From owner-freebsd-security Sun Mar 26 5:30:16 2000
Date: Sun, 26 Mar 2000 16:17:22 +0300
From: Giorgos Keramidas
To: John Fitzgibbon
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
Message-ID: <20000326161722.A5903@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
In-Reply-To: <003801bf9688$87418540$040ba8c0@fitz>; from fitz@jfitz.com on Sat, Mar 25, 2000 at 10:31:10AM -0800
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E

On Sat, Mar 25, 2000 at 10:31:10AM -0800, John Fitzgibbon wrote:
>
> I decided to start publishing my firewall logs on the web
> http://63.194.217.126/logs/
>
> My thinking is that to identify the root, (excuse the pun), source of
> distributed attacks, administrators need access to a broad set of logs.

This could help, sometimes.  But it can only help when the packets that
we need to identify were not forged at their source.

> I'm aware of the obvious counter-argument that any information you
> make available creates a risk.

I'm also aware of this, and I always was, but I still chose to publish
on the web the way my ipfw rules were written.  Having someone know
first hand what's allowed and what's not is a bit too much information
to give.  However, I've received so many personal e-mails that thanked
me for `having such a helpful page on ipfw' or something along these
lines, that I think it's worth the risk :)

> This is basically what I'm looking for feedback on -- Is this
> information useful?

The obvious counter-counter-argument to what you mentioned is also
useful here.  "Any kind of information is useful now or `possibly'
useful in the future."

What you're discussing doing is dangerous, though.
Despite the fact that it would be nice to know that a certain IP address
has been the source of several distributed attacks during the past few
months/years, there is always the danger of 'blacklisting' the wrong
people.

I have to admit that in giving the information away, you have not made
any implicit assumptions on the way it should be used, or what could be
done with it.  However, it would be a very sad thing if using such
information as evidence would result in someone being accused of being
the source of distributed attacks, especially if the accused one had
nothing to do with it, apart from being the network 'bridge' for the
packets comprising the attack.

As it should be obvious by now, having the information readily available
is one thing.  Dictating how and why it should be used is most of the
time another, totally different thing.  Just think of the efforts done
to stop spammers.  The information is there.  The lists of open relays
are there.  Anyone who wants to use them can go ahead and blackhole
entire domains, company networks, hell even entire countries.

The worst problems of these efforts though start when they start trying
to think of a 'policy' for adding something to their list, and removing
it after some checks have been done and passed successfully.  What I
mean here is, let's suppose you receive a lot of strange packets from
the dialup users of an ISP.  And you publish these logs.  Then the ISP,
having read your online logs, tries to stop such attacks, and fixes
their router access lists, dropping those strange packets on the floor.
Do you remove the relevant logs from the Web?  Do you leave them as they
are, and post a notice saying something to the effect of "but the nice
and friendly techies of ISP A.B.C. did their best and stopped such
attempts on their source"?

Of course, it could get even trickier.  Having some ISP block the
strange packets, once they see your logs.
Then they would post a notice to you, asking you in varying degrees of
kindness, to remove the logs from the web.  You fail to remove the logs
in a reasonable amount of time, and they sue you, with a charge of
spreading libel and hurting their reputation.

I do support the availability of such information, but please take care
to avoid problems like those described above.  Even a simple disclaimer
paragraph stating that you're not suggesting in any way the use of this
information, or that you do not take any responsibility for what others
might do with it, would probably be enough.  Then again, I'm no lawyer,
and I'm probably mistaken in my hypotheses about anything legal.

- Giorgos Keramidas

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Mar 26 5:38:32 2000
To: security@freebsd.org
Subject: Installing modules schg
From: Dag-Erling Smorgrav
Date: 26 Mar 2000 15:38:25 +0200

Any objections to the following patch?

Index: bsd.kmod.mk
===================================================================
RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v
retrieving revision 1.75
diff -u -r1.75 bsd.kmod.mk
--- bsd.kmod.mk 2000/01/28 11:26:46 1.75
+++ bsd.kmod.mk 2000/03/26 13:37:30
@@ -203,7 +203,7 @@
 afterinstall:
 .endif
 
-_INSTALLFLAGS:= ${INSTALLFLAGS}
+_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg
 .for ie in ${INSTALLFLAGS_EDIT}
 _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}}
 .endfor

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sun Mar 26 6:22:50 2000
Message-Id: <200003261419.PAA32703@hak.lan.Awfulhak.org>
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.org, brian@hak.lan.awfulhak.org
Subject: Re: Installing modules schg
In-Reply-To: Message from Dag-Erling Smorgrav of "26 Mar 2000 15:38:25 +0200."
Date: Sun, 26 Mar 2000 15:19:26 +0100
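Review bot: the -fschg appended to _INSTALLFLAGS in this hunk applies unconditionally to every kernel module install, so the immutable flag is set on hosts that never raise securelevel and on reinstalls over a module that already carries it; consider gating the flag behind a make knob (the thread later suggests USE_SCHG=yes) and stating in the commit message how install(1) handles an existing schg target, since that is the first question the change raises and nothing in the hunk answers it.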
From: Brian Somers

> Any objections to the following patch?

Yes... why ?  As Warner & I pointed out recently, you've gotta schg
everything touched before securelevel is set if you wanna do it
properly.

> Index: bsd.kmod.mk
> ===================================================================
> RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v
> retrieving revision 1.75
> diff -u -r1.75 bsd.kmod.mk
> --- bsd.kmod.mk 2000/01/28 11:26:46 1.75
> +++ bsd.kmod.mk 2000/03/26 13:37:30
> @@ -203,7 +203,7 @@
>  afterinstall:
>  .endif
>
> -_INSTALLFLAGS:= ${INSTALLFLAGS}
> +_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg
>  .for ie in ${INSTALLFLAGS_EDIT}
>  _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}}
>  .endfor
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

--
Brian
Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Sun Mar 26 6:56:37 2000
Date: Sun, 26 Mar 2000 15:55:08 +0100
From: Josef Karthauser
To: Brian Somers
Cc: Dag-Erling Smorgrav, security@FreeBSD.ORG, brian@hak.lan.awfulhak.org
Subject: Re: Installing modules schg
Message-ID: <20000326155508.B39911@florence.pavilion.net>
In-Reply-To: <200003261419.PAA32703@hak.lan.Awfulhak.org>
Organisation: Pavilion Internet plc, Lees House, 21-23 Dyke Road, Brighton, England

On Sun, Mar 26, 2000 at 03:19:26PM +0100, Brian Somers wrote:
> > Any objections to the following patch?
>
> Yes... why ?  As Warner & I pointed out recently, you've gotta schg
> everything touched before securelevel is set if you wanna do it
> properly.

I intend to have a go at this when I return from holiday - in two weeks
or so.

Joe
--
Josef Karthauser        FreeBSD: Take the red pill and we'll show you just how
Technical Manager       deep the rabbit hole goes. (http://www.uk.freebsd.org)
Pavilion Internet plc.  [joe@pavilion.net, joe@freebsd.org, joe@tao.org.uk]

From owner-freebsd-security Sun Mar 26 9:24:32 2000
Date: Sun, 26 Mar 2000 19:24:15 +0200
From: Jeroen Ruigrok van der Werven
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.org
Subject: Re: Installing modules schg
Message-ID: <20000326192415.B72480@lucifer.bart.nl>
Organisation: bART Internet Services B.V.

-On [20000326 15:45], Dag-Erling Smorgrav (des@flood.ping.uio.no) wrote:
>-_INSTALLFLAGS:= ${INSTALLFLAGS}
>+_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg

From a security aspect this is a common sense change.  I am in favor of
adding it.

--
Jeroen Ruigrok van der Werven          Network- and systemadministrator
VIA NET.WORKS The Netherlands          BSD: Technical excellence at its best
http://www.bart.nl
When Silence cries... Is it what I feel? Or is it what you really long to be..?

From owner-freebsd-security Sun Mar 26 10:52:58 2000
Message-Id: <200003261852.e2QIqaq81339@orthanc.ab.ca>
To: Brian Somers
Cc: security@FreeBSD.ORG
Subject: Re: Installing modules schg
In-reply-to: Your message of "Sun, 26 Mar 2000 15:19:26 +0100." <200003261419.PAA32703@hak.lan.Awfulhak.org>
Date: Sun, 26 Mar 2000 11:52:35 -0700
From: Lyndon Nerenberg

>>>>> "Brian" == Brian Somers writes:

    Brian> Yes... why ?  As Warner & I pointed out recently, you've
    Brian> gotta schg everything touched before securelevel is set if
    Brian> you wanna do it properly.

Okay, I'm in the process of doing this for one of our firewalls.  If
I submit the list of files falling under this umbrella, would the
changes get committed?

--lyndon

From owner-freebsd-security Sun Mar 26 15:04:35 2000
Message-ID: <001701bf9777$9481cc20$040ba8c0@fitz>
From: "John Fitzgibbon"
References: <003801bf9688$87418540$040ba8c0@fitz> <20000326161722.A5903@hades.hell.gr>
Subject: Re: Publishing Firewall Logs
Date: Sun, 26 Mar 2000 15:03:47 -0800

Giorgos,

Thanks for the well thought out response.  I'm inclined to agree that I
should put a disclaimer with the logs -- I'm not suggesting that these
IP addresses are trying to "attack" me, or are "bad".  In fact the most
common log events are "ident" requests, which are most likely
"legitimate".

I believe strongly in freedom of information.  How people choose to
interpret the information is up to them.  My hope would be that sys
admins can use this information, (which may or may not be forged at
source, redirected, etc., etc...), to help them track down sources of
distributed attacks.  As you say, it would be a shame to see the
information misinterpreted, like assuming that any IP that's ever hit a
closed port is automatically a "cracker".

I would resist removing information from the logs unless forced to do
so by court order, (and I'd probably fight that too), as I think that
diluting the information dilutes our ability to extract knowledge.

As I said in an offline reply yesterday, if you visit my house, I
believe I have the right to say "you visited my house".  I do not have
the right to say "you visited my house, so you must be a criminal", and
I am not trying to do so.

Fitz.
From owner-freebsd-security Sun Mar 26 15:04:35 2000
Date: Sun, 26 Mar 2000 18:42:45 +0300
From: Giorgos Keramidas
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: Installing modules schg
Message-ID: <20000326184245.C6866@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E

On Sun, Mar 26, 2000 at 03:38:25PM +0200, Dag-Erling Smorgrav wrote:
> Any objections to the following patch?
>
> Index: bsd.kmod.mk
> ===================================================================
> RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v

No, no objections to this ;)

What happens during an `install' though if some older version is
already installed noschg?  I hope it won't fail because it will not be
able to write over the old modules.

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
See the headers of this message for my public key fingerprint.
From owner-freebsd-security Sun Mar 26 15:57:53 2000
Message-Id: <200003262354.AAA01201@hak.lan.Awfulhak.org>
To: Lyndon Nerenberg
Cc: Brian Somers, security@FreeBSD.ORG, "Josef L. Karthauser"
Subject: Re: Installing modules schg
In-Reply-To: Message from Lyndon Nerenberg of "Sun, 26 Mar 2000 11:52:35 PDT." <200003261852.e2QIqaq81339@orthanc.ab.ca>
Date: Mon, 27 Mar 2000 00:54:49 +0100
From: Brian Somers

> >>>>> "Brian" == Brian Somers writes:
>
>     Brian> Yes... why ?  As Warner & I pointed out recently, you've
>     Brian> gotta schg everything touched before securelevel is set if
>     Brian> you wanna do it properly.
>
> Okay, I'm in the process of doing this for one of our firewalls.  If
> I submit the list of files falling under this umbrella, would the
> changes get committed?

I think you're best talking to joe@FreeBSD.org (cc'd).  He's more
interested in this side of things.

> --lyndon

--
Brian
Don't _EVER_ lose your sense of humour !

From owner-freebsd-security Sun Mar 26 16:24:07 2000
Date: Sun, 26 Mar 2000 19:23:38 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: Dag-Erling Smorgrav
Cc: security@freebsd.org
Subject: Re: Installing modules schg

I'd like to see people hold off on patches to introduce new schg files
until at least the following are discussed in full:

1) Is schg appropriate for all systems?  Should use of schg be
   restricted to ``USE_SCHG=yes''?  What POLA crud are we going to
   introduce through additional schg?  Will we break upgrades, etc?

2) Are we adding schg to files in a methodical way, or slapping it on
   when we think it might be appropriate?  Is the goal to use
   securelevels, or is the goal to limit the effects of root
   compromise, etc, etc?  Does adding schg to these files help?  Is it
   enough?

I don't see that there's any point in introducing new administrative
and development hurdles unless we're sure we're going to get it right
and have a tangible useful result :-).  Before adding schg, I'd like to
see a list of all files touched in any way prior to raising the
securelevel, particularly reads.

The best way to think about securelevel from a security-theoretic
standpoint is that it is a very narrow subset of a mandatory Biba
integrity policy, with two classes: kernel, and userland.  If the goal
of securelevel is to improve recovery prospects given root compromise,
we have to ask ourselves if we even offer the recovery tools to take
advantage of securelevel effectively.  If the goal is to provide a
clamped-down system, why not use jail?  Securelevel offers a number of
useful possibilities, but it has long languished as other sections of
the system have been updated, and few people have implemented a
production system based on it.

So my recommendation is that this not be committed at this time.
Robert

On 26 Mar 2000, Dag-Erling Smorgrav wrote:

> Any objections to the following patch?
>
> Index: bsd.kmod.mk
> ===================================================================
> RCS file: /home/ncvs/src/share/mk/bsd.kmod.mk,v
> retrieving revision 1.75
> diff -u -r1.75 bsd.kmod.mk
> --- bsd.kmod.mk 2000/01/28 11:26:46 1.75
> +++ bsd.kmod.mk 2000/03/26 13:37:30
> @@ -203,7 +203,7 @@
>  afterinstall:
>  .endif
>
> -_INSTALLFLAGS:= ${INSTALLFLAGS}
> +_INSTALLFLAGS:= ${INSTALLFLAGS} -fschg
>  .for ie in ${INSTALLFLAGS_EDIT}
>  _INSTALLFLAGS:= ${_INSTALLFLAGS${ie}}
>  .endfor
>
> DES
> --
> Dag-Erling Smorgrav - des@flood.ping.uio.no

Robert N M Watson
robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

From owner-freebsd-security Sun Mar 26 23:41:17 2000
From: Sheldon Hearn
To: Brad Guillory
Cc: Michael DeMutis, freebsd-security@FreeBSD.ORG
Subject: Re: Deny based on IP - TCP Wrapper
In-reply-to: Your message of "Fri, 24 Mar 2000 16:17:44 CST." <20000324161743.M53604@baileylink.net>
Date: Mon, 27 Mar 2000 09:40:05 +0200
Message-ID: <45218.954142805@axl.ops.uunet.co.za>

On Fri, 24 Mar 2000 16:17:44 CST, Brad Guillory wrote:

> You should look in man under hosts_options(5) and the files
> /etc/hosts.allow.
>
> The /etc/hosts.deny file is no longer used so if someone points you there
> just ignore them ;-).

Are you sure it's not used?  Are you just saying that because of the
comment you read in /etc/hosts.allow or have you checked that
hosts.deny isn't read?

The last time I checked, hosts_access(3) _did_ use rules from
/etc/hosts.deny.  This leads me to suspect that the comment in
/etc/hosts.allow is just a usage convention.

Ciao,
Sheldon.

From owner-freebsd-security Mon Mar 27 0:43:45 2000
From: Sheldon Hearn
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: Installing modules schg
In-reply-to: Your message of "26 Mar 2000 15:38:25 +0200."
Date: Mon, 27 Mar 2000 10:43:18 +0200
Message-ID: <48876.954146598@axl.ops.uunet.co.za>

On 26 Mar 2000 15:38:25 +0200, Dag-Erling Smorgrav wrote:

> Any objections to the following patch?

When you ``make world'' with this set, are the existing files noschg'd
before the new copies are installed?

Ciao,
Sheldon.

From owner-freebsd-security Mon Mar 27 2:23:47 2000
To: Sheldon Hearn
Cc: security@FreeBSD.ORG
Subject: Re: Installing modules schg
References: <48876.954146598@axl.ops.uunet.co.za>
From: Dag-Erling Smorgrav
Date: 27 Mar 2000 12:23:33 +0200
In-Reply-To: Sheldon Hearn's message of "Mon, 27 Mar 2000 10:43:18 +0200"

Sheldon Hearn writes:
> On 26 Mar 2000 15:38:25 +0200, Dag-Erling Smorgrav wrote:
> > Any objections to the following patch?
> When you ``make world'' with this set, are the existing files noschg'd
> before the new copies are installed?

Puh-lease.  'man install'.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Mon Mar 27 4:00:32 2000
Date: Mon, 27 Mar 2000 06:00:16 -0600 (CST)
From: Frank Tobin
To: security@FreeBSD.ORG
Subject: Re: Installing modules schg

Dag-Erling Smorgrav, at 12:23 +0200 on 27 Mar 2000, wrote:

> > When you ``make world'' with this set, are the existing files noschg'd
> > before the new copies are installed?
>
> Puh-lease.  'man install'.

Actually, the manpage is not that clear on the issue.  I see in the
introduction:

    "If the target file already exists, it is overwritten if permissions
    allow."

"Permissions allow"?  Not exactly nailing the nail's head if we are
talking about flags.  Further on I see:

    -f      Specify the target's file flags; see chflags(1) for a list
            of possible flags and their meanings.

This doesn't talk about what happens if the file exists.  Further I see:

    "By default, install preserves all file flags, with the exception of
    the ``nodump'' flag."

"Preserves all file flags" doesn't exactly explain to what extent
install will go to clear the current flags so it can get its job done.

--
Frank Tobin            http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued, those truths which
cannot be shaken or changed."  Myst: The Book of Atrus

From owner-freebsd-security Mon Mar 27 8:56:51 2000
Date: Mon, 27 Mar 2000 12:03:18 -0500 (EST)
From: Blake Matheny
To: freebsd-security@freebsd.org
Subject: Firewall Rules
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have a standard dual homed firewall that has the following options
compiled in the kernel:

    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPDIVERT

I added the following rule to my firewall rules list to disallow 1
workstation from having access to the internet:

    ipfw add deny tcp from 192.168.2.1/24 to any setup
    ipfw add deny tcp from 192.168.2.1/24 to any

This machine is running nat and routed. Although these rules are loaded as
shown by ipfw list this machine still has access to the internet, is this
a flaw in my syntax, implementation, or what? Thanks.

Blake Matheny
Network Engineer
Bussert Consulting

From owner-freebsd-security Mon Mar 27 12:42:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from home.ephemeron.org (dt090n4a.san.rr.com [204.210.46.74]) by hub.freebsd.org (Postfix) with ESMTP id 0AEBE37C0FD for ; Mon, 27 Mar 2000 12:42:02 -0800 (PST) (envelope-from bigby@ephemeron.org)
Received: from localhost (bigby@localhost) by home.ephemeron.org (8.9.3/8.9.3) with ESMTP id MAA15704; Mon, 27 Mar 2000 12:41:45 -0800 (PST) (envelope-from bigby@ephemeron.org)
Date: Mon, 27 Mar 2000 12:41:45 -0800 (PST)
From: Bigby Findrake
To: Blake Matheny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Firewall Rules
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Mar 2000, Blake Matheny wrote:

> I have a standard dual homed firewall that has the following options
> compiled in the kernel:
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPDIVERT
> I added the following rule to my firewall rules list to disallow 1
> workstation from having access to the internet:
> ipfw add deny tcp from 192.168.2.1/24 to any setup
> ipfw add deny tcp from 192.168.2.1/24 to any
> This machine is running nat and routed. Although these rules are loaded as
> shown by ipfw list this machine still has access to the internet, is this
> a flaw in my syntax, implementation, or what? Thanks.

1. The above rules don't cover udp packets. You should use the keywords
"ip" or "all" instead of "tcp" if you wanted to block all traffic.

2. Rule #1 is covered by rule #2, i.e. it's unnecessary.

3. The above rules only cover machines whose IPs' first 24 bits come out
to be 192.168.2. If your target machine's IP does not start out with
192.168.2 then your implementation is flawed. What is the target's IP
address? How do you know that the target is accessing the internet through
the firewall?

Those rules don't do what you think they do, but they should prevent a
good amount of internet traffic, given that the IP address of the target
is in the right range. Unless you have specialized needs, you might want
to consider using 2 rules, one that blocks incoming to the target and one
that blocks outgoing from the target, such as:

    ipfw add 10000 deny all from 192.168.2.1/24 to any
    ipfw add 11000 deny all from any to 192.168.2.1/24

Those are pretty general rules (i.e. they cover a lot of ground), and you
might not want to block that much traffic.
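The three points above can be checked mechanically. The following is an added example (not code from this thread or from ipfw): a toy matcher for the small subset of ipfw rule syntax used here, run over constructed sample packets, which shows that the original pair lets UDP and inbound traffic through, that rule 1 is a subset of rule 2, and that `192.168.2.1/24` is read as the whole 192.168.2.0/24 network rather than one host.

```python
"""Toy model of the ipfw 'deny' rules discussed in this thread (added
example, not ipfw itself). Only this subset is modelled:

    ipfw add [number] deny|allow tcp|udp|ip|all from <net> to <net> [setup]

Real ipfw has many more options; this is just enough to show why the
original two rules do not isolate the workstation."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^ipfw\s+add\s+(?:(\d+)\s+)?(deny|allow)\s+(tcp|udp|ip|all)"
    r"\s+from\s+(\S+)\s+to\s+(\S+)(\s+setup)?\s*$"
)


def parse_net(token):
    """'any' matches everything. '192.168.2.1/24' is normalised to
    192.168.2.0/24, which is how ipfw reads it: host bits are ignored,
    so this is a whole-subnet rule, not a single-host rule."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("unsupported rule: %r" % line)
    number, action, proto, src, dst, setup = m.groups()
    return {"number": int(number) if number else None, "action": action,
            "proto": proto, "src": parse_net(src), "dst": parse_net(dst),
            "setup": setup is not None}  # setup = TCP SYN without ACK only


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, dst and, for TCP, a syn_only flag."""
    if rule["proto"] not in ("ip", "all") and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["setup"] and not (pkt["proto"] == "tcp" and pkt.get("syn_only", False)):
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins, as in ipfw. With no match we assume the
    'allow ip from any to any' an open ruleset ends with."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "allow"


def is_redundant(first, second):
    """True when `second` matches everything `first` matches: same or wider
    protocol and networks, and no extra 'setup' restriction (point 2)."""
    def covers(wide, narrow):
        return wide is None or (narrow is not None and narrow.subnet_of(wide))
    proto_ok = second["proto"] in ("ip", "all") or second["proto"] == first["proto"]
    return (proto_ok and covers(second["src"], first["src"])
            and covers(second["dst"], first["dst"])
            and (not second["setup"] or first["setup"]))


# The rules from the original post and the pair suggested in the reply.
ORIGINAL = [parse_rule(r) for r in (
    "ipfw add deny tcp from 192.168.2.1/24 to any setup",
    "ipfw add deny tcp from 192.168.2.1/24 to any",
)]
SUGGESTED = [parse_rule(r) for r in (
    "ipfw add 10000 deny all from 192.168.2.1/24 to any",
    "ipfw add 11000 deny all from any to 192.168.2.1/24",
)]

# Constructed sample traffic: the workstation, a neighbour in the same
# /24, and an inbound connection to the workstation.
SAMPLE = {
    "ws_udp_dns":    {"proto": "udp", "src": "192.168.2.1", "dst": "10.9.9.9"},
    "ws_tcp_syn":    {"proto": "tcp", "src": "192.168.2.1", "dst": "10.9.9.9", "syn_only": True},
    "neighbour_tcp": {"proto": "tcp", "src": "192.168.2.77", "dst": "10.9.9.9", "syn_only": True},
    "inbound_to_ws": {"proto": "tcp", "src": "10.9.9.9", "dst": "192.168.2.1", "syn_only": True},
}


def evaluate(rules):
    """Verdict for every sample packet under one ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, evaluate(rules))
    print("rule 1 redundant:", is_redundant(ORIGINAL[0], ORIGINAL[1]))
    print("a single-host rule would use", ipaddress.ip_network("192.168.2.1/32"))
```

Rules are evaluated in order and `ipfw add` without a number appends after the rules already loaded, so where a deny lands relative to the existing divert rule for natd also matters.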
/-------------------------------------------------------------------------/
Under deadline pressure for the next week. If you want something, it can
wait. Unless it's blind screaming paroxysmally hedonistic ...
finger bigby@ephemeron.org for my pgpkey
or http://home.ephemeron.org/~bigby/pgp_key.txt
e-mail bigby@pager.ephemeron.org to page me
/-------------------------------------------------------------------------/

From owner-freebsd-security Mon Mar 27 19:52:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from neon.delete.org (cx638115-b.sthngtn1.ct.home.com [24.2.165.123]) by hub.freebsd.org (Postfix) with ESMTP id 68C0437BAFC for ; Mon, 27 Mar 2000 19:52:25 -0800 (PST) (envelope-from alex@delete.org)
Received: from localhost (alex@localhost) by neon.delete.org (8.10.0.Beta6/8.10.0.Beta6) with ESMTP id e2S3scH11434 for ; Mon, 27 Mar 2000 22:54:38 -0500 (EST)
Date: Mon, 27 Mar 2000 22:54:38 -0500 (EST)
From: Alex Michlin
X-Sender: alex@cx638115-b.sthngtn1.ct.home.com
To: security@FreeBSD.ORG
Subject: pamd with logons
In-Reply-To: <4.1.20000324144943.00a05470@mail.rz.fh-wilhelmshaven.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

How can I specify in pamd to deny all logons except for a select few?
I've seen in the past someone adding a user account using an ftp exploit.
I want to deny all logons except for my uid?

Thanks

From owner-freebsd-security Mon Mar 27 21:46:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mc-qout4.whowhere.com (mc-qout4.whowhere.com [209.185.123.18]) by hub.freebsd.org (Postfix) with SMTP id 1760B37B5F1 for ; Mon, 27 Mar 2000 21:46:46 -0800 (PST) (envelope-from vikashb@my-deja.com)
Received: from Unknown/Local ([?.?.?.?]) by my-deja.com; Mon Mar 27 21:45:43 2000
To: freebsd-security@FreeBSD.ORG
Date: Mon, 27 Mar 2000 21:45:43 -0800
From: " "
Message-ID:
Mime-Version: 1.0
X-Sent-Mail: off
X-Mailer: MailCity Service
Subject: natd question
X-Sender-Ip: 196.34.250.5
Organization: My Deja Email (http://www.my-deja.com:80)
Content-Type: text/plain; charset=us-ascii
Content-Language: en
Content-Length: 1473
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings

Could some one please assist me with a natd configuration ?

I have a FreeBSD 3.2 box with 2 nics. The one nic has an ip address of
192.168.29.21 and an alias address of 192.168.29.20 ( netmask
255.255.255.0 ), the other nic has an ip address of 192.168.1.22 ( netmask
255.255.255.0 ). I need to divert all ip traffic destined for 192.168.29.21
to 192.168.1.21 and all ip traffic destined for 192.168.29.20 to
192.168.1.20 since these are the only two servers that need to be accessed
by the users in the 192.168.29 subnet.

I have tried the following rules and I have had no success :

=============== natd.conf =======================
redirect_address 192.168.1.21 192.168.29.21
redirect_address 192.168.1.20 192.168.29.21
==============================================

I can get the natd to work only on this rule "redirect_address
192.186.1.21 0.0.0.0", but this results in the other machine being
inaccessible.

I have tried this rule set :

==============================================
redirect_port tcp 192.168.1.20:telnet 192.168.29.20:telnet
redirect_port tcp 192.168.1.21:telnet 192.168.29.21:telnet
==============================================

but this only results in the one machine (192.168.29.20) being accessible

Can this be done with natd? Is there any other software / configuration I
should look at ?

Thanks

Vikash
From owner-freebsd-security Mon Mar 27 22: 5:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mta1.snfc21.pbi.net (mta1.snfc21.pbi.net [206.13.28.122]) by hub.freebsd.org (Postfix) with ESMTP id C616637BD5B for ; Mon, 27 Mar 2000 22:05:13 -0800 (PST) (envelope-from madscientist@thegrid.net)
Received: from remus ([63.193.246.169]) by mta1.snfc21.pbi.net (Sun Internet Mail Server sims.3.5.2000.01.05.12.18.p9) with SMTP id <0FS400HF4BF40G@mta1.snfc21.pbi.net> for freebsd-security@freebsd.org; Mon, 27 Mar 2000 22:01:54 -0800 (PST)
Date: Mon, 27 Mar 2000 22:06:25 -0800
From: The Mad Scientist
Subject: syslogd compatibility
X-Sender: i289861@mail.thegrid.net
To: freebsd-security@freebsd.org
Message-id: <4.1.20000327220609.00927f00@mail.thegrid.net>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Content-type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

All,

It seems that syslogd on -stable rejects any syslog packets if they do not
originate from udp port 514. One of the machines I have is a sparc running
2.8 and its syslogd sends messages from a random high-numbered port. I've
poked through the mailing list archives a little and didn't see anything
relevant. Is there an undocumented command-line/conf file that will fix
the problem? I'm not much of a hacker, but from the syslogd.c code I think
I can see the relevant part that drops the packets. Would getting rid of
these lines do the trick (~line 1802 in /usr/src/usr.sbin/syslogd/syslogd.c)?

    if (ntohs(ap->port) != 0 && ap->port != sin->sin_port) {
            dprintf("rejected in rule %d due to port mismatch.\n", i);
            continue;
    }

Am I correct in assuming that the idea here is to put more trust in remote
syslogds running as root? Are there any other security implications with
removing this check?

From syslogd -a 10.0.0.0/8 -vv -d

    cvthname(10.0.1.4)
    validate: dgram from IP 10.0.1.4, port 32803, name splitbrain.;
    rejected in rule 0 due to port mismatch.

I also don't see any logs of these rejected packets...

My FreeBSD machine is:
FreeBSD watchtower 3.4-STABLE FreeBSD 3.4-STABLE #2: Tue Mar 7 21:50:38
PST 2000 root@watchtower:/usr/src/sys/compile/WATCHTOWER i386

The Solaris box is:
SunOS splitbrain 5.8 Generic sun4m sparc SUNW,SPARCstation-10

Thanks for the help.
-Dean

From owner-freebsd-security Mon Mar 27 23:11:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from queeg.ludd.luth.se (queeg.ludd.luth.se [130.240.16.109]) by hub.freebsd.org (Postfix) with ESMTP id AA0E537B6AC for ; Mon, 27 Mar 2000 23:11:42 -0800 (PST) (envelope-from johan@ludd.luth.se)
Received: from speedy.ludd.luth.se (johan@speedy.ludd.luth.se [130.240.16.164]) by queeg.ludd.luth.se (8.9.3/8.9.3) with ESMTP id JAA17435; Tue, 28 Mar 2000 09:11:36 +0200 (CEST)
Date: Tue, 28 Mar 2000 09:11:36 +0200 (CEST)
From: Johan Larsson
To: The Mad Scientist
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: syslogd compatibility
In-Reply-To: <4.1.20000327220609.00927f00@mail.thegrid.net>
Message-ID:
X-uri: http://www.ludd.luth.se/users/johan/
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 27 Mar 2000, The Mad Scientist wrote:

> All,
> It seems that syslogd on -stable rejects any syslog packets if they do not
> originate from udp port 514. One of the machines I have is a sparc running
> 2.8 and its syslogd sends messages from a random high-numbered port. I've
> poked through the mailing list archives a little and didn't see anything
> relevant. Is there an undocumented command-line/conf file that will fix
> the problem? I'm not much of a hacker, but from the syslogd.c code I think
> I can see the relevant part that drops the packets. Would getting rid of
> these lines do the trick (~line 1802 in /usr/src/usr.sbin/syslogd/syslogd.c)?
>
> if (ntohs(ap->port) != 0 && ap->port != sin->sin_port) {
> dprintf("rejected in rule %d due to port mismatch.\n", i);
> continue;
> }
>
> Am I correct in assuming that the idea here is to put more trust in remote
> syslogds running as root? Are there any other security implications with
> removing this check?

You shouldn't do that, instead use the :service argument to -a i.e.
-a IPofSUN/32:* (* can be substituted to the portnumber if that's known).
If you read the manpage you should see this :-)

> >From syslogd -a 10.0.0.0/8 -vv -d
>
> cvthname(10.0.1.4)
> validate: dgram from IP 10.0.1.4, port 32803, name splitbrain.;
> rejected in rule 0 due to port mismatch.
>
> I also don't see any logs of these rejected packets...
>
> My FreeBSD machine is:
> FreeBSD watchtower 3.4-STABLE FreeBSD 3.4-STABLE #2: Tue Mar 7 21:50:38
> PST 2000 root@watchtower:/usr/src/sys/compile/WATCHTOWER i386
>
> The Solaris box is:
> SunOS splitbrain 5.8 Generic sun4m sparc SUNW,SPARCstation-10
>
> Thanks for the help.
> -Dean

Johan

From owner-freebsd-security Tue Mar 28 1:35: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hera.ik.bme.hu (hera.ik.bme.hu [152.66.243.132]) by hub.freebsd.org (Postfix) with ESMTP id 33EF137BCF7 for ; Tue, 28 Mar 2000 01:34:48 -0800 (PST) (envelope-from mohacsi@hera.ik.bme.hu)
Received: from localhost (mohacsi@localhost) by hera.ik.bme.hu (8.9.3/8.9.3) with ESMTP id LAA12090 for ; Tue, 28 Mar 2000 11:34:46 +0200 (MET DST)
Date: Tue, 28 Mar 2000 11:34:45 +0200 (MET DST)
From: Mohacsi Janos
To: freebsd-security@freebsd.org
Subject: US encryption regulations and FreeBSD crypto programs
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dear Sirs,

According to the new US encryption regulations (Jan 14, 2000) the
mass-market encryption products employing key lengths up to 64 bits
require the one-time technical review and classification.
See: http://www.cdt.org/publications/pp_6.02.shtml

And also non-retail products can be exported after review, with license.
Exporting is prohibited only to 7 terrorist countries.

Some companies have already taken some steps:
http://www.microsoft.com/exporting/
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
http://www.pgp.com/asp_set/products/tns/jump_page_011800.asp

The FreeBSD community should also move forward: submit the FreeBSD source
code for review, and ship an almost unified crypto stack of FreeBSD to
both US and international users. As far as I know the currently used DES
uses 56 bit keylength. 3DES and blowfish could be pushed through
(Microsoft succeeded with 128 bit encryption in Internet Explorer). The
only difference between the US and International version would be the RSA
(that could be removed in September 2000).

Is there any volunteer lawyer and FreeBSD fan who could move this project
forward? (Probably a lawyer from BSDI.)

This way FreeBSD could be the leader in the Open Source Community,
shipping open-source strong crypto products for everywhere in the world.
Thanks,
Janos Mohacsi

From owner-freebsd-security Tue Mar 28 2:15:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.mail.yahoo.com (smtp.mail.yahoo.com [128.11.68.32]) by hub.freebsd.org (Postfix) with SMTP id E995037B903 for ; Tue, 28 Mar 2000 02:15:08 -0800 (PST) (envelope-from hbenedict_fbsd@yahoo.com)
Received: from ppp53-jkt3.indosat.net.id (HELO radiance) (202.155.28.180) by smtp.mail.yahoo.com with SMTP; 28 Mar 2000 02:14:58 -0800
X-Apparently-From:
Message-ID: <200003281716310750.0075B3CA@smtp.mail.yahoo.com>
References: <200003281125420050.0039848C@smtp.mail.yahoo.com> <200003281709490530.006F9035@smtp.indosat.net.id> <200003281713040510.00728A06@smtp.indosat.net.id>
X-Mailer: Calypso Version 3.00.00.14 (3)
Date: Tue, 28 Mar 2000 17:16:31 +0700
From: "Benedict H"
To: freebsd-security@freebsd.org
Subject: Gateway problem
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====_95423859129358=_"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm trying to get my FreeBSD 3.3 box up and running as a gateway between
2 local subnets. I have already recompiled the kernel with the IPFIREWALL,
IPFIREWALL_FORWARD, IPFILTER, DUMMYNET, and BRIDGE options.
Currently the firewall rule is allow all from any to any.

            subnet1 -- gw -- subnet2

Here's what I've got at the console when I type netstat -r:

localhost       localhost           UH    0   1   lo0
192.168.1/26    link#3              UC    0   0   ep0
gw              <gw ep0 ether addr> UHLW  0   2   lo0
192.168.1.5     <host1 ether addr>  UHLW  1  1550 ep0  694
192.168.2/26    link#1              UC    0   0   xl0
gw              <gw xl0 ether addr> UHLW  0   136 lo0
192.168.2.63    ff:ff:ff:ff:ff:ff   UHLWb 1   1   xl0

But I encountered a problem, when I ping from gw box to host1 box,
I always have the responses back to me in about 10 to 40 seconds.
Then in the host1 machine, I type "tcpdump -i ep0" at the console
and I think host1 runs correctly, because it always replies immediately
after it gets the echo request.

When I unplugged my xl0 device out of the machine, everything goes well.

Anyone, please help me fix this problem.

Thank you

Benedict
From owner-freebsd-security Tue Mar 28 4:38:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id CA87237BE30 for ; Tue, 28 Mar 2000 04:38:30 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA07237; Tue, 28 Mar 2000 09:38:37 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200003281238.JAA07237@ns1.via-net-works.net.ar>
Subject: Re: natd question
In-Reply-To: from "owner-freebsd-security@FreeBSD.ORG" at "Mar 27, 0 09:45:43 pm"
To: vikashb@my-Deja.com
Date: Tue, 28 Mar 2000 09:38:37 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You might want to tcpdump each interface to see what kind of traffic is
being generated. Also, make sure your firewall rules aren't dropping the
packets (figuring the right rules is sometimes very tricky).

I have had success in the past using redirect_port tcp internal_address

Regards.

In an earlier message, owner-freebsd-security@FreeBSD.ORG wrote:
> Greetings
>
> Could some one please assist me with a natd configuration ?
[...]
>

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Tue Mar 28 4:41:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 7C42A37BE26 for ; Tue, 28 Mar 2000 04:41:53 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA24990; Tue, 28 Mar 2000 14:41:47 +0200 (CEST) (envelope-from des@flood.ping.uio.no)
To: Frank Tobin
Cc: security@FreeBSD.ORG
Subject: Re: Installing modules schg
References:
From: Dag-Erling Smorgrav
Date: 28 Mar 2000 14:41:46 +0200
In-Reply-To: Frank Tobin's message of "Mon, 27 Mar 2000 06:00:16 -0600 (CST)"
Message-ID:
Lines: 14
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Frank Tobin writes:
> [...]
> "Preserves all file flags" doesn't exactly explain to what extent install
> will go to to clear the current flags so it can get its job done.

Apologies. In brief: it can at least handle the case where the previously
existing file was schg. This is done routinely by various Makefiles in the
cases of ld-elf.so.1, mail.local, rcp and friends, and kernels.
DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Tue Mar 28 6:19: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 0EFEB37BDE6 for ; Tue, 28 Mar 2000 06:19:01 -0800 (PST) (envelope-from dmartin@origen.com)
Received: from origen.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id IAA65162; Tue, 28 Mar 2000 08:18:39 -0600 (CST) (envelope-from dmartin@origen.com)
Message-ID: <38E0BF25.12B112C5@origen.com>
Date: Tue, 28 Mar 2000 08:18:13 -0600
From: Richard Martin
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: John Fitzgibbon
Cc: keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
References: <003801bf9688$87418540$040ba8c0@fitz> <20000326161722.A5903@hades.hell.gr> <001701bf9777$9481cc20$040ba8c0@fitz>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just a postscript here on a different thought. My question is on the
usefulness of the information in the logs. We log most of the deny packets
on our firewalls and these are reviewed frequently. We run down the more
serious looking ones, and I must say that in my experience about 60% of
the scans that we get are from bogus IPs. Some are also quite clever,
using unused IP addresses in our network. Until there is a more global use
of outbound packet checking by ISPs, I am afraid that a lot of people may
just be filling up their hosts.allow file with chaff.

I would likewise bet the information in the logs contains a lot of spoofed
IPs.

-- 
Richard Martin
dmartin@origen.com
OriGen, inc.
Tel: +1 512 474 7278
2525 Hartford Rd.
Fax: +1 512 708 8522
Austin, TX 78703

From owner-freebsd-security Tue Mar 28 7:13: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f24.law8.hotmail.com [216.33.241.24]) by hub.freebsd.org (Postfix) with SMTP id E495737BE7E for ; Tue, 28 Mar 2000 07:12:59 -0800 (PST) (envelope-from hjeffrey@hotmail.com)
Received: (qmail 89245 invoked by uid 0); 28 Mar 2000 15:12:54 -0000
Message-ID: <20000328151254.89244.qmail@hotmail.com>
Received: from 130.11.112.22 by www.hotmail.com with HTTP; Tue, 28 Mar 2000 07:12:53 PST
X-Originating-IP: [130.11.112.22]
From: "Jeff Hamilton"
To: freebsd-net@freebsd.org, freebsd-security@freebsd.org
Subject: FreeBSD as VPN server for Win2000 Clients
Date: Tue, 28 Mar 2000 07:12:53 PST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi.

I am interested in setting up FreeBSD to act as a VPN server for remote
users running Windows 2000 Professional. I am restricted to using the VPN
support that is built-in to Win2000, so I can't purchase any addon products.
My boss would also much prefer a free solution on the FreeBSD end.

Is this possible to do? If so, how do I get started?

Thanks.
Jeff
hjeffrey@hotmail.com

From owner-freebsd-security Tue Mar 28 7:29:59 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id E7FD937BF09 for ; Tue, 28 Mar 2000 07:29:52 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from ezo.net (c3-1f245.neo.rr.com [24.93.235.245]) by lily.ezo.net (8.8.7/8.8.7) with ESMTP id KAA16396 for ; Tue, 28 Mar 2000 10:29:33 -0500 (EST)
Message-ID: <38E0CFFC.7EF8D379@ezo.net>
Date: Tue, 28 Mar 2000 10:30:04 -0500
From: Jim Flowers
Organization: EZNets, Inc.
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: US encryption regulations and FreeBSD crypto programs
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I (my client) have (has) been able to obtain approval for a VPN Access
Controller (VIP/Link) that includes configuration of freebsd and the
skip-1.0 port under the US Company and subsidiary exclusion about a year
ago. Paperwork and one-time review was minimal and granted quite quickly
(less than a month). Covers multiple countries.

Paperwork available to whoever takes this on, if desired.

Jim Flowers

Mohacsi Janos wrote:
>
> Dear Sirs,
>
> According to the new US encryption regulations (Jan 14, 2000) the
> massmarket encryption products, employing key lengths up to 64 bits
> require the one-time technical review and classification.
> See: http://www.cdt.org/publications/pp_6.02.shtml
>
> And also non retail products can be exported after review, with license.
> Exporting prohibited only to 7 terrorist countries.
>
> Some company is already taken some steps:
> http://www.microsoft.com/exporting/
> http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
> http://www.pgp.com/asp_set/products/tns/jump_page_011800.asp
>
> Community of the FreeBSD should also move forward. Submitting for review
> of the FreeBSD source code, and shipping with an almost unified crypto
> stuffs of FreeBSD either US and either international users. As far as I
> know the currently used DES uses 56 bit keylength. 3DES and blowfish could
> be pushed through (Microsoft succeed with 128 bit encryption in Internet
> Explorer). The only difference between the US and International version
> would be the RSA (that could be removed in September 2000).
>
> Are there any volunteer lawyer and FreeBSD fan, who could move forward this
> project. (Probably a lawyer from BSDI).
>
> This way FreeBSD could be leader in the Open Source Community shipping
> open-source strong crypto products for everywhere in the world.
>
> Thanks,
> Janos Mohacsi

From owner-freebsd-security Tue Mar 28 8:39:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from decoy.sfc.keio.ac.jp (decoy.sfc.keio.ac.jp [133.27.84.101]) by hub.freebsd.org (Postfix) with ESMTP id BD3E037BFC7; Tue, 28 Mar 2000 08:39:08 -0800 (PST) (envelope-from say@sfc.wide.ad.jp)
Received: from deborah (decoy.sfc.keio.ac.jp [133.27.84.101]) by decoy.sfc.keio.ac.jp (8.9.3/8.9.3) with ESMTP id BAA90960; Wed, 29 Mar 2000 01:38:11 +0900 (JST) (envelope-from say@sfc.wide.ad.jp)
Date: Wed, 29 Mar 2000 01:38:11 +0900 (JST)
Message-Id: <200003281638.BAA90960@decoy.sfc.keio.ac.jp>
From: ARIGA Seiji
To: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
References: <20000328151254.89244.qmail@hotmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00 (beta 3)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

On Tue, 28 Mar 2000 07:12:53 PST "Jeff Hamilton" wrote:
:I am interested in setting up FreeBSD to act as a VPN server for remote
:users running Windows 2000 Professional. I am restricted to using the VPN
:support that is built-in to Win2000, so I can't purchase any addon products.
: My boss would also much prefer a free solution on the FreeBSD end.

Some time before, I set up an IPsec connection between a KAME box and
Windows2000 using racoon (KAME IKE daemon). You can use FreeBSD with KAME
as a VPN server using IPsec.

# As far as IPsec is concerned, KAME snap is more stable than KAME merged
# in FreeBSD4, in my opinion. So you'd better use FreeBSD3 with KAME
# snap for your purpose.
-- 
ARIGA Seiji

From owner-freebsd-security Tue Mar 28 8:52:23 2000
Delivered-To: freebsd-security@freebsd.org
Received: from astralblue.com (adsl-209-76-108-39.dsl.snfc21.pacbell.net [209.76.108.39]) by hub.freebsd.org (Postfix) with ESMTP id 7851937C02C; Tue, 28 Mar 2000 08:52:09 -0800 (PST) (envelope-from ab@astralblue.com)
Received: from localhost (ab@localhost) by astralblue.com (8.9.3/8.9.3) with ESMTP id IAA40035; Tue, 28 Mar 2000 08:52:03 -0800 (PST) (envelope-from ab@astralblue.com)
Date: Tue, 28 Mar 2000 08:52:02 -0800 (PST)
From: "Eugene M. Kim"
To: Jeff Hamilton
Cc: freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

There's also a free PPTP implementation called poptop; you can find it in
/usr/ports/net/poptop.

HTH,
Eugene

On Tue, 28 Mar 2000, Jeff Hamilton wrote:

| Hi.
|
| I am interested in setting up FreeBSD to act as a VPN server for remote
| users running Windows 2000 Professional. I am restricted to using the VPN
| support that is built-in to Win2000, so I can't purchase any addon products.
| My boss would also much prefer a free solution on the FreeBSD end.
|
| Is this possible to do? If so, how do I get started?
|
| Thanks.
|
| Jeff
| hjeffrey@hotmail.com

-- 
Eugene M. Kim

"Is your music unpopular? Make it popular; make music which people like,
or make people who like your music."
From owner-freebsd-security Tue Mar 28 9:41:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 28A1937B588 for ; Tue, 28 Mar 2000 09:41:49 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1526 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 28 Mar 2000 11:37:21 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 28 Mar 2000 11:37:20 -0600 (CST)
From: James Wyatt
To: Richard Martin
Cc: John Fitzgibbon , keramida@ceid.upatras.gr, freebsd-security@FreeBSD.ORG
Subject: Re: Publishing Firewall Logs
In-Reply-To: <38E0BF25.12B112C5@origen.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Mar 2000, Richard Martin wrote:
[ ... ]
> frequently. We run down the more serious looking ones, and I must say that in
> my experience about 60% of the scans that we get are from bogus IPs. Some are
> also quite clever, using unused IP addresses in our network. Until there is a
> more global use of outbound packet checking by ISPs, I am afraid that a lot of
> people may just be filling up their hosts.allow file with chaff.
>
> I would likewise bet the information in the logs contains a lot of spoofed
> IPs.

Thus you are providing a test anvil for their learning packet forging and
knowing what makes it past your router filters into your host filters.

That said, I've been thinking about making our logs viewable as well. It
is a good training tool for my customers to see what they should expect.
My 2 bits, literally - Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 28 11:25:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 28EB937BFC6; Tue, 28 Mar 2000 11:25:28 -0800 (PST) (envelope-from mike@sentex.ca)
Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id OAA66850; Tue, 28 Mar 2000 14:25:13 -0500 (EST) (envelope-from mike@sentex.ca)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by vinyl.sentex.ca (8.9.3/8.9.3) with SMTP id OAA29463; Tue, 28 Mar 2000 14:25:12 -0500 (EST) (envelope-from mike@sentex.ca)
Message-Id: <3.0.5.32.20000328142245.01bcf4c0@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Tue, 28 Mar 2000 14:22:45 -0500
To: "Jeff Hamilton" , freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000328151254.89244.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 07:12 AM 3/28/00 PST, Jeff Hamilton wrote:
>Hi.
>
>I am interested in setting up FreeBSD to act as a VPN server for remote
>users running Windows 2000 Professional. I am restricted to using the VPN
>support that is built-in to Win2000, so I can't purchase any addon products.
> My boss would also much prefer a free solution on the FreeBSD end.
>
>Is this possible to do? If so, how do I get started?

2 *possible* options... pptp (aka point 2 point tunneling protocol), or
ipsec. From the ports collection /usr/ports/net/poptop

1.0 Introduction
----------------

1.1 About PoPToP

PoPToP is the PPTP Server solution for Linux.
PoPToP allows Linux servers to function seamlessly in the PPTP VPN environment. This enables administrators to leverage the considerable benefits of both Microsoft and Linux. The current pre-release version supports Windows 95/98/NT/2000 PPTP clients and PPTP Linux clients. PoPToP is free GNU software. PoPToP Home Page: http://www.moretonbay.com/vpn/pptp.html But I would try the IPsec route first... ---Mike ------------------------------------------------------------------------ Mike Tancsa, tel +1 519 651 3400 Network Administrator, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 28 11:27:21 2000 Delivered-To: freebsd-security@freebsd.org Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id 7F46237BFCC for ; Tue, 28 Mar 2000 11:27:15 -0800 (PST) (envelope-from mike@sentex.ca) Received: from vinyl.sentex.ca (vinyl.sentex.ca [209.112.4.14]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id OAA67135; Tue, 28 Mar 2000 14:27:03 -0500 (EST) (envelope-from mike@sentex.ca) Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by vinyl.sentex.ca (8.9.3/8.9.3) with SMTP id OAA29559; Tue, 28 Mar 2000 14:27:03 -0500 (EST) (envelope-from mike@sentex.ca) Message-Id: <3.0.5.32.20000328142435.01f69b20@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Tue, 28 Mar 2000 14:24:35 -0500 To: ARIGA Seiji , freebsd-security@FreeBSD.ORG From: Mike Tancsa Subject: Re: FreeBSD as VPN server for Win2000 Clients In-Reply-To: <200003281638.BAA90960@decoy.sfc.keio.ac.jp> References: <20000328151254.89244.qmail@hotmail.com> <20000328151254.89244.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG 
Precedence: bulk X-Loop: FreeBSD.org At 01:38 AM 3/29/00 +0900, ARIGA Seiji wrote: ># As far as IPsec concerned, KAME snap is more stable than KAME merged ># in FreeBSD4, in my opinion. So you'd better use FreeBSD3 with KAME ># snap for your purpose. > >-- >ARIGA Seiji Are there any plans to merge KAME snap into RELENG_4 any time soon ? ---Mike ------------------------------------------------------------------------ Mike Tancsa, tel +1 519 651 3400 Network Administrator, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 28 15:26:59 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.hellasnet.gr (mail.hellasnet.gr [212.54.192.3]) by hub.freebsd.org (Postfix) with ESMTP id 3C2C537B598 for ; Tue, 28 Mar 2000 15:26:55 -0800 (PST) (envelope-from keramida@ceid.upatras.gr) Received: from hades.hell.gr (ppp2.patr.hellasnet.gr [212.54.197.17]) by mail.hellasnet.gr (8.9.1/8.9.1) with ESMTP id BAA21961; Wed, 29 Mar 2000 01:25:35 +0200 (GMT) Received: (from charon@localhost) by hades.hell.gr (8.9.3/8.9.3) id CAA07292; Wed, 29 Mar 2000 02:26:52 +0300 (EEST) (envelope-from charon) Date: Wed, 29 Mar 2000 02:26:52 +0300 From: Giorgos Keramidas To: Dag-Erling Smorgrav Cc: Frank Tobin , security@FreeBSD.ORG Subject: Re: Installing modules schg Message-ID: <20000329022652.F6783@hades.hell.gr> Reply-To: keramida@ceid.upatras.gr References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from des@flood.ping.uio.no on Tue, Mar 28, 2000 at 02:41:46PM +0200 X-PGP-Fingerprint: 62 45 D1 C9 26 F9 95 06 D6 21 2A C8 8C 16 C0 8E Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 28, 2000 at 02:41:46PM +0200, Dag-Erling Smorgrav wrote: > Frank Tobin writes: > > [...] 
> > "Preserves all file flags" doesn't exactly explain to what extent install
> > will go to clear the current flags so it can get its job done.
> > Apologies.
>
> In brief: it can at least handle the case where the previously
> existing file was schg. This is done routinely by various Makefiles in
> the cases of ld-elf.so.1, mail.local, rcp and friends, and kernels.

I'm glad to hear this, since I had seen the relevant section of the
kernel makefile, and it uses chflags before calling install. It had me
worrying for a while that installing modules schg once would break the
installation for the next time :/

The part of the kernel Makefile that made me think that way looks like:

.if exists(${DESTDIR}/${KERNEL})
	-chflags noschg ${DESTDIR}/${KERNEL}
	mv ${DESTDIR}/${KERNEL} ${DESTDIR}/${KERNEL}.old
.endif
	install -c -m 555 -o root -g wheel -fschg \
		${KERNEL}${.TARGET:S/install//} ${DESTDIR}/${KERNEL}

But now I can see that it's not because of install that chflags was
required. It's because of mv(1), which I tried on my schg /kernel and
saw it failing, just before posting this.

Thanks Dag-Erling, for clarifying this.

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr>
See the headers of this message for my public key fingerprint.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 28 15:31:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ariel.efis.ucr.ac.cr (ariel.efis.ucr.ac.cr [163.178.110.206]) by hub.freebsd.org (Postfix) with ESMTP id 8358737C0A1 for ; Tue, 28 Mar 2000 15:30:57 -0800 (PST) (envelope-from jmejia@ariel.efis.ucr.ac.cr)
Received: from localhost (jmejia@localhost) by ariel.efis.ucr.ac.cr (8.9.3/8.9.3) with ESMTP id RAA15928; Tue, 28 Mar 2000 17:27:02 -0600
Date: Tue, 28 Mar 2000 17:27:02 -0600 (CST)
From: "Jimmy M. Fernandez"
To: Mohacsi Janos
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: US encryption regulations and FreeBSD crypto programs
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 28 Mar 2000, Mohacsi Janos wrote:
|
|Dear Sirs,
|
| According to the new US encryption regulations (Jan 14, 2000) the
|massmarket encryption products, employing key lengths up to 64 bits
|require the one-time technical review and classification.
|See: http://www.cdt.org/publications/pp_6.02.shtml
|
|And also non retail products can be exported after review, with license.
|Exporting prohibited only to 7 terrorist countries.
|

It is pathetic, the US definitions of terrorist countries... Commonly that
means non-US compatible...
Fortunately not all US citizens share the same opinion.

Jimmy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 28 17:18:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (ipl-229-039.npt-sdsl.stargate.net [208.223.229.39]) by hub.freebsd.org (Postfix) with ESMTP id 5F62037C083 for ; Tue, 28 Mar 2000 17:18:25 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.w2xo.pgh.pa.us [192.168.5.3]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id BAA76128 for ; Wed, 29 Mar 2000 01:18:20 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>
Date: Tue, 28 Mar 2000 20:18:23 -0500
From: Jim Durham
Organization: dis-
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: FTP with firewall rules
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm looking for some input on how to set up
FTP through an IPFW firewall so that you don't
have to run passive mode.

Passive mode makes things like building ports difficult.

I believe that the problem is that the return connection
set up by an FTP server to the client comes from port 20.
To open up "any 20" to high port numbers on your
system seems like a problem to me. Is there a secure
way to do this?

--
Jim Durham

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 28 17:35:18 2000
Delivered-To: freebsd-security@freebsd.org
Received: from agora.rdrop.com (agora.rdrop.com [199.2.210.241]) by hub.freebsd.org (Postfix) with ESMTP id 32CC237BEAE for ; Tue, 28 Mar 2000 17:35:14 -0800 (PST) (envelope-from batie@agora.rdrop.com)
Received: (from batie@localhost) by agora.rdrop.com (8.8.7/8.8.7) id RAA24318; Tue, 28 Mar 2000 17:35:00 -0800 (PST) (envelope-from batie)
Message-ID: <20000328173500.33325@rdrop.com>
Date: Tue, 28 Mar 2000 17:35:00 -0800
From: Alan Batie
To: Jim Durham
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-md5; boundary=1yeeQ81UyVL57Vl7
X-Mailer: Mutt 0.88
In-Reply-To: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>; from Jim Durham on Tue, Mar 28, 2000 at 08:18:23PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--1yeeQ81UyVL57Vl7
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 28, 2000 at 08:18:23PM -0500, Jim Durham wrote:
> Passive mode makes things like building ports difficult.

export FTP_PASSIVE_MODE=YES

> Is there a secure way to do this?

Depends on how low you want to define "secure" as...
-- Alan Batie ______ www.rdrop.com/users/batie Me batie@agora.rdrop.com \ / www.qrd.org The Triangle PGPFP DE 3C 29 17 C0 49 7A \ / www.pgpi.com The Weird Numbers 27 40 A5 3C 37 4A DA 52 B9 \/ www.anti-spam.net NO SPAM! --1yeeQ81UyVL57Vl7 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBOOFdw4v4wNua7QglAQGtIAP9HF27GvfnEDaMD3NDHWMXJ+7Q2Vqp14bh hX4wvKTunfdTbGSwhTyAGEjJ4lsW1tB9Z/6j0NBrPDF9u7P3737icoQ82t/czGIf Ca8Ow7kGWa7BnbDniSIaHSS/wf057LlbTL05gxFdmICOsRvrVJ/8DdiP8EiU+Hsl WGjLofSLy1E= =Ox+j -----END PGP SIGNATURE----- --1yeeQ81UyVL57Vl7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 28 19:11:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (Postfix) with ESMTP id 69C8D37B61D; Tue, 28 Mar 2000 19:11:33 -0800 (PST) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.3/frmug-2.5/nospam) with UUCP id FAA11560; Wed, 29 Mar 2000 05:11:30 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (Postfix, from userid 101) id B54898796; Wed, 29 Mar 2000 00:41:05 +0200 (CEST) Date: Wed, 29 Mar 2000 00:41:05 +0200 From: Ollivier Robert To: freebsd-security@FreeBSD.ORG Cc: shin@FreeBSD.ORG Subject: Re: FreeBSD as VPN server for Win2000 Clients Message-ID: <20000329004105.A75091@keltia.freenix.fr> Mail-Followup-To: freebsd-security@FreeBSD.ORG, shin@FreeBSD.org References: <20000328151254.89244.qmail@hotmail.com> <20000328151254.89244.qmail@hotmail.com> <200003281638.BAA90960@decoy.sfc.keio.ac.jp> <3.0.5.32.20000328142435.01f69b20@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.1.9i In-Reply-To: <3.0.5.32.20000328142435.01f69b20@marble.sentex.ca>; from mike@sentex.ca on Tue, Mar 28, 2000 at 02:24:35PM -0500 
X-Operating-System: FreeBSD 4.0-CURRENT/ELF AMD-K6/200 & 2x PPro/200 SMP Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Mike Tancsa: > Are there any plans to merge KAME snap into RELENG_4 any time soon ? Last time I talked to shin-san (Cc:-ed), soon. There are a few very interesting things in the latest snaps (like Mobile/IPv6) that were waiting for the release to go out. I hope shin-san will incorporate this (and other things like NFS/IPv6) soon :) Expect them in 5.0-C before of course. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 4.0-CURRENT #78: Sun Feb 27 15:32:39 CET 2000 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 28 19:47:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5F5F537BF30; Tue, 28 Mar 2000 19:47:46 -0800 (PST) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id TAA31075; Tue, 28 Mar 2000 19:47:46 -0800 (PST) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 28 Mar 2000 19:47:46 -0800 (PST) From: Kris Kennaway To: Mike Tancsa Cc: Jeff Hamilton , freebsd-net@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD as VPN server for Win2000 Clients In-Reply-To: <3.0.5.32.20000328142245.01bcf4c0@marble.sentex.ca> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 28 Mar 2000, Mike Tancsa wrote: > 2 *possible* options... ptpp (aka point 2 point tunneling protocol), or > ipsec. 
pptp isn't exactly a secure protocol, so you're much better served going
with ipsec unless you can't for some reason.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Mar 28 21:35:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id B1BFE37BAB8 for ; Tue, 28 Mar 2000 21:35:12 -0800 (PST) (envelope-from wes@softweyr.com)
Received: from softweyr.com (Foolstrustidentd@obie.softweyr.com [204.68.178.33]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id WAA28280; Tue, 28 Mar 2000 22:34:41 -0700 (MST) (envelope-from wes@softweyr.com)
Message-ID: <38E19663.46871B22@softweyr.com>
Date: Tue, 28 Mar 2000 22:36:36 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "Jimmy M. Fernandez"
Cc: Mohacsi Janos , freebsd-security@FreeBSD.ORG
Subject: Re: US encryption regulations and FreeBSD crypto programs
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Jimmy M. Fernandez" wrote:
>
> It is pathetic, the US definitions of terrorist countries... Commonly that
> means non-US compatible...
> Fortunately not all US citizens share the same opinion.

22 CFR 126.1 says:

(a) It is the policy of the United States to deny licenses, other approvals,
exports and imports of defense articles and defense services, destined for or
originating in certain countries.
This policy applies to: Albania, Armenia, Azerbaijan, Bulgaria, Byelarus, Cambodia, Cuba, Estonia, Georgia, Iran, Iraq, Libya, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Mongolia, North Korea, Romania, Russia, South Africa, Syria, Tajikistan, Turkmenistan, Ukraine, Uzbekistan and Vietnam. This policy also applies to countries with respect to which the United States maintains an arms embargo (e.g., Burma, China, Liberia, Somalia, the Sudan, the former Yugoslavia, and Zaire) or for whenever an export would not otherwise be in furtherance of world peace and the security and foreign policy of the United States. If we could just get those damned South African terrorists off the FreeBSD security staff, we'd be in a lot better shape on this front. (Yes, this *is* a joke) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Mar 28 22:34:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from mostgraveconcern.com (mostgraveconcern.com [216.82.145.240]) by hub.freebsd.org (Postfix) with ESMTP id ED37137B66F for ; Tue, 28 Mar 2000 22:34:36 -0800 (PST) (envelope-from dan@mostgraveconcern.com) Received: from danco (danco.mostgraveconcern.com [10.0.0.2]) by mostgraveconcern.com (8.9.3/8.9.3) with SMTP id WAA00864; Tue, 28 Mar 2000 22:34:33 -0800 (PST) (envelope-from dan@mostgraveconcern.com) Message-ID: <002601bf9948$d9152580$0200000a@danco> Reply-To: "Dan O'Connor" From: "Dan O'Connor" To: "Wes Peters" Cc: Subject: Re: US encryption regulations and FreeBSD crypto programs Date: Tue, 28 Mar 2000 22:34:34 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3155.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > (a) It is the policy of the United States to deny licenses, other approvals, >exports and imports of defense articles and defense services, destined for or >originating in certain countries. This policy applies to: Albania, Armenia, >Azerbaijan, Bulgaria, Byelarus, Cambodia, Cuba, Estonia, Georgia, Iran, Iraq, >Libya, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Mongolia, North >Korea, Romania, Russia, South Africa, Syria, Tajikistan, Turkmenistan, Ukraine, >Uzbekistan and Vietnam. This policy also applies to countries with respect to >which the United States maintains an arms embargo (e.g., Burma, China, Liberia, >Somalia, the Sudan, the former Yugoslavia, and Zaire) or for whenever an export >would not otherwise be in furtherance of world peace and the security and >foreign policy of the United States. > You'll be happy to know that South Africa is officially off the list in the current 22 CFR 126.1 (http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=22&PART=126&SECTI ON=1&YEAR=1999&TYPE=TEXT): (a) General. It is the policy of the United States to deny licenses, other approvals, exports and imports of defense articles and defense services, destined for or originating in certain countries. This policy applies to Afghanistan, Armenia, Azerbaijan, Belarus, Cuba, Iran, Iraq, Libya, North Korea, Syria, Tajikistan, Ukraine, and Vietnam. This policy also applies to countries with respect to which the United States maintains an arms embargo (e.g. Burma, China, the Federal Republic of Yugoslavia (Serbia and Montenegro), Haiti, Liberia, Rwanda, Somalia, Sudan and Zaire) or whenever an export would not otherwise be in furtherance of world peace and the security and foreign policy of the United States.... 
--Dan -- Dan O'Connor On Matters of Most Grave Concern http://www.mostgraveconcern.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 29 0:57:27 2000 Delivered-To: freebsd-security@freebsd.org Received: from obie.softweyr.com (obie.softweyr.com [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id 9D0C237BE85 for ; Wed, 29 Mar 2000 00:57:22 -0800 (PST) (envelope-from wes@softweyr.com) Received: from softweyr.com (Foolstrustidentd@obie.softweyr.com [204.68.178.33]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id BAA28727; Wed, 29 Mar 2000 01:57:17 -0700 (MST) (envelope-from wes@softweyr.com) Message-ID: <38E1C5DF.6317ACCF@softweyr.com> Date: Wed, 29 Mar 2000 01:59:11 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: "Dan O'Connor" Cc: freebsd-security@FreeBSD.ORG Subject: Re: US encryption regulations and FreeBSD crypto programs References: <002601bf9948$d9152580$0200000a@danco> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dan O'Connor wrote: > > You'll be happy to know that South Africa is officially off the list in the > current 22 CFR 126.1 > (http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=22&PART=126&SECTI > ON=1&YEAR=1999&TYPE=TEXT): > > (a) General. It is the policy of the United States to deny licenses, > other approvals, exports and imports of defense articles and defense > services, destined for or originating in certain countries. This policy > applies to Afghanistan, Armenia, Azerbaijan, Belarus, Cuba, Iran, Iraq, > Libya, North Korea, Syria, Tajikistan, Ukraine, and Vietnam. Good grief, they even took Cambodia off there! And what did poor little Belarus do to get lumped in with the likes of Libya, Iraq, and Iran? 
--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                       http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 29  1:23: 1 2000
Delivered-To: freebsd-security@freebsd.org
Received: from vidle.i.cz (vidle.i.cz [193.179.36.138]) by hub.freebsd.org (Postfix) with ESMTP id 05F9A37B5E2 for ; Wed, 29 Mar 2000 01:22:16 -0800 (PST) (envelope-from mm@i.cz)
Received: from ns.i.cz (brana.i.cz [193.179.36.134]) by vidle.i.cz (Postfix) with ESMTP id B8F1430706 for ; Wed, 29 Mar 2000 11:22:14 +0200 (CEST)
Received: from woody.i.cz (woody.i.cz [192.168.18.29]) by ns.i.cz (Postfix) with ESMTP id 4396036416 for ; Wed, 29 Mar 2000 11:22:14 +0200 (CEST)
Content-Length: 559
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <38E1C5DF.6317ACCF@softweyr.com>
Date: Wed, 29 Mar 2000 11:22:14 +0200 (MET DST)
Reply-To: mm@i.cz
From: Martin Machacek
To: freebsd-security@FreeBSD.ORG
Subject: Re: US encryption regulations and FreeBSD crypto programs
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 29-Mar-00 Wes Peters wrote:
> And what did poor little Belarus do to get lumped in with the likes of Libya,
> Iraq, and Iran?

That's probably because of their self-elected president Lukashschenko who is
still in charge despite the fact that his election period ended two years
ago. I also don't see why poor Belarusians have to be punished because of
their dictator-like president, but that seems to be the American way of
dealing with such things :-).

Well, this is getting way off topic for this list, isn't it?
Martin --- [PGP KeyID F3F409C4] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 29 1:24:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from access.sanet.ge (access.sanet.ge [212.72.130.51]) by hub.freebsd.org (Postfix) with ESMTP id 019D137BEE0 for ; Wed, 29 Mar 2000 01:24:05 -0800 (PST) (envelope-from bm@access.sanet.ge) Received: from localhost (bm@localhost) by access.sanet.ge (8.9.3/8.9.3) with ESMTP id OAA10583; Wed, 29 Mar 2000 14:29:22 +0500 (GET) Date: Wed, 29 Mar 2000 14:29:22 +0500 (GET) From: Andrew Novikov To: Wes Peters Cc: "Dan O'Connor" , freebsd-security@FreeBSD.ORG Subject: Re: US encryption regulations and FreeBSD crypto programs In-Reply-To: <38E1C5DF.6317ACCF@softweyr.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Software should be free, isn't it ? Including encryption software ? Ha ? ---------------------------------------- Andrew Novikov Chief Engineer Sa*Net Network http://www.sanet.ge Email: bm@access.sanet.ge, bm@sanet.ge On Wed, 29 Mar 2000, Wes Peters wrote: > Dan O'Connor wrote: > > > > You'll be happy to know that South Africa is officially off the list in the > > current 22 CFR 126.1 > > (http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?TITLE=22&PART=126&SECTI > > ON=1&YEAR=1999&TYPE=TEXT): > > > > (a) General. It is the policy of the United States to deny licenses, > > other approvals, exports and imports of defense articles and defense > > services, destined for or originating in certain countries. This policy > > applies to Afghanistan, Armenia, Azerbaijan, Belarus, Cuba, Iran, Iraq, > > Libya, North Korea, Syria, Tajikistan, Ukraine, and Vietnam. > > Good grief, they even took Cambodia off there! And what did poor little > Belarus do to get lumped in with the likes of Libya, Iraq, and Iran? 
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                                Softweyr LLC
> wes@softweyr.com                                       http://softweyr.com/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 29  4:16:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id B570737BB82 for ; Wed, 29 Mar 2000 04:16:35 -0800 (PST) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id JAA25820; Wed, 29 Mar 2000 09:16:45 -0300 (GMT)
From: Fernando Schapachnik
Message-Id: <200003291216.JAA25820@ns1.via-net-works.net.ar>
Subject: Re: FTP with firewall rules
In-Reply-To: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> from Jim Durham at "Mar 28, 0 08:18:23 pm"
To: durham@w2xo.pgh.pa.us (Jim Durham)
Date: Wed, 29 Mar 2000 09:16:45 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What I have done is to configure FTPd to use ports between 40000 and
44999 (wu-ftpd allows it to be done easily; don't know others) and then:

allow tcp from any to my_ip 40000-44999 in setup

It's not the best, but still better than nothing.

Anyway, remember that on passive FTP the client opens a TCP con. from
>1024 to 21 and the server picks a port (in the mentioned range in
this case), tells it to the client and then the client connects from
>1024 to this port.

Port 20 is used in normal FTP: the client connects from >1024 to 21
and the server connects from >1024 to 20 on the client for the data
connection.

(Warning: this is from the top of my head, I don't have "Building
Internet FWs" or similar around right now.)

Regards!

In an earlier message, Jim Durham wrote:
> I'm looking for some input on how to set up
> FTP through an IPFW firewall so that you don't
> have to run passive mode.
>
> Passive mode makes things like building ports difficult.
>
> I believe that the problem is that the return connection
> set up by an FTP server to the client comes from port 20.
> To open up "any 20" to high port numbers on your
> system seems like a problem to me. Is there a secure
> way to do this?

Fernando P. Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Mar 29  6:42:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fgwmail7.fujitsu.co.jp (fgwmail7.fujitsu.co.jp [192.51.44.37]) by hub.freebsd.org (Postfix) with ESMTP id 98B1237B731; Wed, 29 Mar 2000 06:42:18 -0800 (PST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from m1.gw.fujitsu.co.jp by fgwmail7.fujitsu.co.jp (8.9.3/3.7W-MX0002-Fujitsu Gateway) id XAA02875; Wed, 29 Mar 2000 23:42:00 +0900 (JST) (envelope-from shin@nd.net.fujitsu.co.jp)
Received: from incapgw.fujitsu.co.jp by m1.gw.fujitsu.co.jp (8.9.3/3.7W-0003-Fujitsu Domain Master) id XAA17651; Wed, 29 Mar 2000 23:41:55 +0900 (JST)
Received: from localhost ([192.168.245.170]) by incapgw.fujitsu.co.jp (8.9.3/3.7W-0002) id XAA04174; Wed, 29 Mar 2000 23:41:53 +0900 (JST)
To: roberto@keltia.freenix.fr
Cc: freebsd-security@FreeBSD.ORG, shin@FreeBSD.ORG
Subject: Re: FreeBSD as VPN server for Win2000 Clients
In-Reply-To: <20000329004105.A75091@keltia.freenix.fr>
References:
<200003281638.BAA90960@decoy.sfc.keio.ac.jp> <3.0.5.32.20000328142435.01f69b20@marble.sentex.ca> <20000329004105.A75091@keltia.freenix.fr> X-Mailer: Mew version 1.94 on Emacs 20.4 / Mule 4.0 (HANANOEN) X-Prom-Mew: Prom-Mew 1.93.4 (procmail reader for Mew) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20000329234254S.shin@nd.net.fujitsu.co.jp> Date: Wed, 29 Mar 2000 23:42:54 +0900 From: Yoshinobu Inoue X-Dispatcher: imput version 990905(IM130) Lines: 15 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Last time I talked to shin-san (Cc:-ed), soon. > > There are a few very interesting things in the latest snaps (like Mobile/IPv6) > that were waiting for the release to go out. I hope shin-san will incorporate > this (and other things like NFS/IPv6) soon :) > > Expect them in 5.0-C before of course. > -- > Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr I might prepare Mobile/IPv6 patches for interesting people at first. Please wait some more. Cheers, Yoshinobu Inoue To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Mar 29 9:30:20 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.everyday.cx (cr308584-a.wlfdle1.on.wave.home.com [24.114.52.208]) by hub.freebsd.org (Postfix) with ESMTP id 54E7537B5FF for ; Wed, 29 Mar 2000 09:30:16 -0800 (PST) (envelope-from pccb@yahoo.com) Received: from bambam.objtech.com (bambam.objtech.com [192.168.111.1]) by mail.everyday.cx (Postfix) with ESMTP id 4015618F6 for ; Wed, 29 Mar 2000 12:30:09 -0500 (EST) Date: Wed, 29 Mar 2000 12:30:08 -0500 From: Pierre Chiu X-Mailer: The Bat! 
Reply-To: Pierre Chiu
Organization: ObjTech Corporation
Message-ID: <4520.000329@yahoo.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules

In FreeBSD 4.0, ipfw supports stateful inspection.

I think this is very useful for running an ftp server and would work for both
active and passive setup.

Can somebody share their rulesets with us?

> What I have done is to configure FTPd to use ports between 40000 and
> 44999 (wu-ftpd allows it to be done easily; don't know others) and then:
>
> allow tcp from any to my_ip 40000-44999 in setup
>
> It's not the best, but still better than nothing.
>
> Anyway, remember that on passive FTP the client opens a TCP con. from
> >1024 to 21 and, the server picks a port (in the mentioned range in
> this case), tells it to the client and then the client connects from
> >1024 to this port.
>
> Port 20 is used in normal FTP: the client connects from >1024 to 21
> and the server connects from >1024 to 20 on the client for the data
> connection.
>
> (Warning: this is from the top of my head, I don't have "Building
> Internet FWs" or similar around right now.)
>
> Regards!
>
> In an earlier message, Jim Durham wrote:
>> I'm looking for some input on how to set up
>> FTP through an IPFW firewall so that you don't
>> have to run passive mode.
>>
>> Passive mode makes things like building ports difficult.
>>
>> I believe that the problem is that the return connection
>> set up by an FTP server to the client comes from port 20.
>> To open up "any 20" to high port numbers on your
>> system seems like a problem to me. Is there a secure
>> way to do this?
>
> Fernando P. Schapachnik
> Network Administration
> VIA NET.WORKS ARGENTINA S.A.
> fernando@via-net-works.net.ar
> (54-11) 4323-3333
>

--
Pierre
EMail : mailto:pccb(at)yahoo(dot)com
PGPkey: http://www.everyday.cx/pgpkey.txt
paradigm shift...without a clutch

From owner-freebsd-security Wed Mar 29 9:59:48 2000
Message-ID: <20000329095845.54716@rdrop.com>
Date: Wed, 29 Mar 2000 09:58:45 -0800
From: Alan Batie
To: Pierre Chiu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
References: <4520.000329@yahoo.com>
In-Reply-To: <4520.000329@yahoo.com>; from Pierre Chiu on Wed, Mar 29, 2000 at 12:30:08PM -0500

On Wed, Mar 29, 2000 at 12:30:08PM -0500, Pierre Chiu wrote:
> In FreeBSD 4.0, ipfw supports stateful inspection.
>
> I think this is very useful for running an ftp server and would work for both
> active and passive setup.

As I read the man page, that doesn't mean what it sounds like you think it
means. To do active mode ftp properly, ipfw would need to parse the contents
of the packets on the ftp control channel and dynamically allow the
corresponding incoming connection. There's no indication that this parsing
capability is present.
On the other hand, it's not clear just what keep-state/check-state do
either; what is the difference between the example:

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from my-net to any setup keep-state

and

ipfw add allow tcp from any to my-net established
ipfw add allow tcp from my-net to any

Both only allow outgoing connections. I suppose in the latter case, it would
be possible to send in packets that pretend to be "established" but I'm not
sure what that would get a hacker...

--
Alan Batie                 www.rdrop.com/users/batie   Me
batie@agora.rdrop.com      www.qrd.org                 The Triangle
PGPFP DE 3C 29 17 C0 49 7A www.pgpi.com                The Weird Numbers
27 40 A5 3C 37 4A DA 52 B9 www.anti-spam.net           NO SPAM!

From owner-freebsd-security Wed Mar 29 11:16:47 2000
Date: Wed, 29 Mar 2000 11:15:48 -0800 (PST)
From: Scott
To: freebsd-security@freebsd.org
Subject: Help securing fresh install from CD

Hello to all:

I have just ordered
a new PC to install the January release of FreeBSD from CD.
I was wondering how secure FreeBSD is out-of-the-box,
and what additional steps I need to take in securing it.

My experience has been with securing Linux and Solaris boxes -
commenting out non-needed services in /etc/inetd.conf, looking for SUID and
GUID programs, installing SSH, etc.

What specifics are needed for FreeBSD, also considering this system will likely
double as a firewall.

Thanks.

Scott

From owner-freebsd-security Wed Mar 29 16:49:28 2000
Date: Wed, 29 Mar 2000 16:49:05 -0800 (PST)
From: Allan Saddi
To: Alan Batie
Cc: Pierre Chiu, freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000329095845.54716@rdrop.com>
Organization: Philosophy SoftWorks

On Wed, 29 Mar 2000, Alan Batie wrote:
> ...To do active mode ftp properly, ipfw would need to parse the
> contents of the packets on the ftp control channel and dynamically allow
> the corresponding incoming connection. There's no indication that this
> parsing capability is present.

Interestingly enough, sometime back, Eivind Eklund added a feature to
allow libalias(3) to "punch holes" in an ipfw-based firewall. The code is
apparently still there.
Unfortunately, it seems like neither natd nor ppp take advantage of this
feature. (Currently, there's no way to turn it on.)

It would be a seemingly trivial modification... but maybe there's some
reason why it was never incorporated into natd/ppp?

--
Allan Saddi                          "The Earth is the cradle of mankind,
asaddi@philosophysw.com               but we cannot live in the cradle
http://www.philosophysw.com/asaddi/   forever." - K.E. Tsiolkovsky

From owner-freebsd-security Wed Mar 29 18:32:39 2000
Date: Wed, 29 Mar 2000 21:32:07 -0500
From: "Crist J. Clark"
To: Scott
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help securing fresh install from CD
Message-ID: <20000329213207.A17852@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
In-Reply-To: ; from scotte@speakeasy.org on Wed, Mar 29, 2000 at 11:15:48AM -0800

On Wed, Mar 29, 2000 at 11:15:48AM -0800, Scott wrote:
> Hello to all:
>
> I have just ordered a new PC to install the January release of FreeBSD from CD.
> I was wondering how secure FreeBSD is out-of-the-box,
> and what additional steps I need to take in securing it.
>
> My experience has been with securing Linux and Solaris boxes -
> commenting out non-needed services in /etc/inetd.conf, looking for SUID and
> GUID programs, installing SSH, etc.
>
> What specifics are needed for FreeBSD, also considering this system will likely
> double as a firewall.

Most of the same steps, edit inetd.conf and hosts.allow. OpenSSH is now
part of the base system, so that is done for you. Check for unneeded suid
and guid (uucp is one on my system, but I would be shocked to see someone
find a hole in that after all of these years).

What you might be more interested in is the 'schg' flag (man chflags) and
securelevels (man init) in FreeBSD.

For a firewall, there are kernel config options and sysctl options you need
to consider to defeat or at least lessen the effect of certain remote DOS
attacks (e.g. SYN attacks).

--
Crist J. Clark                           cjclark@home.com

From owner-freebsd-security Wed Mar 29 21:52:36 2000
Message-ID: <024001bf9a0c$157d9520$0200000a@danco>
Reply-To: "Dan O'Connor"
From: "Dan O'Connor"
To: "Wes Peters"
Subject: OT: US encryption regulations and FreeBSD crypto programs
Date: Wed, 29 Mar 2000 21:52:07 -0800

>> (a) General.
>> It is the policy of the United States to deny licenses,
>> other approvals, exports and imports of defense articles and defense
>> services, destined for or originating in certain countries. This policy
>> applies to Afghanistan, Armenia, Azerbaijan, Belarus, Cuba, Iran, Iraq,
>> Libya, North Korea, Syria, Tajikistan, Ukraine, and Vietnam.
>
> Good grief, they even took Cambodia off there! And what did poor little
> Belarus do to get lumped in with the likes of Libya, Iraq, and Iran?

Must have offended somebody at a State dinner or something. :-)

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

From owner-freebsd-security Wed Mar 29 22:03:00 2000
Message-ID: <024501bf9a0d$93f93b60$0200000a@danco>
Reply-To: "Dan O'Connor"
From: "Dan O'Connor"
To: "Andrew Novikov"
Subject: OT: US encryption regulations and FreeBSD crypto programs
Date: Wed, 29 Mar 2000 22:02:49 -0800

> Software should be free, isn't it ? Including encryption software ? Ha ?

No. Encryption software should not be free.
The United States government is doing its best to protect its citizens
from all you foreigners out there who might want to attack us with strong
encryption. Luckily, no one outside the U.S. knows how to build encryption
software.

Er, oops.

Well, I'm sure the Government boys thought the export ban was a good idea at
the time... :-)

(As an apology to the rest of the world: I'm afraid we Americans have let our
Government get way too far out of control. We have our work cut out for us to
try to rein it in...)

--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

From owner-freebsd-security Wed Mar 29 23:57:11 2000
From: "Sergey N. Voronkov"
Message-Id: <200003300756.NAA41985@dor.zaural.ru>
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
In-Reply-To: <024501bf9a0d$93f93b60$0200000a@danco> from "Dan O'Connor" at "Mar 29, 2000 10:02:49 pm"
To: "Dan O'Connor"
Date: Thu, 30 Mar 2000 13:56:29 +0600 (YEKST)
Cc: freebsd-security@freebsd.org

> > Software should be free, isn't it ? Including encryption software ? Ha ?
>
> No. Encryption software should not be free. The United States government is
> doing its best to protect its citizens from all you foreigners out there
> who might want to attack us with strong encryption.
> Luckily, no one outside

It is true not only for the US. In Russia there is also the so-called FAPSI,
which controls all encryption (and business-encryption) related software.

> the U.S. knows how to build encryption software.

You are wrong. Have you seen something about GOST? ;-)))) It's a word about
Russian encryption software. On the other hand, I was reading an article about
encryption from the UK, Finland etc... I don't remember where it was published,
but it is.

Good Luck!

Serg N. Voronkov.

P.S.: It was a known attempt to get around US export licenses - JAR & ARJ
(latest versions) from R. Jung, which use GOST as a strong encryption
algorithm. This software can be used inside the US and most other countries
without any law-related restrictions...

From owner-freebsd-security Thu Mar 30 02:01:55 2000
Date: Thu, 30 Mar 2000 13:59:01 +0400
Message-Id: <200003300959.NAA06486@paranoid.eltex.spb.ru>
In-Reply-To: <200003300756.NAA41985@dor.zaural.ru> from "Sergey N.
Voronkov"
From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
To: serg@dor.zaural.ru
Cc: freebsd-security@FreeBSD.ORG, dan@mostgraveconcern.com

nuqneH,

GOST is slow, though. And it has some nasty limitations: it cannot be used
as is to encrypt streamed data on the fly, AFAIR. There are workarounds,
though.

"Sergey N. Voronkov" said :

> > the U.S. knows how to build encryption software.
>
> You are wrong. Have you seen something about GOST? ;-)))) It's a word about
> Russian encryption software. On the other hand, I was reading an article about
> encryption from the UK, Finland etc... I don't remember where it was published,
> but it is.

CU in Hell                          /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
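Back to the FTP thread: below is an added Python model (not code from any post here, and not ipfw itself) of the two rulesets Alan Batie compares above, run over a constructed active-mode FTP exchange of the kind Jim Durham asked about. The network 10.1.0.0/16, the addresses, the packets and the PORT line are all constructed, and punch_hole is a stand-in for the libalias hole-punching Allan Saddi mentions.

```python
# Toy model of the two ipfw rulesets compared in this thread (not ipfw code):
# 'dynamic' stands in for the state table keep-state fills and check-state reads.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

MY_NET = ip_network("10.1.0.0/16")  # constructed stand-in for "my-net"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def is_setup(p):
    # ipfw 'setup': SYN set and ACK clear, the first packet of a handshake
    return p.syn and not p.ack

def is_established(p):
    # ipfw 'established': ACK or RST set; any sender can set those bits
    return p.ack or p.rst

class StatefulFirewall:
    """ipfw add check-state
    ipfw add deny tcp from any to any established
    ipfw add allow tcp from my-net to any setup keep-state"""

    def __init__(self):
        self.dynamic = set()  # (src, sport, dst, dport) entries made by keep-state

    def punch_hole(self, src, sport, dst, dport):
        # Stand-in for an FTP-aware helper (libalias) that has read a PORT
        # command and pre-creates state for the expected inbound data SYN.
        self.dynamic.add((src, sport, dst, dport))

    def evaluate(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:  # check-state, both ways
            return "allow"
        if is_established(p):  # deny tcp from any to any established
            return "deny"
        if ip_address(p.src) in MY_NET and is_setup(p):  # allow ... setup keep-state
            self.dynamic.add(fwd)
            return "allow"
        return "deny"  # default deny at the end of the ruleset

class StatelessFirewall:
    """ipfw add allow tcp from any to my-net established
    ipfw add allow tcp from my-net to any"""

    def evaluate(self, p):
        if ip_address(p.dst) in MY_NET and is_established(p):
            return "allow"  # no state: an ACK-only packet with no prior SYN matches
        if ip_address(p.src) in MY_NET:
            return "allow"
        return "deny"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

def parse_port_command(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (host, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

# Constructed traffic: a client inside my-net talking to an FTP server outside.
CLIENT, SERVER = "10.1.2.3", "192.0.2.10"
SCENARIO = [
    Packet(CLIENT, 40001, SERVER, 21, syn=True),            # outbound control SYN
    Packet(SERVER, 21, CLIENT, 40001, syn=True, ack=True),  # SYN/ACK reply
    Packet("198.51.100.7", 1234, CLIENT, 22, ack=True),     # ACK with no prior SYN
    Packet(SERVER, 20, CLIENT, 40002, syn=True),            # active-mode data SYN
]

def run(fw, packets):
    return [fw.evaluate(p) for p in packets]

def active_ftp_with_helper():
    """The same data SYN, after a helper parsed the client's PORT command."""
    fw = StatefulFirewall()
    host, port = parse_port_command("PORT 10,1,2,3,156,66\r\n")  # 156*256+66 = 40002
    fw.punch_hole(SERVER, 20, host, port)
    return fw.evaluate(SCENARIO[3])

if __name__ == "__main__":
    print("stateful :", run(StatefulFirewall(), SCENARIO))   # allow allow deny deny
    print("stateless:", run(StatelessFirewall(), SCENARIO))  # allow allow allow deny
    print("data SYN with helper:", active_ftp_with_helper())  # allow
```

The third packet is the ACK-with-no-SYN case Alan wonders about: the established ruleset passes it, the check-state one drops it. The fourth shows that neither ruleset passes the server's port-20 data SYN on its own; only a helper that has parsed the PORT command can open that one connection.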
From owner-freebsd-security Thu Mar 30 6:17:35 2000
From: Fernando Schapachnik
Message-Id: <200003301416.LAA04481@ns1.via-net-works.net.ar>
Subject: Re: FTP with firewall rules
In-Reply-To: <20000329095845.54716@rdrop.com> from Alan Batie at "Mar 29, 0 09:58:45 am"
To: batie@rdrop.com (Alan Batie)
Date: Thu, 30 Mar 2000 11:16:47 -0300 (GMT)
Cc: pccb@yahoo.com, freebsd-security@FreeBSD.ORG
Reply-To: Fernando Schapachnik

In an earlier message, Alan Batie wrote:
> On the other hand, it's not clear just what keep-state/check-state do
> either; what is the difference between the example:
>
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> and
>
> ipfw add allow tcp from any to my-net established
> ipfw add allow tcp from my-net to any

This permits packets with ACK turned on, even if there wasn't a SYN before.
The former doesn't.

Regards.

Fernando P.
Schapachnik
Network Administration
VIA NET.WORKS ARGENTINA S.A.
fernando@via-net-works.net.ar
(54-11) 4323-3333

From owner-freebsd-security Thu Mar 30 6:49:40 2000
Message-ID: <0ed601bf9a57$1fae1d80$0200000a@danco>
Reply-To: "Dan O'Connor"
From: "Dan O'Connor"
To: "Sergey N. Voronkov"
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
Date: Thu, 30 Mar 2000 06:48:51 -0800

>> the U.S. knows how to build encryption software.
>
> You are wrong.

Yes, it was a Joke...

I was merely attempting to point out the stupidity of U.S. export
restrictions, which only serve to ensure that U.S. companies don't
participate in the world-wide encryption marketplace...
--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

From owner-freebsd-security Thu Mar 30 08:33:06 2000
From: Kiril Mitev
Message-Id: <200003301638.QAA76073@loki.ideaglobal.com>
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
In-Reply-To: <200003300756.NAA41985@dor.zaural.ru> from "Sergey N. Voronkov" at "Mar 30, 2000 1:56:29 pm"
To: serg@dor.zaural.ru (Sergey N. Voronkov)
Date: Thu, 30 Mar 2000 16:38:00 +0000 (GMT)
Cc: dan@mostgraveconcern.com, freebsd-security@FreeBSD.ORG

Seryozha, he was only joking ....

> > > Software should be free, isn't it ? Including encryption software ? Ha ?
> >
> > No. Encryption software should not be free. The United States government is
> > doing its best to protect its citizens from all you foreigners out there
> > who might want to attack us with strong encryption. Luckily, no one outside
>
> It is true not only for the US. In Russia there is also the so-called FAPSI,
> which controls all encryption (and business-encryption) related software.
>
> > the U.S. knows how to build encryption software.
>
> You are wrong. Have you seen something about GOST? ;-)))) It's a word about
> Russian encryption software.
> On the other hand, I was reading an article about
> encryption from the UK, Finland etc... I don't remember where it was published,
> but it is.
>
> Good Luck!
>
> Serg N. Voronkov.
>
> P.S.: It was a known attempt to get around US export licenses - JAR & ARJ
> (latest versions) from R. Jung, which use GOST as a strong encryption
> algorithm. This software can be used inside the US and most other countries
> without any law-related restrictions...

--
Kiril Mitev, IT Operations Mgr, London IDEAglobal.com
Standard Corporate Disclaimer applies, see
http://www.ideaglobal.com/email-disclaimer.html for details.

From owner-freebsd-security Thu Mar 30 13:30:26 2000
Date: Mon, 27 Mar 2000 18:50:20 -0500 (EST)
From: Omachonu Ogali
To: Blake Matheny
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall Rules

Try:

ipfw add deny all from 192.168.2.1/24 to any

On Mon, 27 Mar 2000, Blake Matheny wrote:
> I have a standard dual homed firewall that has the following options
> compiled in the kernel:
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPDIVERT
> I added the following rule to my firewall rules list to disallow 1
> workstation from having access to the internet:
> ipfw add deny tcp from 192.168.2.1/24 to any setup
> ipfw add deny tcp from
> 192.168.2.1/24 to any
> This machine is running nat and routed. Although these rules are loaded as
> shown by ipfw list this machine still has access to the internet, is this
> a flaw in my syntax, implementation, or what? Thanks.
>
> Blake Matheny
> Network Engineer
> Bussert Consulting
>

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                  |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34        |
+-------------------------------------------------------------------------+

From owner-freebsd-security Thu Mar 30 18:12:57 2000
Date: Thu, 30 Mar 2000 21:11:32 -0500
From: "Crist J. Clark"
To: "Dan O'Connor"
Cc: "Sergey N.
Voronkov", freebsd-security@FreeBSD.ORG
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
Message-ID: <20000330211132.A21512@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <0ed601bf9a57$1fae1d80$0200000a@danco>
In-Reply-To: <0ed601bf9a57$1fae1d80$0200000a@danco>; from dan@mostgraveconcern.com on Thu, Mar 30, 2000 at 06:48:51AM -0800

On Thu, Mar 30, 2000 at 06:48:51AM -0800, Dan O'Connor wrote:
> >> the U.S. knows how to build encryption software.
> >
> > You are wrong.
>
> Yes, it was a Joke...
>
> I was merely attempting to point out the stupidity of U.S. export
> restrictions, which only serve to ensure that U.S. companies don't
> participate in the world-wide encryption marketplace...

The train of thought goes that if USAian companies were allowed to export
encryption software without restrictions, encryption would very quickly
become a standard feature on _everything_ (domestic and abroad). However,
since so many countries are completely or partially dependent on US
technology (whether it be Windoze or hardware), they cannot go all encrypted
in order for things to be compatible with products from the USA.
Compatibility also keeps the USA from going all encrypted too, which Janet
Reno likes.

Basically, since the USA dominates the world-wide software marketplace but
they can't play in the encryption market, the encryption market is not as
big as it otherwise would be.

Not that I agree with the policies, but that's the present rationale behind
them.

--
Crist J.
Clark                           cjclark@home.com

From owner-freebsd-security Thu Mar 30 19:26:40 2000
Message-ID: <18940469.954472720111.JavaMail.imail@cheeks.excite.com>
Date: Thu, 30 Mar 2000 19:18:40 -0800 (PST)
From: Sergio Valdes-Flores
To: "Sergey N. Voronkov", Dan O'Connor
Subject: Re: OT: US encryption regulations and FreeBSD crypto programs
Cc: freebsd-security@freebsd.org

The whole history of American encryption, Sergey, comrade, hehe, owes a debt
of gratitude to their foreign Canadians....damn those Canadians....but then
again, what world history or views do they teach our good folks over
here...we third worlders are all a bunch of savages still somehow, simply,
we all first needed to be protestantized and when that didn't work, now we
all need to be 'dollarized'...;-) oh well, gimme some dough to break with
you instead and be friends for real ;)

This was also a joke, but inside it there are tidbits of truth.

Good Luck ye all with TAMING THE US GOV'T, maybe we should GOST 'em!!! .

Sergio

On Thu, 30 Mar 2000 13:56:29 +0600 (YEKST), Sergey N. Voronkov wrote:
> > > Software should be free, isn't it ? Including encryption software ? Ha ?
> >
> > No.
> > Encryption software should not be free. The United States government is
> > doing its best to protect its citizens from all you foreigners out there
> > who might want to attack us with strong encryption. Luckily, no one outside
>
> It is true not only for the US. In Russia there is also the so-called FAPSI,
> which controls all encryption (and business-encryption) related software.
>
> > the U.S. knows how to build encryption software.
>
> You are wrong. Have you seen something about GOST? ;-)))) It's a word about
> Russian encryption software. On the other hand, I was reading an article about
> encryption from the UK, Finland etc... I don't remember where it was published,
> but it is.
>
> Good Luck!
>
> Serg N. Voronkov.
>
> P.S.: It was a known attempt to get around US export licenses - JAR & ARJ
> (latest versions) from R. Jung, which use GOST as a strong encryption
> algorithm. This software can be used inside the US and most other countries
> without any law-related restrictions...
>

From owner-freebsd-security Fri Mar 31 5:19:48 2000
From: Zahemszky Gabor
Message-Id: <200003311303.PAA00755@CoDe.hu>
Subject: Re:
pamd with logons In-Reply-To: from Alex Michlin at "Mar 27, 0 10:54:38 pm" To: freebsd-security@freebsd.org Date: Fri, 31 Mar 2000 15:03:20 +0200 (CEST) Cc: alex@delete.org X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > How can I specify in pamd to deny all logons except for a select few? > I've seen in the past someone adding a user account using a ftp exploit. I > want to deny all logons except for my uid? It's not pamd (by the way, in BSD-land, it's only PAM), but normal login: man login.conf, eg. nologin, or shell=/usr/bin/false, etc. ZGabor at CoDe dot HU -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? 
]]||typeset -l i;X="$X $i";typeset +l i;};print "$X" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Mar 31 5:21:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from nenya.ms.mff.cuni.cz (nenya.ms.mff.cuni.cz [195.113.17.179]) by hub.freebsd.org (Postfix) with ESMTP id 8125137BF20 for ; Fri, 31 Mar 2000 05:21:30 -0800 (PST) (envelope-from mencl@nenya.ms.mff.cuni.cz) Received: from localhost (mencl@localhost) by nenya.ms.mff.cuni.cz (8.9.3+Sun/8.9.1) with ESMTP id PAA19721 for ; Fri, 31 Mar 2000 15:04:06 +0200 (MET DST) Date: Fri, 31 Mar 2000 15:04:06 +0200 (MET DST) From: "Vladimir Mencl, MK, susSED" To: freebsd-security@FreeBSD.ORG Subject: Re: FTP with firewall rules In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Mar 2000, Allan Saddi wrote: > On Wed, 29 Mar 2000, Alan Batie wrote: > > > ...To do active mode ftp properly, ipfw would need to parse the > > contents of the packets on the ftp control channel and dynamically allow > > the corresponding incoming connection. There's no indication that this > > parsing capability is present. > > Interestingly enough, sometime back, Eivind Eklund added a feature to > allow libalias(3) to "punch holes" in an ipfw-based firewall. The code is > apparently still there. Unfortunately, it seems like neither natd nor ppp > take advantage of this feature. (Currently, there's no way to turn it on.) > > It would be a seemingly trivial modification... but maybe there's some > reason why it was never incorporated into natd/ppp? The modification could be possibly "trivial", but would involve quite a lot of implementation. There're many protocols, which would have to be parsed at the application layer - ftp, talk/ntalk to name a few. 
Others might include the real audio protocols - but I do not know these well enough.

A long time ago, I wrote a userland program that could "punch holes" for incoming data connections created by outgoing talk requests.

But to have a firewall allowing correct operation of all outgoing "requests", you would have to explore all the protocols you wish to support, implement a filter which would scan either UDP packets or the TCP stream, and interact with the firewall setup. And also - you would have to develop some rules for selecting the proper filter. It is clear that a connection to port 21 is a ftp control connection - but services might be running on arbitrary ports, and you might wish to support access to them too.

And furthermore, you should take some security considerations about the effects of establishing such a firewall. By submitting a link to an ftp site (possibly in a forged html page), an attacker might open a hole in the firewall for himself. Yes, with a very limited range of possibilities, but this might be considered as a security risk by some admins. But still it might be better than allowing any TCP connection coming from port 20.

Vladimir Mencl

From owner-freebsd-security Fri Mar 31 7:58:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from usgate02.e-mail.com (usgate02.e-mail.com [204.146.55.142]) by hub.freebsd.org (Postfix) with ESMTP id 85C1337BAEA for ; Fri, 31 Mar 2000 07:58:00 -0800 (PST) (envelope-from Adam_Woodbeck@keykertusa.com)
Received: by usgate.e-mail.com with SMTP id PAA101088 for ; Fri, 31 Mar 2000 15:55:59 GMT
Received: by SCH.ADVANTIS.COM (Soft-Switch LMS 3.2) with snapi via USCCRG01 id 0039010010682121; Fri, 31 Mar 2000 10:55:59 -0500
From: "Adam Woodbeck (KEYKERTUSA)"
To:
Subject: Firewall rules for an internet FTP server?
Message-ID: <0039010010682121000002L112*@MHS>
Date: Fri, 31 Mar 2000 10:55:59 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm putting an ftp server online soon and I wanted to get your input on what ports you suggest I open up to the Internet. I have the firewall set up to use the "client" configuration. I've added a few lines to open up FTP to the Internet as well as allow other services to my local network. I've also added what I think will allow me to update the FTP server through CVS. Does anyone suggest I change anything on this configuration or does it look pretty complete?

Thanks for the help!

Adam

# set these to your network and netmask and ip
net="10.0.0.0"
mask="255.255.255.0"
ip="10.0.0.10"

# Allow ping to or from anyone.
# ICMP flood protection compiled into the kernel.
${fwcmd} add pass icmp from ${ip} to any
${fwcmd} add pass icmp from any to ${ip}

# Allow ftp access to or from anyone.
${fwcmd} add pass tcp from ${ip} 21 to any
${fwcmd} add pass tcp from any to ${ip} 21
${fwcmd} add pass udp from ${ip} 21 to any
${fwcmd} add pass udp from any to ${ip} 21

# Allow CVS access
${fwcmd} add pass tcp from ${ip} 2401 to any
${fwcmd} add pass tcp from any to ${ip} 2401
${fwcmd} add pass udp from ${ip} 2401 to any
${fwcmd} add pass udp from any to ${ip} 2401
${fwcmd} add pass tcp from ${ip} 5999 to any
${fwcmd} add pass tcp from any to ${ip} 5999

# Allow ssh traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 22
${fwcmd} add pass udp from ${ip} 22 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 22

# Allow smtp traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 25
${fwcmd} add pass udp from ${ip} 25 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 25

# Allow domain traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 53

# Allow http traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 80
${fwcmd} add pass udp from ${ip} 80 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 80

# Allow pop3 traffic to or from my own net.
${fwcmd} add pass tcp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass tcp from ${net}:${mask} to ${ip} 110
${fwcmd} add pass udp from ${ip} 110 to ${net}:${mask}
${fwcmd} add pass udp from ${net}:${mask} to ${ip} 110

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag

# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${ip} 25 setup

# Allow setup of outgoing TCP connections only
${fwcmd} add pass tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup

# Allow DNS queries out in the world
${fwcmd} add pass udp from any 53 to ${ip}
${fwcmd} add pass udp from ${ip} to any 53

# Allow NTP queries out in the world
${fwcmd} add pass udp from any 123 to ${ip}
${fwcmd} add pass udp from ${ip} to any 123

# Everything else is denied by default

From owner-freebsd-security Fri Mar 31 9:14:55 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com
(gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id 3D89E37BCD8 for ; Fri, 31 Mar 2000 09:14:53 -0800 (PST) (envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Fri, 31 Mar 2000 10:14:52 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma026130; Fri, 31 Mar 00 10:14:22 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id KAA03612; Fri, 31 Mar 2000 10:12:37 -0700 (MST)
Date: Fri, 31 Mar 2000 10:12:37 -0700 (MST)
From: Paul Hart
X-Sender: hart@anchovy.orem.iserver.com
To: Alan Batie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000329095845.54716@rdrop.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 29 Mar 2000, Alan Batie wrote:
> To do active mode ftp properly, ipfw would need to parse the contents
> of the packets on the ftp control channel and dynamically allow the
> corresponding incoming connection. There's no indication that this
> parsing capability is present.

I know we're talking about IPFW here, but hasn't IP Filter (also included with FreeBSD) been supporting this very operation for quite a while now? Is there a reason why people would try to hack up IPFW to get it to do something when IP Filter already does it?

The version of IP Filter bundled with FreeBSD has historically lagged the latest releases, so check out:

http://coombs.anu.edu.au/~avalon/

for the newest release. I've been using IP Filter for some time and I've found it to be an excellent piece of software.

Paul Hart

--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/

From owner-freebsd-security Sat Apr 1 7:12:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.mail.yahoo.com (smtp.mail.yahoo.com [128.11.68.32]) by hub.freebsd.org (Postfix) with SMTP id A437237B98C for ; Sat, 1 Apr 2000 07:12:35 -0800 (PST) (envelope-from hbenedict_fbsd@yahoo.com)
Received: from unknown (HELO radiance) (165.21.86.24) by smtp.mail.yahoo.com with SMTP; 1 Apr 2000 07:12:34 -0800
X-Apparently-From:
Message-ID: <200004012214220200.0074F6ED@smtp.mail.yahoo.com>
X-Mailer: Calypso Version 3.00.00.14 (3)
Date: Sat, 01 Apr 2000 22:14:22 +0700
From: "Benedict H"
To: freebsd-questions@freebsd.org
Subject: superuser
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Currently I use FreeBSD 3.3-RELEASE on my machine and I have a problem in creating a non-root user that can have the privilege of superuser (specifically to run adduser).

Thanks,
Benny

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From owner-freebsd-security Sat Apr 1 10:26: 3 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.79.126]) by hub.freebsd.org (Postfix) with ESMTP id 6DC9337B7C3 for ; Sat, 1 Apr 2000 10:25:59 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.79.115]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA27790; Sat, 1 Apr 2000 11:25:56 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id LAA04705; Sat, 1 Apr 2000 11:25:55 -0700 (MST) (envelope-from nate)
Date: Sat, 1 Apr 2000 11:25:55 -0700 (MST)
Message-Id: <200004011825.LAA04705@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Jim Durham
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm looking for some input on how to set up
> FTP through an IPFW firewall so that you don't
> have to run passive mode.
>
> Passive mode makes things like building ports difficult.

Why? I've got it setup that way (been that way for a couple of years), and things work fine. However, I do things a bit 'non-standard', and go hack the sources to both ftp and fetch to make passive mode the default on my boxes. :)

Nate

From owner-freebsd-security Sat Apr 1 10:42: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (roble.com [206.40.34.50]) by hub.freebsd.org (Postfix) with ESMTP id ADA0C37B9AE for ; Sat, 1 Apr 2000 10:41:54 -0800 (PST) (envelope-from sendmail@roble.com)
Received: from roble2.roble.com (roble2.roble.com [206.40.34.52]) by roble.com (Roble1b) with SMTP id KAA28620 for ; Sat, 1 Apr 2000 10:41:55 -0800 (PST)
Date: Sat, 1 Apr 2000 10:41:52 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Passive mode makes things like building ports difficult.

Try adding this to /etc/make.conf:

FTP_PASSIVE_MODE=YES
FETCH_BEFORE_ARGS=-p

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sat Apr 1 10:53:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 927FB37B993 for ; Sat, 1 Apr 2000 10:53:48 -0800 (PST) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id LAA00668; Sat, 1 Apr 2000 11:01:44 -0800 (PST)
Date: Sat, 1 Apr 2000 11:01:44 -0800
From: Andre Gironda
To: Nate Williams
Cc: Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <20000401110144.A319@toaster.sun4c.net>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <200004011825.LAA04705@nomad.yogotech.com>; from Nate Williams on Sat, Apr 01, 2000 at 11:25:55AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

export/setenv http_proxy!

of course, you have to find all of the distfiles manually, since only about 4% of them have an http site to download the source from. it works though, but i doubt it's what you are looking for. i had to do this behind a firewall/proxy architecture that did not allow ftp. why not try fwtk or socks5 or something else?

i do kind of agree though. I like the options in freebsd to install via http_proxy, but i don't think there's an option for ftp_proxy. it all works really well, it just doesn't flow. i guess better integration between ftp and sysinstall and ports would be nice.

also, all these different security models for downloading are interesting.. but what really are the differences? i guess it's just better to support everything than have only one simple way of getting freebsd, freebsd source, and/or ports.

dre

On Sat, Apr 01, 2000 at 11:25:55AM -0700, Nate Williams wrote:
> > I'm looking for some input on how to set up
> > FTP through an IPFW firewall so that you don't
> > have to run passive mode.
> >
> > Passive mode makes things like building ports difficult.
>
> Why? I've got it setup that way (been that way for a couple of years),
> and things work fine. However, I do things a bit 'non-standard', and go
> hack the sources to both ftp and fetch to make passive mode the
> default on my boxes. :)
>
> Nate
>

--
This program has been brought to you by the language C and the number F.
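The control-channel parsing that Alan Batie and Vladimir Mencl describe earlier in the thread, and the reason Nate prefers passive mode, shown in working code. This is an added example, not code from any post here and not libalias(3)'s actual hole-punching code. It assumes a small stateful helper of the kind the thread discusses: it reads the FTP control channel, derives the single data connection a PORT command or a 227 reply implies, and refuses a PORT command whose advertised address is not the client's own or whose port is privileged (the checks that limit the "a link to an ftp site could open a hole" problem Vladimir raises). The transcript, the client address 192.168.7.3 and the server address 10.0.0.10 are constructed for the example.

```python
"""Added example (not from any post in this thread): the control-channel
parsing a firewall helper needs for active-mode FTP, and why passive mode
needs no inbound pinhole.

Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the *server*
connects back to that address/port from its port 20, so the filter must read
the command and open exactly that one inbound pinhole.
Passive mode: the server answers 'PASV' with '227 ... (h1,h2,h3,h4,p1,p2)'
and the *client* connects out; ordinary outbound policy covers it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One data connection the firewall would have to allow."""
    direction: str  # "inbound" (active mode) or "outbound" (passive mode)
    src_ip: str
    dst_ip: str
    dst_port: int


def _decode_h1_h6(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six decimal fields into (dotted address, port)."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("h1-h6 field out of range")
    return ".".join(str(f) for f in fields[:4]), (fields[4] << 8) | fields[5]


def parse_port_command(line: str, client_ip: str, server_ip: str) -> Pinhole:
    """Validate a client PORT command; return the inbound pinhole it needs.

    Raises ValueError for malformed commands and for ones a helper must refuse.
    """
    m = _PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    host, port = _decode_h1_h6(m.groups())
    # Check 1: the address must be the client's own. Anything else would let
    # the control channel aim a connection at a third host behind the firewall
    # (the classic FTP bounce), which is the hole the thread worries about.
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        raise ValueError(f"PORT address {host} does not match client {client_ip}")
    # Check 2: data ports are ephemeral; never open a well-known service port.
    if port < 1024:
        raise ValueError(f"refusing to open privileged port {port}")
    return Pinhole("inbound", src_ip=server_ip, dst_ip=host, dst_port=port)


def parse_pasv_reply(line: str, server_ip: str, client_ip: str) -> Pinhole:
    """Return the outbound connection a 227 reply tells the client to make.

    Conservative choice: the advertised address must be the server the control
    channel is already talking to.
    """
    m = _PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply")
    host, port = _decode_h1_h6(m.groups())
    if ipaddress.ip_address(host) != ipaddress.ip_address(server_ip):
        raise ValueError(f"227 address {host} does not match server {server_ip}")
    return Pinhole("outbound", src_ip=client_ip, dst_ip=host, dst_port=port)


def inspect_session(transcript: List[Tuple[str, str]], client_ip: str,
                    server_ip: str) -> Tuple[List[Pinhole], List[Tuple[str, str]]]:
    """Walk ("C"|"S", line) pairs; return (pinholes to open, (line, reason) refused)."""
    pinholes: List[Pinhole] = []
    rejected: List[Tuple[str, str]] = []
    for side, line in transcript:
        try:
            if side == "C" and line.upper().startswith("PORT "):
                pinholes.append(parse_port_command(line, client_ip, server_ip))
            elif side == "S" and line.startswith("227"):
                pinholes.append(parse_pasv_reply(line, server_ip, client_ip))
        except ValueError as err:
            rejected.append((line, str(err)))
    return pinholes, rejected


# Constructed transcript: a client at 192.168.7.3 behind the firewall talking
# to a server at 10.0.0.10 (both addresses made up for this example).
SAMPLE_CLIENT = "192.168.7.3"
SAMPLE_SERVER = "10.0.0.10"
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your e-mail address as password"),
    ("C", "PASS guest@"),
    ("S", "230 Guest login ok"),
    ("C", "PORT 192,168,7,3,4,1"),    # legitimate: client's own address, port 4*256+1 = 1025
    ("S", "200 PORT command successful"),
    ("C", "PORT 192,168,7,9,4,1"),    # names a third host: must be refused
    ("C", "PORT 192,168,7,3,0,25"),   # privileged port 25: must be refused
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,0,0,10,39,16)"),  # port 39*256+16 = 10000
]

if __name__ == "__main__":
    opened, refused = inspect_session(SAMPLE_SESSION, SAMPLE_CLIENT, SAMPLE_SERVER)
    for p in opened:
        print(f"allow {p.direction}: {p.src_ip} -> {p.dst_ip}:{p.dst_port}")
    for line, why in refused:
        print(f"refuse {line!r}: {why}")
```

Run stand-alone, the two acceptable lines yield one inbound pinhole (server to client port 1025) and one outbound connection (client to server port 10000); the two bad PORT commands are refused with a reason. The passive-mode path is the point of Nate's argument: the data connection leaves in the same direction as the control connection, so on the client side an outbound-only policy already covers it and nothing has to parse the stream.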
From owner-freebsd-security Sat Apr 1 10:56:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.79.126]) by hub.freebsd.org (Postfix) with ESMTP id 0CBC237B5C5 for ; Sat, 1 Apr 2000 10:56:27 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.79.115]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA28053; Sat, 1 Apr 2000 11:56:22 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id LAA04865; Sat, 1 Apr 2000 11:56:21 -0700 (MST) (envelope-from nate)
Date: Sat, 1 Apr 2000 11:56:21 -0700 (MST)
Message-Id: <200004011856.LAA04865@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Andre Gironda
Cc: Nate Williams , Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000401110144.A319@toaster.sun4c.net>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com> <20000401110144.A319@toaster.sun4c.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> export/setenv http_proxy!

Huh?

> of course, you have to find all of the distfiles manually, since only
> about 4% of them have an http site to download the source from.

That's irrelevant. You can still download *ALL* of them via passive-mode ftp. I have yet to find a site that didn't let me download with ftp in passive mode, so if you are *truly* interested in security, then you certainly don't want to open up so people can use active-mode ftp from behind your firewall.

Nate

From owner-freebsd-security Sat Apr 1 11: 8:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 0843537B7C4 for ; Sat, 1 Apr 2000 11:08:22 -0800 (PST) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 12bTFL-000Kzp-00; Sat, 01 Apr 2000 21:07:47 +0200
Date: Sat, 1 Apr 2000 21:07:47 +0200
From: Neil Blakey-Milner
To: Nate Williams
Cc: Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <20000401210746.A80313@mithrandr.moria.org>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <200004011825.LAA04705@nomad.yogotech.com>
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat 2000-04-01 (11:25), Nate Williams wrote:
> > Passive mode makes things like building ports difficult.
>
> Why? I've got it setup that way (been that way for a couple of years),
> and things work fine. However, I do things a bit 'non-standard', and go
> hack the sources to both ftp and fetch to make passive mode the
> default on my boxes. :)

You need only set the environment variable FTP_PASSIVE_MODE these days to get this behaviour.
Neil

--
Neil Blakey-Milner
nbm@rucus.ru.ac.za

From owner-freebsd-security Sat Apr 1 11:10:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.79.126]) by hub.freebsd.org (Postfix) with ESMTP id 581B937BA79 for ; Sat, 1 Apr 2000 11:10:53 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.79.115]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA28203; Sat, 1 Apr 2000 12:10:45 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id MAA05897; Sat, 1 Apr 2000 12:10:43 -0700 (MST) (envelope-from nate)
Date: Sat, 1 Apr 2000 12:10:43 -0700 (MST)
Message-Id: <200004011910.MAA05897@nomad.yogotech.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Neil Blakey-Milner
Cc: Nate Williams , Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <20000401210746.A80313@mithrandr.moria.org>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com> <20000401210746.A80313@mithrandr.moria.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Passive mode makes things like building ports difficult.
> >
> > Why? I've got it setup that way (been that way for a couple of years),
> > and things work fine. However, I do things a bit 'non-standard', and go
> > hack the sources to both ftp and fetch to make passive mode the
> > default on my boxes. :)
>
> You need only set the environment variable FTP_PASSIVE_MODE these days
> to get this behaviour.

Like I said, rather than mess with the environment, I just make it the default. Too often the users don't have it set, so by making it the default everything 'Just Works'.

Nate

From owner-freebsd-security Sat Apr 1 11:14:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id A458237C35D for ; Sat, 1 Apr 2000 11:14:03 -0800 (PST) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 12bTKw-000L1e-00; Sat, 01 Apr 2000 21:13:34 +0200
Date: Sat, 1 Apr 2000 21:13:34 +0200
From: Neil Blakey-Milner
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <20000401211334.B80313@mithrandr.moria.org>
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com> <20000401210746.A80313@mithrandr.moria.org> <200004011910.MAA05897@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
In-Reply-To: <200004011910.MAA05897@nomad.yogotech.com>
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat 2000-04-01 (12:10), Nate Williams wrote:
> > You need only set the environment variable FTP_PASSIVE_MODE these days
> > to get this behaviour.
>
> Like I said, rather than mess with the environment, I just make it the
> default. Too often the users don't have it set, so by making it the
> default everything 'Just Works'.

Ah. In that case, login.conf is probably what people should use. In fact, these days it is already set in login.conf.
Neil

--
Neil Blakey-Milner
nbm@rucus.ru.ac.za

From owner-freebsd-security Sat Apr 1 11:27:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from web1005.mail.yahoo.com (web1005.mail.yahoo.com [128.11.23.95]) by hub.freebsd.org (Postfix) with SMTP id A95D237B7C4 for ; Sat, 1 Apr 2000 11:27:33 -0800 (PST) (envelope-from binxist@yahoo.com)
Received: (qmail 1665 invoked by uid 60001); 1 Apr 2000 19:27:32 -0000
Message-ID: <20000401192732.1664.qmail@web1005.mail.yahoo.com>
Received: from [216.165.152.43] by web1005.mail.yahoo.com; Sat, 01 Apr 2000 11:27:32 PST
Date: Sat, 1 Apr 2000 11:27:32 -0800 (PST)
From: Russell Frame
Subject: Re: FTP with firewall rules
To: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

/etc/rc.local

FTP_PASSIVE_MODE="YES"
export FTP_PASSIVE_MODE

There, users don't have to worry about setting this up and no need to recompile. Netscape, ftp, ports, whatever....work. Couldn't be simpler.

- Russell C. Frame

> Like I said, rather than mess with the environment, I just make it the
> default. Too often the users don't have it set, so by making it the
> default everything 'Just Works'.
>
>
> Nate
>

From owner-freebsd-security Sat Apr 1 12:13:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from europe.std.com (europe.std.com [199.172.62.20]) by hub.freebsd.org (Postfix) with ESMTP id A525A37B664 for ; Sat, 1 Apr 2000 12:13:09 -0800 (PST) (envelope-from lowell@world.std.com)
Received: from world.std.com (lowell@world-f.std.com [199.172.62.5]) by europe.std.com (8.9.3/8.9.3) with ESMTP id PAA06541; Sat, 1 Apr 2000 15:13:07 -0500 (EST)
Received: (from lowell@localhost) by world.std.com (8.9.3/8.9.3) id PAA02447; Sat, 1 Apr 2000 15:13:03 -0500 (EST)
To: "Adam Woodbeck (KEYKERTUSA)" , freebsd-security@freebsd.org
Reply-To: freebsd-security@freebsd.org
Subject: Re: Firewall rules for an internet FTP server?
References: <0039010010682121000002L112*@MHS>
From: Lowell Gilbert
Date: 01 Apr 2000 15:13:03 -0500
In-Reply-To: "Adam Woodbeck's message of Fri, 31 Mar 2000 10:55:59 -0500
Message-ID:
Lines: 23
X-Mailer: Gnus v5.5/Emacs 20.2
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Adam Woodbeck (KEYKERTUSA)" writes:
> I'm putting an ftp server online soon and I'm wanted to get your input on what
> ports you suggest I open up to the Internet. I have the firewall set up to use
> the "client" configuration. I've added a few lines to open up FTP to the
> Internet as well as allow other services to my local network. I've also added
> what I think will allow me to update the FTP server through CVS. Does anyone
> suggest I change anything on this configuration or does it look pretty complete?
> Thanks for the help!

It looks pretty good from a quick eyeballing, but that's no guarantee.

However, some of the rules are redundant. Although this isn't necessarily a problem, it does make everything a little slower.
If you start having problems with the CPU load on the machine (or the latency in the NAT/router machine), you might want to tune it a bit for speed. Specifically, putting the rule that allows the "established" TCP connections earlier in the ruleset (and maybe even doing the same with the one that allows all outgoing TCP setups) would make this a lot more efficient. Don't worry much about efficiency unless you know it's a problem, though.

Be well.

From owner-freebsd-security Sat Apr 1 14:31: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 28F5D37BCE6 for ; Sat, 1 Apr 2000 14:31:06 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id PAA81053; Sat, 1 Apr 2000 15:31:04 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id PAA48314; Sat, 1 Apr 2000 15:30:31 -0700 (MST)
Message-Id: <200004012230.PAA48314@harmony.village.org>
To: nate@yogotech.com (Nate Williams)
Subject: Re: FTP with firewall rules
Cc: Jim Durham , freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 01 Apr 2000 11:25:55 MST." <200004011825.LAA04705@nomad.yogotech.com>
References: <200004011825.LAA04705@nomad.yogotech.com> <38E159DF.3D7E5DF6@w2xo.pgh.pa.us>
Date: Sat, 01 Apr 2000 15:30:31 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200004011825.LAA04705@nomad.yogotech.com> Nate Williams writes:
: Why? I've got it setup that way (been that way for a couple of years),
: and things work fine. However, I do things a bit 'non-standard', and go
: hack the sources to both ftp and fetch to make passive mode the
: default on my boxes. :)

I have had the following in my /etc/make.conf for a very long time:

FETCH_CMD=runsocks ftp -p
FETCH_BEFORE_ARGS=
FETCH_AFTER_ARGS=

But I do have to sometimes hack port Makefiles that set before/after args...

Like Nate said. What's the problem with passive mode? I'm doing it over socks, which adds a whole layer of added complexity.

Warner

From owner-freebsd-security Sat Apr 1 15: 2:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 2230937BC43 for ; Sat, 1 Apr 2000 15:02:33 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1600 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sat, 1 Apr 2000 17:02:18 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Sat, 1 Apr 2000 17:02:17 -0600 (CST)
From: James Wyatt
To: Nate Williams
Cc: Andre Gironda , Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
In-Reply-To: <200004011856.LAA04865@nomad.yogotech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 1 Apr 2000, Nate Williams wrote:
> > export/setenv http_proxy!
>
> Huh?
>
> > of course, you have to find all of the distfiles manually, since only
> > about 4% of them have an http site to download the source from.
>
> That's irrelevant. You can still download *ALL* of them via
> passive-mode ftp.
> I have yet to find a site that didn't let me download
> with ftp in passive mode, so if you are *truly* interested in security,
> then you certainly don't want to open up so people can use active-mode
> ftp from behind your firewall.

Andre said his was a special case and that "it works though, but i doubt it's what you are looking for. i had to do this behind a firewall/proxy architecture that did not allow ftp." I took it to mean "*he* *has* to use HTTP to fetch because his firewall doesn't support *any* ftp" and that if there is some problem with active FTP it might still work.

- Jy@

From owner-freebsd-security Sat Apr 1 16: 9: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (ipl-229-039.npt-sdsl.stargate.net [208.223.229.39]) by hub.freebsd.org (Postfix) with ESMTP id 8ABC337BCE8 for ; Sat, 1 Apr 2000 16:09:02 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.w2xo.pgh.pa.us [192.168.5.3]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id AAA98277; Sun, 2 Apr 2000 00:08:10 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <38E68F70.128DDBFB@w2xo.pgh.pa.us>
Date: Sat, 01 Apr 2000 19:08:16 -0500
From: Jim Durham
Organization: dis-
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
References: <38E159DF.3D7E5DF6@w2xo.pgh.pa.us> <200004011825.LAA04705@nomad.yogotech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
>
> > I'm looking for some input on how to set up
> > FTP through an IPFW firewall so that you don't
> > have to run passive mode.
> >
> > Passive mode makes things like building ports difficult.
>
> Why? I've got it setup that way (been that way for a couple of years),
> and things work fine. However, I do things a bit 'non-standard', and go
> hack the sources to both ftp and fetch to make passive mode the
> default on my boxes. :)
>
> Nate

Did that once. Then you have to do it with every upgrade.

--
Jim Durham

From owner-freebsd-security Sat Apr 1 16:12: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (ipl-229-039.npt-sdsl.stargate.net [208.223.229.39]) by hub.freebsd.org (Postfix) with ESMTP id 489A337BD0A for ; Sat, 1 Apr 2000 16:11:59 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us)
Received: from w2xo.pgh.pa.us (shazam.w2xo.pgh.pa.us [192.168.5.3]) by w2xo.pgh.pa.us (8.9.3/8.9.3) with ESMTP id AAA98296; Sun, 2 Apr 2000 00:11:54 GMT (envelope-from durham@w2xo.pgh.pa.us)
Message-ID: <38E69050.362142E3@w2xo.pgh.pa.us>
Date: Sat, 01 Apr 2000 19:12:00 -0500
From: Jim Durham
Organization: dis-
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roger Marquis wrote:
>
> > Passive mode makes things like building ports difficult.
>
> Try adding this to /etc/make.conf:
>
> FTP_PASSIVE_MODE=YES
> FETCH_BEFORE_ARGS=-p
>
> --
>

This is a good tip. Thanks. I will probably do this, but I was just hoping that someone had a rule set that would be relatively secure (I realize there is no absolute here). About all I've been able to accomplish is to put the rule late in the rule set so that a lot of things are disallowed beforehand.

Jim Durham

From owner-freebsd-security Sat Apr 1 20: 0:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id ABAD737B9A6 for ; Sat, 1 Apr 2000 20:00:11 -0800 (PST) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3+openldap/8.9.3) id UAA00960; Sat, 1 Apr 2000 20:08:28 -0800 (PST)
Date: Sat, 1 Apr 2000 20:08:28 -0800
From: Andre Gironda
To: James Wyatt
Cc: Nate Williams , Andre Gironda , Jim Durham , freebsd-security@FreeBSD.ORG
Subject: Re: FTP with firewall rules
Message-ID: <20000401200828.B319@toaster.sun4c.net>
References: <200004011856.LAA04865@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: ; from James Wyatt on Sat, Apr 01, 2000 at 05:02:17PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yes, that's exactly it. Piercing firewalls is not always as simple as passive vs active ftp. Proxies are a great idea in most cases, although I think they're a bit restrictive. But then again, do you really want people using programs like httptunnel and creating a potential security problem? Have you seen http://www.detached.net/mailtunnel.html ? Guess that means that UUCP mail through a dial up connection isn't really that bad of an idea. Controlling what data is *really* going through your network is more complex than you think. Especially in this day and age.

dre

On Sat, Apr 01, 2000 at 05:02:17PM -0600, James Wyatt wrote:
> On Sat, 1 Apr 2000, Nate Williams wrote:
> > > export/setenv http_proxy!
> >
> > Huh?
> >
> > > of course, you have to find all of the distfiles manually, since only
> > > about 4% of them have an http site to download the source from.
> >
> > That's irrelevant.
You can still download *ALL* of them via > > passive-mode ftp. I have yet to find a site that didn't let me download > > with ftp in passive mode, so if you are *truly* interested in security, > > then you certainly don't want to open up so people can use active-mode > > ftp from behind your firewall. > > Andre said his was a special case and that "it works though, but i doubt > it's what you are looking for. i had to do this behind a firewall/proxy > architecture that did not allow ftp." > > I took it to mean "*he* *has* to use HTTP to fetch because his firewall > doesn't support *any* ftp" and that if there is some problem with active > FTP it might still work. - Jy@ -- This program has been brought to you by the language C and the number F. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 1 22:41: 4 2000 Delivered-To: freebsd-security@freebsd.org Received: from hydrant.intranova.net (hydrant.ncw.qc.ca [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 3556C37B5A9 for ; Sat, 1 Apr 2000 22:40:47 -0800 (PST) (envelope-from oogali@intranova.net) Received: (qmail 7433 invoked from network); 2 Apr 2000 06:44:10 -0000 Received: from localhost.abuselabs.com (HELO localhost) (missnglnk@127.0.0.1) by localhost.abuselabs.com with SMTP; 2 Apr 2000 06:44:10 -0000 Date: Sun, 2 Apr 2000 01:44:10 -0500 (EST) From: Omachonu Ogali To: Nate Williams Cc: Jim Durham , freebsd-security@FreeBSD.ORG Subject: Re: FTP with firewall rules In-Reply-To: <200004011825.LAA04705@nomad.yogotech.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Why hack FTP when you can use 'pftp', why hack 'fetch' when you can set the environment variable for passive mode...just thought you'd like to know. 
On Sat, 1 Apr 2000, Nate Williams wrote: > > I'm looking for some input on how to set up > > FTP through an IPFW firewall so that you don't > > have to run passive mode. > > > > Passive mode makes things like building ports difficult. > > Why? I've got it setup that way (been that way for a couple of years), > and things work fine. However, I do things a bit 'non-standard', and go > hack the sources to both ftp and fetch to make passive mode the > default on my boxes. :) > > > > Nate > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- +-------------------------------------------------------------------------+ | Omachonu Ogali oogali@intranova.net | | Intranova Networking Group http://tribune.intranova.net | | PGP Key ID: 0xBFE60839 | | PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34 | +-------------------------------------------------------------------------+ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
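The thread above turns on one mechanical fact: in active mode the FTP server opens the data connection back into the client (from port 20 to a high port the client named in PORT), while in passive mode the client opens it outward to a port the server named in its 227 reply, so only active mode forces the firewall to admit inbound SYNs. The script below is an added example, not code posted by anyone in the thread. It parses two constructed control-channel transcripts, works out who connects to whom for each mode, refuses a PORT that names a third host (the classic FTP bounce), and prints both the per-connection rule and the standing rule set a firewall would need, in classic one-line ipfw syntax. The inside network 192.168.5.0/24, the server address 198.51.100.7 and the transcripts themselves are assumptions made for the example.

```python
"""Active vs. passive FTP as seen from an ipfw packet filter.

Added example for the freebsd-security thread, not code from any poster.
Transcripts, addresses and the inside network are constructed.
"""
import re
from dataclasses import dataclass

INSIDE_NET = "192.168.5.0/24"   # assumed client-side network behind the firewall
FTP_CTRL_PORT = 21
FTP_ACTIVE_DATA_PORT = 20       # RFC 959: in active mode the server connects from port 20

# Constructed transcripts ("C" = client line, "S" = server line).
ACTIVE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS ports@example"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,168,5,3,4,1"),           # client asks the server to connect to 192.168.5.3:1025
    ("S", "200 PORT command successful."),
    ("C", "RETR distfile.tar.gz"),
]
PASSIVE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS ports@example"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,39,16)"),   # server listens on 198.51.100.7:10000
    ("C", "RETR distfile.tar.gz"),
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataConnection:
    mode: str       # "active" or "passive"
    src_host: str   # the side that sends the SYN
    src_port: str   # "20" for active, "any" (ephemeral) for passive
    dst_host: str
    dst_port: int


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by both PORT and the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError("no host/port tuple in: %r" % text)
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        raise ValueError("octet out of range in: %r" % text)
    return "%d.%d.%d.%d" % tuple(v[:4]), v[4] * 256 + v[5]


def data_connection(session, client_ip, server_ip):
    """Walk a control-channel transcript and return the data connection it sets up."""
    for who, line in session:
        if who == "C" and line.upper().startswith("PORT "):
            host, port = decode_hostport(line)
            # A PORT naming anyone but the client is an FTP bounce; a sane filter rejects it.
            if host != client_ip:
                raise ValueError("PORT names %s, not the client %s" % (host, client_ip))
            # Active: the server connects *in* to the client, from port 20.
            return DataConnection("active", server_ip, str(FTP_ACTIVE_DATA_PORT), host, port)
        if who == "S" and line.startswith("227 "):
            host, port = decode_hostport(line)
            # Passive: the client connects *out* to the port the server opened.
            return DataConnection("passive", client_ip, "any", host, port)
    raise ValueError("transcript sets up no data connection")


def ipfw_rule(conn):
    """Classic ipfw(8) one-line rule admitting the SYN of this particular data connection."""
    if conn.mode == "passive":
        return "add allow tcp from %s to %s %d setup" % (INSIDE_NET, conn.dst_host, conn.dst_port)
    return "add allow tcp from %s %s to %s %d setup" % (
        conn.src_host, conn.src_port, conn.dst_host, conn.dst_port)


def static_ipfw_rules(mode):
    """Standing rules so clients on INSIDE_NET can use the given FTP mode.

    The active-mode variant is the hole the thread argues about: any host can
    set its source port to 20 and the rule then admits its SYN to every high
    port on every inside machine.
    """
    rules = [
        "add allow tcp from any to any established",
        "add allow tcp from %s to any %d setup" % (INSIDE_NET, FTP_CTRL_PORT),
    ]
    if mode == "passive":
        rules.append("add allow tcp from %s to any 1024-65535 setup" % INSIDE_NET)
    else:
        rules.append("add allow tcp from any %d to %s 1024-65535 setup" % (FTP_ACTIVE_DATA_PORT, INSIDE_NET))
    return rules


if __name__ == "__main__":
    for name, sess in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        c = data_connection(sess, "192.168.5.3", "198.51.100.7")
        print(name, c, "\n  per-connection:", ipfw_rule(c))
        for r in static_ipfw_rules(name):
            print("  standing:", r)
```

Comparing the two standing rule sets is the whole argument in miniature: the passive set only ever permits SYNs leaving the inside network, whereas the active set must accept a SYN from an untrusted source address to an unpredictable inside port, keyed on nothing stronger than a source port the remote end chooses for itself. That is why the make.conf settings quoted in the thread (FTP_PASSIVE_MODE=YES, or passing -p to ftp and fetch) are the fix that removes a rule rather than one that tunes it.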