From owner-freebsd-pf@FreeBSD.ORG Mon May 15 02:24:45 2006
Date: Mon, 15 May 2006 14:24:41 +1200
From: Andrew Thompson
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060515022441.GE93207@heff.fud.org.nz>
In-Reply-To: <20060508182723.GG9739@insomnia.benzedrine.cx>

On Mon, May 08, 2006 at 08:27:23PM +0200, Daniel Hartmeier wrote:
> On Mon, May 08, 2006 at 11:49:30AM -0400, Adam McDougall wrote:
>
> > Could someone possibly produce a patch to force if_bridge to
> > recalculate the checksum on every packet so I can test that as well?
> > To me, the extra load on the firewall is less important than breaking
> > packets I am trying to pass.
>
> Try the patch below, the first one is against -current and the second
> against 6.0-stable. It compiles, but is otherwise untested.

Looks good to me and it looks like it's working for Adam. Did you want to
commit this Daniel? I've made a few comments below.

> Index: if_bridge.c
> ===================================================================
> RCS file: /pub/tmp/cvs/freebsd/src/sys/net/if_bridge.c,v
> retrieving revision 1.59
> diff -u -r1.59 if_bridge.c
> --- if_bridge.c	29 Apr 2006 05:37:25 -0000	1.59
> +++ if_bridge.c	8 May 2006 18:17:40 -0000
> @@ -2590,7 +2590,7 @@ > static int > bridge_pfil(struct mbuf **mp, struct ifnet *bifp, struct ifnet *ifp, int dir) > { > - int snap, error, i; > + int snap, error, i, hlen; > struct ether_header *eh1, eh2; > struct ip_fw_args args; > struct ip *ip; > @@ -2787,8 +2787,25 @@ > > /* Restore ip and the fields ntohs()'d. */ Maybe change comment to: /* Recalculate the ip checksum and restore byte ordering */ > ip = mtod(*mp, struct ip *); > + if (ip == NULL) > + goto bad; I don't think this null check is needed, *mp can't be null. > + hlen = ip->ip_hl << 2; > + if (hlen < sizeof(struct ip)) > + goto bad; > + if (hlen > (*mp)->m_len) { > + if ((*mp = m_pullup(*mp, hlen)) == 0) > + goto bad; > + ip = mtod(*mp, struct ip *); > + if (ip == NULL) > + goto bad; > + } > ip->ip_len = htons(ip->ip_len); > ip->ip_off = htons(ip->ip_off); > + ip->ip_sum = 0; > + if (hlen == sizeof(struct ip)) > + ip->ip_sum = in_cksum_hdr(ip); > + else > + ip->ip_sum = in_cksum(*mp, hlen); > > break; > # ifdef INET6
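Review bot: the second `ip == NULL` test, the one inside the m_pullup() branch, is as redundant as the first one Andrew flagged: mtod() is a pointer cast over an mbuf that was just checked to be non-NULL, so it cannot yield NULL; the only failure to handle there is m_pullup() returning NULL, and for a pointer that comparison reads better as `== NULL` than `== 0`. Worth double-checking on that path: m_pullup() frees the chain when it fails, so `*mp` is NULL by the time control reaches `bad`, and that label has to tolerate a NULL mbuf. The proposed comment could also say why `ip->ip_sum` is computed only after `ip_len` and `ip_off` have been put back with htons(): the header checksum is defined over the on-wire byte order, so summing the host-order fields would produce a wrong value.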
From owner-freebsd-pf@FreeBSD.ORG Mon May 15 04:24:14 2006
From: GreenX FreeBSD
To: freebsd-pf@freebsd.org
Date: Mon, 15 May 2006 08:24:06 +0400
Subject: promt solution with max-src-conn-rate
Message-ID: <44680266.2090007@azimut-tour.ru>

Hi,

I wish to make it so that, for the ssh port to open for a certain IP, it is
first necessary to knock on another port. So far I have written rules like
these:

  block all
  pass in quick on $int_if inet proto tcp from any to $int_if port http keep state (max-src-conn-rate 1/60, overload )
  pass quick inet proto tcp from to $int_if port ssh

They work, but there are some things that do not suit me:
- If I change port http to any other unused port (on the http port I have a
  working apache), the source IP does not get into the table, though the
  state is created.
- It is necessary to knock two times :) since max-src-conn-rate does not
  allow setting zero.

Has somebody done similar tricks? Or does somebody know how to solve this
task another way with PF?

Best regards, GReenX.
From owner-freebsd-pf@FreeBSD.ORG Mon May 15 05:26:16 2006
Date: Sun, 14 May 2006 22:26:13 -0700
From: "Kian Mohageri"
To: "GreenX FreeBSD"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
In-Reply-To: <44680266.2090007@azimut-tour.ru>

On 5/14/06, GreenX FreeBSD wrote:
>
> They work, but there are some things that do not suit me:
> - If I change port http to any other unused port (on the http port I have
> a working apache), the source IP does not get into the table, though the
> state is created.

I would assume this is because those stateful tracking options you're using
can only be used on connections that have completed the three-way
handshake--you're probably trying to use this on a port where nothing is
listening.

http://www.openbsd.org/faq/pf/filter.html#stateopts

I'd advise against what you're trying to do.  It won't make your box more
secure.
Kian

From owner-freebsd-pf@FreeBSD.ORG Mon May 15 11:02:55 2006
Date: Mon, 15 May 2006 11:02:54 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271    pf    [pf] cbq scheduler cause bad latency
f [2005/07/31] kern/84370    pf    [modules] Unload pf.ko cause page fault
f [2005/09/13] kern/86072    pf    [pf] Packet Filter rule not working prope
o [2006/02/07] kern/92949    pf    [pf] PF + ALTQ problems with latency
o [2006/02/18] sparc64/93530 pf    Incorrect checksums when using pf's route
o [2006/02/25] kern/93829    pf    [carp] pfsync state time problem with CAR

6 problems total.

Non-critical problems
S Submitted    Tracker       Resp. Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042    pf    [pf] [patch] /etc/pf.os doesn't match Fre
o [2006/02/25] kern/93825    pf    [pf] pf reply-to doesn't work
o [2006/04/21] bin/96150     pf    pfctl(8) -k non-functional
o [2006/05/09] kern/97057    pf    IPSEC + pf stateful filtering does not wo

4 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon May 15 11:54:53 2006
Date: Mon, 15 May 2006 13:54:48 +0200
From: Daniel Hartmeier
To: Andrew Thompson
Cc: freebsd-pf@freebsd.org
Subject: Re: broken ip checksum after frag reassemble of nfs READDIR?
Message-ID: <20060515115448.GE9739@insomnia.benzedrine.cx>
In-Reply-To: <20060515022441.GE93207@heff.fud.org.nz>

On Mon, May 15, 2006 at 02:24:41PM +1200, Andrew Thompson wrote:
> Looks good to me and it looks like it's working for Adam. Did you want to
> commit this Daniel? I've made a few comments below.

Committed to HEAD including your changes.
Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon May 15 12:28:09 2006
Date: Mon, 15 May 2006 16:28:03 +0400
From: GreenX FreeBSD
To: Kian Mohageri, freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
Message-ID: <446873D3.7090703@azimut-tour.ru>

Kian Mohageri writes:
> you're probably trying to use this on a port where nothing is listening.

Yes, I understand that, and I wrote about it in my letter. I am thinking
about how to make it work on a port that is not listening. It is certainly
possible simply to redirect to some service that responds, but for that an
extra service is needed as well.

> I'd advise against what you're trying to do.  It won't make your box
> more secure.

Why? Simply put, you will no longer be able to get to ssh.
If I am not mistaken, the probability that the scanner will begin its check
with the "key" port and then immediately check sshd is 1 / (0xFFFF*0xFFFE).
If he does not do this, he can be caught by max-src-conn-rate on the public
services, and then all his ports can be forwarded to ssh on localhost.

Best regards, GreenX.
From owner-freebsd-pf@FreeBSD.ORG Mon May 15 16:07:40 2006
Date: Mon, 15 May 2006 11:07:36 -0500
From: "Bill Marquette"
To: "GreenX FreeBSD"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
Message-ID: <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com>
In-Reply-To: <446873D3.7090703@azimut-tour.ru>

On 5/15/06, GreenX FreeBSD wrote:
> > I'd advise against what you're trying to do.  It won't make your box
> > more secure.
> Why?
> Simply put, you will no longer be able to get to ssh.
> If I am not mistaken, the probability that the scanner will begin its
> check with the "key" port
> and then immediately check sshd is 1 / (0xFFFF*0xFFFE).
> If he does not do this, he can be caught by max-src-conn-rate
> on the public services,
> and then all his ports can be forwarded to ssh on localhost.

And you always connect from a trusted network?  Presumably the answer to
this is no, else you'd just put rules in to allow the trusted network to
connect.  Port-knocking is security through obscurity at its best and at a
minimum is wide open to replay attacks.

If the concern is simply that you don't want someone brute forcing an
account, force the use of SSH authorized keys.  Run a script watching the
logs for anyone failing logins and add those addresses to a block list.
--Bill

From owner-freebsd-pf@FreeBSD.ORG Mon May 15 16:23:26 2006
From: Viktor Vasilev
To: freebsd-pf@freebsd.org
Date: Mon, 15 May 2006 18:23:12 +0200
Subject: Re: promt solution with max-src-conn-rate
Message-Id: <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de>
In-Reply-To: <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com>

On Monday 15 May 2006 18:07 Bill Marquette wrote:
> On 5/15/06, GreenX FreeBSD wrote:
> > > I'd advise against what you're trying to do.  It won't make your box
> > > more secure.
> >
> > Why?
> > Simply put, you will no longer be able to get to ssh.
> > If I am not mistaken, the probability that the scanner will begin its
> > check with the "key" port
> > and then immediately check sshd is 1 / (0xFFFF*0xFFFE).
> > If he does not do this, he can be caught by max-src-conn-rate
> > on the public services,
> > and then all his ports can be forwarded to ssh on localhost.
>
> And you always connect from a trusted network?  Presumably the answer
> to this is no, else you'd just put rules in to allow the trusted
> network to connect.  Port-knocking is security through obscurity at
> its best and at a minimum is wide open to replay attacks.
>
> If the concern is simply that you don't want someone brute forcing an
> account, force the use of SSH authorized keys.  Run a script watching
> the logs for anyone failing logins and add those addresses to a block
> list.

There is a nice and easy way of blocking ssh brute-force attempts with pf
only:

http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html

Cheers,
Vik

--
PGP Key: 0xE09DC8D8/6799 4011 EBDE 6412 05A1 090C DBDF 5887 E09D C8D8
Signed/encrypted mail welcome!

From owner-freebsd-pf@FreeBSD.ORG Mon May 15 23:17:47 2006
Date: Mon, 15 May 2006 16:17:45 -0700
From: "Kian Mohageri"
To: "Viktor Vasilev"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
In-Reply-To: <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de>

> There is a nice and easy way of blocking ssh brute-force attempts with pf
> only:
>
> http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html

Exactly.  This is a much cleaner solution than portknocking to stop brute
force attacks.  I recently implemented this on a few of my servers.
From owner-freebsd-pf@FreeBSD.ORG Mon May 15 23:25:44 2006
Date: Tue, 16 May 2006 01:25:42 +0200 (CEST)
From: "Max Laier"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
Message-ID: <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>

On Tue, May 16, 2006 1:17 am, Kian Mohageri wrote:
>> There is a nice and easy way of blocking ssh brute-force attempts with
>> pf only:
>>
>> http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
>
> Exactly.  This is a much cleaner solution than portknocking to stop brute
> force attacks.  I recently implemented this on a few of my servers.

You have to be aware that this otoh might open you to DoS attacks.  People
spoofing connections from your address will lock you out from your own
server.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue May 16 01:29:30 2006
Date: Mon, 15 May 2006 21:29:25 -0400
From: "Scott Ullrich"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate
In-Reply-To: <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org>

On 5/15/06, Max Laier wrote:
> You have to be aware that this otoh might open you to DoS attacks.  People
> spoofing connections from your address will lock you out from your own
> server.

An alternative is available for PF that monitors the ssh syslog.
Take a look at:
http://pfsense.com/cgi-bin/cvsweb.cgi/tools/pfPorts/sshlockout_pf/files/sshlockout_pf.c?rev=1.1

Scott

From owner-freebsd-pf@FreeBSD.ORG Tue May 16 01:54:48 2006
Message-Id: <340DFC1B-2620-4997-B495-67FA88F8662F@orthanc.ca>
From: Lyndon Nerenberg
Date: Mon, 15 May 2006 18:54:40 -0700
To: freebsd-pf@freebsd.org
Subject: Re: promt solution with max-src-conn-rate

On May 15, 2006, at 6:29 PM, Scott Ullrich wrote:
>> You have to be aware that this otoh might open you to DoS
>> attacks.  People
>> spoofing connections from your address will lock you out from your
>> own
>> server.
>
> An alternative is available for PF that monitors the ssh syslog.
>
> Take a look at:
> http://pfsense.com/cgi-bin/cvsweb.cgi/tools/pfPorts/sshlockout_pf/
> files/sshlockout_pf.c?rev=1.1

/usr/ports/security/bruteforceblocker also filters based on syslog data; it
lets you configure IP addresses that will never be blocked, so you can
prevent this sort of DoS attack.
--lyndon From owner-freebsd-pf@FreeBSD.ORG Tue May 16 05:01:06 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE55716A55D for ; Tue, 16 May 2006 05:01:06 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.174]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D1C143D45 for ; Tue, 16 May 2006 05:01:06 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so647004uge for ; Mon, 15 May 2006 22:01:05 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=SookBQ9yme2AkUNLRcR7ICmZzj9uXT9K4Fk0qu+lySCSCmbrRIDFBAILmKdoVzCnGPapKoyXVnOvz4z+z+05ZKnpURGXcIgOY83dXJUvyKh1P0I7biKYnrjAJdsOV1gowTFtABXC6jDzQWEizYAVyE9gf3CZW/jqJ3KAc/BtGL4= Received: by 10.78.20.13 with SMTP id 13mr788929hut; Mon, 15 May 2006 22:01:05 -0700 (PDT) Received: by 10.78.58.20 with HTTP; Mon, 15 May 2006 22:01:04 -0700 (PDT) Message-ID: Date: Tue, 16 May 2006 00:01:05 -0500 
From: "Travis H." To: "Max Laier" In-Reply-To: <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <44680266.2090007@azimut-tour.ru> <446873D3.7090703@azimut-tour.ru> <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com> <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de> <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org> Cc: freebsd-pf@freebsd.org Subject: Re: promt solution with max-src-conn-rate X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 05:01:12 -0000 > You have to be aware that this otoh might open you to DoS attacks. People > spoofing connections from your address will lock you out from your own > server. It requires spoofing a full TCP connect, which is more difficult than most DoS types are willing to do. Even harder if you're doing "reassemble tcp" to protect the weak host's SYN packets. I've never heard a report of this kind of DoS in practice.
-- "Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright Security Guru for Hire http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Tue May 16 05:04:08 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37BBF16A4EF for ; Tue, 16 May 2006 05:04:08 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172]) by mx1.FreeBSD.org (Postfix) with ESMTP id 884E843D46 for ; Tue, 16 May 2006 05:04:07 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so647278uge for ; Mon, 15 May 2006 22:04:04 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=RKS5vVikinN7ZxDHiymXimg8UJgAAF3jff6AeaNOm7Izv7CwzZN/FHuVCG8aaPfAfBXmE1iP7oNbFK+aRFWttQhqJ0kcdUcCr/TxiJi9N8vBhFMT1OgGAJHPWi4CAJfEsjwaETTX3tEZuig0BahVE7QXfWMC75Cjr7aDV/63dh4= Received: by 10.78.67.20 with SMTP id p20mr1361628hua; Mon, 15 May 2006 22:04:04 -0700 (PDT) Received: by 10.78.58.20 with HTTP; Mon, 15 May 2006 22:04:04 -0700 (PDT) Message-ID: Date: Tue, 16 May 2006 00:04:04 -0500
From: "Travis H." To: "Lyndon Nerenberg" In-Reply-To: <340DFC1B-2620-4997-B495-67FA88F8662F@orthanc.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <44680266.2090007@azimut-tour.ru> <446873D3.7090703@azimut-tour.ru> <55e8a96c0605150907k49af4454t5d0431ea036e11bc@mail.gmail.com> <200605151823.17265.viktor.vasilev@stud.tu-darmstadt.de> <55278.192.168.4.1.1147735542.squirrel@mail.abi01.homeunix.org> <340DFC1B-2620-4997-B495-67FA88F8662F@orthanc.ca> Cc: freebsd-pf@freebsd.org Subject: Re: promt solution with max-src-conn-rate X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 05:04:53 -0000 I also have plans to write a sniffer to detect this kind of misuse without log-parsing, and the idea is to implement it at your gateway choke-point so it can detect it against any inbound connection, regardless of the ultimate source. Sorry to mention vaporware, but I'm pretty close to finishing it -- I have a sniffer that detects bittorrent traffic behind NAT and sets up rdr rules to support it. It's also a logical step to do port knocking (a/k/a single packet authentication) by sniffing the pflog interface and capturing the full content of blocked packets. I intend to do that as well. 
-- "Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright Security Guru for Hire http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-pf@FreeBSD.ORG Tue May 16 05:50:44 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D74116A41B for ; Tue, 16 May 2006 05:50:44 +0000 (UTC) (envelope-from freebsd@azimut-tour.ru) Received: from azimutprint.ru (azimutprint.ru [217.15.145.118]) by mx1.FreeBSD.org (Postfix) with ESMTP id B215343D49 for ; Tue, 16 May 2006 05:50:43 +0000 (GMT) (envelope-from freebsd@azimut-tour.ru) Received: from azimutprint.ru (localhost [127.0.0.1]) by crom.azimutprint.ru (Postfix) with ESMTP id 8CF00B851 for ; Tue, 16 May 2006 09:50:38 +0400 (MSD) Received: from [127.0.0.1] (greencomp.azimutprint.ru [192.168.1.2]) by crom.azimutprint.ru (Postfix) with ESMTP id 3D9A9B822 for ; Tue, 16 May 2006 09:50:37 +0400 (MSD) Message-ID: <4469682D.7060101@azimut-tour.ru> Date: Tue, 16 May 2006 09:50:37 +0400
From: GreenX FreeBSD User-Agent: Thunderbird 1.5.0.2 (Windows/20060308) MIME-Version: 1.0 To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Subject: Re: promt solution with max-src-conn-rate X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 05:50:47 -0000 > Run a script watching the logs for anyone failing logins and add those addresses to a block list. > --Bill It is useless work. I am not going to leave the borders of Russia, which is already ten times fewer potential addresses, but that is still very many; it is a lot. :) > There is a nice and easy way to block ssh brute-force attempts with pf only: > http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html > --Vik It was from a translation of this article that I too was puzzled by this question :) By the way, it is here: http://wiki.bsdportal.ru/doc:grblocksshbroteforce To: Max Laier, Scott Ullrich, Lyndon Nerenberg. Why install an external program if it can be done by means of PF itself? Best regards, GReenX.
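The log-watching approach that Bill, Scott and Lyndon describe above, together with the never-block list Lyndon points to as the answer to the lockout DoS that Max raises, as an added example that is not part of the thread and is neither bruteforceblocker's nor sshlockout_pf's code: it parses sshd "Failed password" syslog lines, counts failures per source address inside a sliding window, leaves alone any source covered by a never-block list, and emits the pfctl commands that would put the rest into a pf table and kill their existing states. The log lines, addresses, table name, threshold and window are constructed for the example; the pf.conf fragment in the docstring is the usual max-src-conn-rate/overload form from pf.conf(5), written here for context rather than taken from the linked article.

```python
"""Added example: pick SSH brute-force sources out of sshd syslog lines and feed them to a pf table.

The pf side this pairs with (written for this example after pf.conf(5), not quoted from the thread;
the quick pass for <trusted> is what keeps a spoofed or unlucky admin address from being locked out):
    table <bruteforce> persist
    table <trusted> persist { 198.51.100.2 }
    pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh
    block in quick on $ext_if from <bruteforce>
    pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log (not real traffic). 203.0.113.7 hammers root/admin within seconds,
# 198.51.100.2 is an admin mistyping a password, 192.0.2.9 fails once every ten minutes.
SAMPLE_LOG = """\
May 16 05:01:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
May 16 05:01:03 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
May 16 05:01:05 gw sshd[1205]: Failed password for root from 203.0.113.7 port 50125 ssh2
May 16 05:01:09 gw sshd[1207]: Failed password for oracle from 203.0.113.7 port 50126 ssh2
May 16 05:02:00 gw sshd[1210]: Failed password for lyndon from 198.51.100.2 port 40001 ssh2
May 16 05:02:02 gw sshd[1211]: Failed password for lyndon from 198.51.100.2 port 40002 ssh2
May 16 05:02:04 gw sshd[1212]: Failed password for lyndon from 198.51.100.2 port 40003 ssh2
May 16 05:02:06 gw sshd[1213]: Failed password for lyndon from 198.51.100.2 port 40004 ssh2
May 16 05:02:30 gw sshd[1214]: Accepted publickey for lyndon from 198.51.100.2 port 40005 ssh2
May 16 05:10:00 gw sshd[1300]: Failed password for root from 192.0.2.9 port 60000 ssh2
May 16 05:20:00 gw sshd[1301]: Failed password for root from 192.0.2.9 port 60001 ssh2
May 16 05:30:00 gw sshd[1302]: Failed password for root from 192.0.2.9 port 60002 ssh2
May 16 05:40:00 gw sshd[1303]: Failed password for root from 192.0.2.9 port 60003 ssh2
"""

# OpenSSH's "Failed password" line; the "invalid user" variant is folded in. Other failure
# messages (e.g. "Invalid user ... from ...") would need their own pattern.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Return [(timestamp, source address)] for every failed-password line, in log order.

    Syslog timestamps carry no year, so the caller supplies it (here the thread's year)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, ipaddress.ip_address(m["ip"])))
    return events


def find_offenders(events, threshold=3, window_seconds=60, never_block=()):
    """Sliding-window count of failures per source.

    Returns (offenders, suppressed): sources that reached `threshold` failures inside any
    `window_seconds` span, split into those to block and those covered by `never_block`, the
    list of networks that must never be locked out (bruteforceblocker's whitelist idea)."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    recent = defaultdict(deque)
    offenders, suppressed = set(), set()
    for ts, ip in sorted(events, key=lambda e: e[0]):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            if any(ip in net for net in allow):
                suppressed.add(ip)
            else:
                offenders.add(ip)
    return offenders, suppressed


def pfctl_commands(offenders, table="bruteforce"):
    """Shell commands that add each offender to the pf table and drop its existing states
    (the log-driven equivalent of "overload <table> flush global")."""
    cmds = []
    for ip in sorted(offenders, key=str):
        cmds.append(f"pfctl -t {table} -T add {ip}")
        cmds.append(f"pfctl -k {ip}")
    return cmds


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    to_block, kept_open = find_offenders(found, never_block=["198.51.100.2/32"])
    print("\n".join(pfctl_commands(to_block)))
    for ip in sorted(kept_open, key=str):
        print(f"# {ip} hit the threshold but is on the never-block list; not added")
```

Run against the sample, only 203.0.113.7 is added: the admin address trips the threshold but is suppressed by the never-block list, and the slow source never accumulates three failures inside one window. Without the list the admin address would be locked out too, which is exactly the self-inflicted DoS discussed above.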
From owner-freebsd-pf@FreeBSD.ORG Tue May 16 12:13:43 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE68816A417; Tue, 16 May 2006 12:13:43 +0000 (UTC) (envelope-from jinmei@isl.rdc.toshiba.co.jp) Received: from shuttle.wide.toshiba.co.jp (shuttle.wide.toshiba.co.jp [202.249.10.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD7D043D5A; Tue, 16 May 2006 12:13:42 +0000 (GMT) (envelope-from jinmei@isl.rdc.toshiba.co.jp) Received: from impact.jinmei.org (unknown [3ffe:501:100f:1010:d435:78f6:660a:b974]) by shuttle.wide.toshiba.co.jp (Postfix) with ESMTP id AF2F61521A; Tue, 16 May 2006 21:13:41 +0900 (JST) Date: Tue, 16 May 2006 21:13:32 +0900 Message-ID: 
From: JINMEI Tatuya / 神明達哉 To: Hideki Yamamoto In-Reply-To: <20060508.054451.41688849.yamamoto436@oki.com> References: <20060508.054451.41688849.yamamoto436@oki.com> User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI) Organization: Research & Development Center, Toshiba Corp., Kawasaki, Japan. MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Subject: Re: IPv6 raw socket to send original udp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 May 2006 12:13:45 -0000 >>>>> On Mon, 08 May 2006 05:44:51 +0900 (JST), >>>>> Hideki Yamamoto said: > I wonder if an IPv6 raw socket can be used only for ICMPv6. No, you can use any non-built-in protocol on an IPv6 raw socket. In fact, IPv6 PIM daemons use IPv6 raw sockets for IPPROTO_PIM. But... > I would like to use an IPv6 raw socket for an original udp packet. you cannot do this, and, even if it's a PIM packet (for example), I'm afraid the socket does not meet your requirement: you cannot specify an arbitrary source address for the packets, which I guess is one of your goals. With the IPv6 socket API you can only specify a node's own address as the source address of outgoing packets sent from an AF_INET6 socket. This is a deliberate design choice of the API (RFC2292 or RFC3542). I don't know the original intent of IP_HDRINCL, that is, whether it intentionally allows the specification of an arbitrary source address, but at least one clear purpose of this option is to allow the user to specify the value of some specific fields of the IP header.
Since RFC3542 (and RFC3493) provide dedicated API knobs for this purpose, however, we don't need to provide an IPv6 version of IP_HDRINCL. So, if a program needs to specify an arbitrary source IPv6 address for outgoing packets, it should use another "packet injection" interface such as BPF. JINMEI, Tatuya Communication Platform Lab. Corporate R&D Center, Toshiba Corp. jinmei@isl.rdc.toshiba.co.jp From owner-freebsd-pf@FreeBSD.ORG Wed May 17 09:41:18 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D97B816A426; Wed, 17 May 2006 09:41:18 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6B9643D4C; Wed, 17 May 2006 09:41:17 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 54A0D46CD8; Wed, 17 May 2006 05:41:17 -0400 (EDT) Date: Wed, 17 May 2006 10:41:17 +0100 (BST)
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: JINMEI Tatuya / 神明達哉 In-Reply-To: Message-ID: <20060517103906.P49041@fledge.watson.org> References: <20060508.054451.41688849.yamamoto436@oki.com> MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="0-1849780989-1147858877=:49041" Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org Subject: Re: IPv6 raw socket to send original udp X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 May 2006 09:41:28 -0000 On Tue, 16 May 2006, JINMEI Tatuya / 神明達哉 wrote: > So, if a program needs to specify an arbitrary source IPv6 address for > outgoing packets, it should use another "packet injection" interface such as > BPF. One problem with using BPF for packet injection in IPv4 is that it requires the sender to provide the link layer encapsulation, make the routing decision, and perform any address resolution. Using raw sockets with the full header option allows the sender to generate a datagram from an arbitrary source yet not perform those routing and link layer activities, which require more intimate knowledge of the link type. It might be desirable to add a socket option to allow the specification of the source address in order to allow packet replay tools, etc, to work without link layer knowledge. Robert N M Watson
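The do-it-yourself path that JINMEI and Robert describe above, as an added example that is neither their code nor FreeBSD's: because an AF_INET6 raw socket will only stamp one of the node's own addresses as the source, a program that needs an arbitrary source has to build the IPv6 header, the UDP header and the UDP checksum itself (in IPv6 the checksum is mandatory and covers a pseudo-header containing both addresses, so the spoofed source has to be in place before it is computed) and, when injecting through BPF, also the link-layer header Robert points out. The addresses are from the 2001:db8::/32 documentation prefix, the MAC addresses and payload are constructed, and the next-hop MAC is simply assumed known, standing in for the neighbor-discovery step a real injector would have to perform. The verifier at the end is the receiver-side check, included so the example can show that what it builds is a datagram a host would accept.

```python
"""Added example: build an IPv6/UDP datagram with an arbitrary source address for BPF injection."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17


def internet_checksum(data):
    """RFC 1071 one's-complement checksum: the 16-bit complement of the folded sum.
    A buffer that already carries a correct checksum sums to 0 under this function."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with one zero byte for the sum
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp6_pseudo_header(src, dst, udp_length):
    """RFC 2460 8.1 pseudo-header: source, destination, 32-bit upper-layer length, 3 zero bytes,
    next header. Both addresses are covered, which is why the source must be final before checksumming."""
    return src.packed + dst.packed + struct.pack("!IxxxB", udp_length, IPPROTO_UDP)


def build_udp6(src, dst, sport, dport, payload, hop_limit=64):
    """Return IPv6 header + UDP header + payload, checksummed, with whatever source is asked for."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    udp_len = 8 + len(payload)
    udp_zero_csum = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = internet_checksum(udp6_pseudo_header(src, dst, udp_len) + udp_zero_csum)
    csum = csum or 0xFFFF  # IPv6 forbids a zero UDP checksum; a computed 0 is sent as 0xFFFF
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    # version 6 / traffic class 0 / flow label 0, payload length, next header, hop limit
    ip6 = struct.pack("!IHBB", 6 << 28, udp_len, IPPROTO_UDP, hop_limit) + src.packed + dst.packed
    return ip6 + udp


def ethernet_frame(ip6_packet, next_hop_mac, our_mac):
    """The link-layer encapsulation BPF makes the sender supply. next_hop_mac is the router's or
    neighbour's address, which a real injector learns via neighbor discovery; here it is assumed."""
    return next_hop_mac + our_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6_packet


def verify_udp6(ip6_packet):
    """Receiver-side check: parse an IPv6/UDP packet and recompute its checksum. True if it verifies."""
    if len(ip6_packet) < 48:
        return False
    ver_tc_flow, plen, nxt, _hlim = struct.unpack("!IHBB", ip6_packet[:8])
    if ver_tc_flow >> 28 != 6 or nxt != IPPROTO_UDP:
        return False
    src = ipaddress.IPv6Address(ip6_packet[8:24])
    dst = ipaddress.IPv6Address(ip6_packet[24:40])
    udp = ip6_packet[40:40 + plen]
    if len(udp) != plen:
        return False
    _sport, _dport, ulen, csum = struct.unpack("!HHHH", udp[:8])
    if ulen != plen or csum == 0:
        return False
    return internet_checksum(udp6_pseudo_header(src, dst, ulen) + udp) == 0


if __name__ == "__main__":
    pkt = build_udp6("2001:db8:1::1", "2001:db8:2::53", 12345, 53, b"constructed payload")
    frame = ethernet_frame(pkt, bytes.fromhex("00005e005301"), bytes.fromhex("0200c0ffee01"))
    print(f"{len(frame)}-byte frame, UDP checksum verifies: {verify_udp6(pkt)}")
    # To inject on FreeBSD: open /dev/bpf, BIOCSETIF it to the outgoing interface, write(frame).
```

Flipping one bit of the source address after the fact makes the checksum fail, which is the practical reason the source has to be chosen at construction time rather than patched into a kernel-built datagram; a socket option of the kind Robert suggests would let the kernel do this arithmetic and the routing for you.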
From owner-freebsd-pf@FreeBSD.ORG Wed May 17 19:40:20 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A015B16AA01 for ; Wed, 17 May 2006 19:40:20 +0000 (UTC) (envelope-from nobody@everest.mxhost.ro) Received: from everest.mxhost.ro (everest.mxhost.ro [193.203.204.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3AA5143D46 for ; Wed, 17 May 2006 19:40:20 +0000 (GMT) (envelope-from nobody@everest.mxhost.ro) Received: from nobody by everest.mxhost.ro with local (Exim 4.52) id 1FgRqu-000302-Q8 for freebsd-pf@freebsd.org; Wed, 17 May 2006 22:38:36 +0300 To: freebsd-pf@freebsd.org
From: eBay Inc. Content-Transfer-Encoding: 8bit Message-Id: Date: Wed, 17 May 2006 22:38:36 +0300 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - everest.mxhost.ro X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12] X-AntiAbuse: Sender Address Domain - everest.mxhost.ro X-Source: X-Source-Args: X-Source-Dir: MIME-Version: 1.0 Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Account suspended. Please update X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 May 2006 19:40:21 -0000 Dear eBay member We recently noticed one or more attempts to log in to your eBay account from a foreign IP address by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. If you are the rightful holder of the account, click on the link below and fill the form and then submit as we need to verify your identity. [1]http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn The log in attempt was made from: IP address: 205.188.209.166 ISP host: cache-dq04.proxy.aol.com Your account is temporarily suspended If you received this notice and you are not the authorized account holder, please be aware that it is in violation of eBay policy to represent oneself as another eBay user. Such action may also be in violation of local, national, and/or international law. eBay is committed to assisting law enforcement with any inquiries related to attempts to misappropriate personal information with the intent to commit fraud or theft.
Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law. *Please do not respond to this e-mail as your reply will not be received. Thanks for your patience as we work together to protect your account. Regards, Safeharbor Department eBay Inc. References 1. http://www.php-mania.org/ebay/aw-cgi/eBayISAPI.dllSignIn-ssPageName-hhsin.php