsd.org, as it does not belong on this list. If you are unsure what to send to which list, see the list charters at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources.html

thanks,
t.

From owner-freebsd-security@FreeBSD.ORG Thu Jun 30 07:07:38 2005
From: mohan chandra
Date: Thu, 30 Jun 2005 08:07:25 +0100 (BST)
To: freebsd-security@freebsd.org
Message-ID: <20050630070725.79493.qmail@web8510.mail.in.yahoo.com>
Subject: Problem with IPSec tunnel, using IPv6 addresses, .........

Hi All,

What I sent in the previous mail is only the problem that occurs because of using IPv6 addresses. But the connection works with IPv4 addresses without any problem.

Thanx,
Mohan.

From owner-freebsd-security@FreeBSD.ORG Fri Jul 1 04:49:57 2005
From: mohan chandra
Date: Fri, 1 Jul 2005 05:49:53 +0100 (BST)
To: freebsd-security@freebsd.org
Message-ID: <20050701044953.82131.qmail@web8501.mail.in.yahoo.com>
Subject: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems.....

Hi All,

I need to establish an IPSec tunnel between two FreeBSD systems, using IPv6 addresses. The connection is host-to-host between two FreeBSD (RELEASE 4.11) systems with KAME IPSec implementation. I tried to establish the connection, but it has some problems which are explained below.

               |----------------->|
 host1-[mohan] |                  | host2-[ram]
               |<-----------------|

host1 IPv6 address : fe80::2b0:d0ff:fe6f:dfa0
host2 IPv6 address : fe80::2b0:d0ff:fe48:7ce7

The 'ipsec.conf' file at Host1 and Host2 are attached along with this email. (you can refer them)

IPsec is started with the following commands at both systems: (ipsec SA & SPD are set according to ipsec.conf files at both sides)

*******at Host1*******
mohan# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
mohan#
*******************

*******at Host2*******
ram# /usr/local/etc/rc.d/setkey.sh start
Starting VPN tunnel encryption..Ok
ram#
*******************

(File setkey.sh is also attached with the email below for your reference)

After that I executed 'ping6' and 'tcpdump' commands to test the ipsec connection (on my system i.e., host1-mohan), but it seems it is not working properly...

########### ping6 command output at host1 ############
mohan# ping6 -I xl0 fe80::2b0:d0ff:fe48:7ce7
PING6(56=40+8+8 bytes) fe80::2b0:d0ff:fe6f:dfa0%xl0 --> fe80::2b0:d0ff:fe48:7ce7
^C
--- fe80::2b0:d0ff:fe48:7ce7 ping6 statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
mohan#
#############################################

But, with tcpdump command it seems like packets are moving from host1 to host2 without ESP (encryption) and reply packets from host2 to host1 with ESP (encryption) header. It is shown in the following output:

########## tcpdump at host1 ###################
mohan# tcpdump -i xl0 host fe80::2b0:d0ff:fe6f:dfa0
tcpdump: listening on xl0
10:08:43.844723 fe80::2b0:d0ff:fe6f:dfa0[host1] > ff02::1:ff48:7ce7[host2]: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:43.845127 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0xf)
10:08:44.844736 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:44.845109 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x10)
10:08:48.844804 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:48.845150 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x13)
10:08:49.085694 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x14)
10:08:49.844840 fe80::2b0:d0ff:fe6f:dfa0 > ff02::1:ff48:7ce7: icmp6: neighbor sol: who has fe80::2b0:d0ff:fe48:7ce7
10:08:49.845232 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x15)
10:08:50.085696 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x16)
10:08:51.085741 fe80::2b0:d0ff:fe48:7ce7 > fe80::2b0:d0ff:fe6f:dfa0: ESP(spi=0x0000fead,seq=0x17)
######################################

Please, reply me what is the problem with the connection setup. Inform me is there any mistakes with the ipsec.conf files attached with this email or policy setup..? Reply as soon as possible.. The connection works with IPv4 addresses without any problems. If you need any detail regarding the setup, I will send you the details.. Please, give me proper suggestions.. any help will be greatly appreciated..

Thanx, with Regards
Mohan.

Content-Disposition: inline; filename="ipsec-host1.conf"

########The 'ipsec.conf' file at Host1 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;

Content-Disposition: inline; filename="ipsec-host2.conf"

########The 'ipsec.conf' file at Host2 #########
# flush configs
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;

From owner-freebsd-security@FreeBSD.ORG Fri Jul 1 12:26:14 2005
From: shiner chen
Date: Fri, 1 Jul 2005 20:26:02 +0800 (CST)
To: freebsd-security@freebsd.org
Message-ID: <20050701122603.39773.qmail@web15509.mail.cnb.yahoo.com>
Subject: how to ignore the arp request for the alias ip in freebsd
I only want to ignore the ARP requests for the alias IP; at the same time I don't want to disable the ARP function of the interface. How do I do that? thanks!

From owner-freebsd-security@FreeBSD.ORG Fri Jul 1 13:12:10 2005
From: Vladimir Grebenschikov
Date: Fri, 01 Jul 2005 17:12:02 +0400
To: shiner chen
Cc: freebsd-security@freebsd.org
Reply-To: vova@fbsd.ru
Subject: Re: how to ignore the arp request for the alias ip in freebsd
Message-Id: <1120223522.1232.11.camel@localhost>
In-Reply-To: <20050701122603.39773.qmail@web15509.mail.cnb.yahoo.com>

On Fri, 01/07/2005 at 20:26 +0800, shiner chen wrote:
> I only want to ignore the ARP requests for the alias IP; at the same time I
> don't want to disable the ARP function of the interface. How do I do that? thanks!

Probably you need to assign this IP on the loopback interface.

This address will no longer be used for ARP, but it can still be reached if the other hosts on the ethernet have a route to it (IPv4 gw based or LLaddr gw based).

But there are some drawbacks too: source IP address autoselection will not choose this IP when you connect to another host.

--
Vladimir B. Grebenschikov
vova@fbsd.ru

From owner-freebsd-security@FreeBSD.ORG Fri Jul 1 18:19:52 2005
From: "saurabh.bhasin"
Date: Thu, 30 Jun 2005 21:53:00 -0700
To: mohan chandra
Cc: freebsd-security@freebsd.org
Subject: Re: Problem with IPSec tunnel, using IPv6 addresses, between Two FreeBSD systems.....
Message-ID: <42C4CC2C.9090507@bhasin.in>
In-Reply-To: <20050701044953.82131.qmail@web8501.mail.in.yahoo.com>

Resending this message to this list will not yield any answers. Please send your questions to the correct list (freebsd-questions).

mohan chandra wrote:
> Hi All,
>
> I need to establish an IPSec tunnel between two
> FreeBSD systems, using IPv6 addresses.
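The tcpdump output in the thread (cleartext leaving host1, ESP only in host2's direction) is consistent with host1 having loaded the host2-oriented ipsec.conf that both attachments of the first message contain. The checker below is an added example, not code from the thread or from FreeBSD: it parses the `add`/`spdadd` statements of the posted files and reports policies that are not written from the loading host's point of view, SA selectors that do not match their policy, and SA parameters the two hosts disagree on. HOST1/HOST2 are the link-local addresses from the thread; the key-size table is an assumption based on the fixed key lengths setkey(8) requires for 3des-cbc and hmac-sha1.

```python
"""Consistency checker for a pair of KAME setkey(8) ipsec.conf files.
Added example, not code from the thread or from FreeBSD. It parses the
`add` (SAD) and `spdadd` (SPD) statements posted above and checks that each
host's policies are written from its own point of view and that both hosts
agree on SPI, algorithms and keys for every SA."""
import re
import shlex

HOST1 = "fe80::2b0:d0ff:fe6f:dfa0"  # mohan
HOST2 = "fe80::2b0:d0ff:fe48:7ce7"  # ram
KEY_BYTES = {"3des-cbc": 24, "hmac-sha1": 20}  # assumed: exact sizes setkey accepts

# Copied from the thread: the file loaded on BOTH hosts in the first message
# (written from host2's point of view) and host1's file from the third one.
FIRST_MAIL_CONF = """
flush ;
spdflush ;
# add a SAD entry
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "ipv6readylogo3descbcout1" -A hmac-sha1 "ipv6readylogsha1out1";
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "ipv6readylogo3descbcin01" -A hmac-sha1 "ipv6readylogsha1in01";
# and specify what has to be encrypted
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
"""
THIRD_MAIL_HOST1_CONF = """
flush ;
spdflush ;
add fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 esp 0xFEED -m transport -E 3des-cbc "host1tohost2host1tohost2" -A hmac-sha1 "host1tohost2hmacsha1";
add fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 esp 0xFEAD -m transport -E 3des-cbc "host2tohost1host2tohost1" -A hmac-sha1 "host2tohost1hmacsha1";
spdadd fe80::2b0:d0ff:fe6f:dfa0 fe80::2b0:d0ff:fe48:7ce7 any -P out ipsec esp/transport/fe80::2b0:d0ff:fe6f:dfa0-fe80::2b0:d0ff:fe48:7ce7/require ;
spdadd fe80::2b0:d0ff:fe48:7ce7 fe80::2b0:d0ff:fe6f:dfa0 any -P in ipsec esp/transport/fe80::2b0:d0ff:fe48:7ce7-fe80::2b0:d0ff:fe6f:dfa0/require ;
"""


def parse_setkey(text):
    """Return (sad, spd): sad maps (src, dst) to the SA's parameters,
    spd maps (src, dst, direction) to the policy string."""
    sad, spd = {}, {}
    for stmt in text.split(";"):
        code = " ".join(line.split("#", 1)[0] for line in stmt.splitlines())
        toks = shlex.split(code)  # also strips the quotes around keys
        if not toks:
            continue
        if toks[0] == "add":  # add SRC DST PROTO SPI -m MODE -E ALG KEY -A ALG KEY
            sa, i = {"proto": toks[3], "spi": int(toks[4], 16)}, 5
            while i < len(toks):
                if toks[i] == "-m":
                    sa["mode"], i = toks[i + 1], i + 2
                elif toks[i] in ("-E", "-A"):
                    kind = "enc" if toks[i] == "-E" else "auth"
                    sa[kind], sa[kind + "_key"], i = toks[i + 1], toks[i + 2], i + 3
                else:
                    i += 1
            sad[(toks[1], toks[2])] = sa
        elif toks[0] == "spdadd":  # spdadd SRC DST UPPER -P DIR ipsec POLICY
            spd[(toks[1], toks[2], toks[5])] = toks[7]
    return sad, spd


def check_host(name, own, sad, spd):
    """Problems visible from one host's file alone."""
    bad = []
    for (src, dst, direction), policy in spd.items():
        if direction == "out" and src != own:
            bad.append(f"{name}: out policy {src}->{dst} is not from {own}; "
                       f"traffic {name} sends matches nothing and leaves in clear")
        if direction == "in" and dst != own:
            bad.append(f"{name}: in policy {src}->{dst} is not to {own}")
        m = re.fullmatch(r"esp/\w+/([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)/\w+", policy)
        if m is None or m.groups() != (src, dst):
            bad.append(f"{name}: SA selector in '{policy}' does not match {src}->{dst}")
        if (src, dst) not in sad:
            bad.append(f"{name}: no SA for {src}->{dst}")
    for (src, dst), sa in sad.items():
        for kind in ("enc", "auth"):
            need = KEY_BYTES.get(sa.get(kind))
            if need and len(sa[kind + "_key"]) != need:
                bad.append(f"{name}: {sa[kind]} key for {src}->{dst} must be {need} bytes")
    return bad


def check_pair(sad_a, sad_b):
    """Both hosts must hold identical parameters for each SA direction."""
    bad = []
    for src, dst in sorted(set(sad_a) | set(sad_b)):
        a, b = sad_a.get((src, dst)), sad_b.get((src, dst))
        if a is None or b is None:
            bad.append(f"SA {src}->{dst} exists on only one host")
        elif a != b:
            bad.append(f"SA {src}->{dst}: SPI, algorithm or key differs between hosts")
    return bad


if __name__ == "__main__":
    # First message: the same file was loaded on both hosts.
    sad, spd = parse_setkey(FIRST_MAIL_CONF)
    for line in check_host("host1", HOST1, sad, spd) + check_host("host2", HOST2, sad, spd):
        print(line)
```

Pairing the corrected host1 file from the third message against the first message's file also exercises the SA-agreement check, since the two use different keys for the same SPIs.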
From owner-freebsd-security@FreeBSD.ORG Sat Jul 2 22:06:50 2005
From: Jesper Wallin
Date: Sun, 03 Jul 2005 00:06:37 +0200
To: freebsd-security@freebsd.org
Message-ID: <42C70FED.8080003@hackunite.net>
Subject: packets with syn/fin vs pf_norm.c

Hi,

First of all, I know that not dropping SYN/FIN isn't really a big deal, it just makes no sense. But since it doesn't make any sense, I don't see the reason why not to discard them.

I'm running pf on FreeBSD 5.4-RELEASE-p3 and I scrub any traffic. I've read some other posts on Google and as far as I can tell, clearly invalid packets (like packets with SYN/RST set) are discarded while scrub simply removes the FIN bit on packets with SYN/FIN. Note, I have no knowledge about coding in C, so sorry if this is wrong. I checked the source and this is what I found:

/usr/src/sys/contrib/pf/net/pf_norm.c:1424:
---
	flags = th->th_flags;
	if (flags & TH_SYN) {
		/* Illegal packet */
		if (flags & TH_RST)
			goto tcp_drop;

		if (flags & TH_FIN)
			flags &= ~TH_FIN;
	} else {
		/* Illegal packet */
		if (!(flags & (TH_ACK|TH_RST)))
			goto tcp_drop;
	}
---

Wouldn't this code also check if I got TCP_DROP_SYNFIN set in my kernel and/or if I got the sysctl option for that enabled?

Also, what happens if I run this little patch I 'wrote' (remember, I don't know C ;-D)

---
1427c1427
< if (flags & TH_RST)
---
> if ((flags & TH_RST) || (flags & TH_FIN))
1429,1431d1428
<
< if (flags & TH_FIN)
< flags &= ~TH_FIN;
---

Sorry if I got all this wrong, I'm just curious how I can drop packets with the SYN/FIN bit set and still use scrub in pf.. Also, if I apply the patch above, do I need to compile the kernel, world or both?

Best regards,
Jesper Wallin
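Review bot: the new condition at line 1427 should be written as `if (flags & (TH_RST|TH_FIN))`, which does the same thing and matches the style the existing code already uses a few lines below in `(flags & (TH_ACK|TH_RST))`; with that in place, deleting lines 1429-1431 is consistent, because the FIN-clearing branch can no longer be reached once a SYN/FIN segment takes the `goto tcp_drop` path. The change is unconditional, so it does not consult the TCP_DROP_SYNFIN kernel option or sysctl the message asks about; if that is the intent, the new drop needs to be wrapped in the corresponding check, and the `/* Illegal packet */` comment above it should say that SYN/FIN is now rejected rather than normalized. On the build question: the patched file lives under /usr/src/sys, so only the kernel has to be rebuilt, not world.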