From owner-freebsd-security Sun Jun 10 07:57:06 2001
Date: Sun, 10 Jun 2001 16:57:18 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Glen Foster
Cc: security@freebsd.org
Subject: Re: Q: suiddir on ~ftp/incoming?
Message-ID: <20010610165718.D80709@mail.webmonster.de>
In-Reply-To: <15138.23131.648658.477266@audio.gfoster.com>; from gfoster@gfoster.com on Sat, Jun 09, 2001 at 01:18:19PM -0400

If you need an incoming directory, thinking about mode 0333 is way okay; you should consider writing the files themselves mode 0000 and changing them later when moving them out of incoming and into place. This quenches the w4r3z d00dz pretty effectively.

/k

Glen Foster(gfoster@gfoster.com)@2001.06.09 13:18:19 +0000:
> Standard ftpd on a not-so-old 4.3-S. With the less-than-sterling
> record of more featureful FTP servers, I'd like to find a way to stick
> with old faithful.
>
> Is it a bad idea to make a directory, ~ftp/incoming, with perms=5333,
> on an anonymous FTP server as a "dropbox" for uploading? No untrusted
> shell accounts on the machine in question.
>
> As most who try to provide drop boxes discover, warez d00dz quickly
> find them and manage to fill them up with bit strings that, according
> to some, are worth billions of dollars each and every year.
> They do
> this by the mechanism of creating a directory that is owned by "ftp,"
> with which and in they can play their little games at will.
>
> The intention is, by enforcing suiddir, the directories and files they
> create won't be listable, thus removing much of the raison d'etre for
> their creation.
>
> Of course, the "filler" will still be able to write, fill up the disk,
> etc. but the hordes who follow after will be dissuaded and not consume
> all your mbufs with their requests.
>
> Anybody done this? Results over time?
>
> Yes, it is a form of STO easily defeated by miscreants keeping a
> directory of uploaded files and sharing it with customers. But, in
> practice, is it worthwhile to do?
>
> Any insight would be appreciated,
> Glen Foster
>
> --
> A Puritan is someone who is deathly afraid that someone, somewhere, is
> having fun.

-- 
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jun 11 03:06:29 2001
Message-ID: <002f01c0f25e$a41a5290$0100c8c8@co3018900a>
From: "educatee2001" <educatee2001@yahoo.com>
To: "FreeBSD security"
Subject: Do you know any open source software which can do these security protection?
Date: Mon, 11 Jun 2001 20:09:44 +1000

I wonder if there is any open source software that can run in FreeBSD and could do something like the following. I appreciate your recommendation as I am new in the BSD world.

1. Software that allows you to grant or deny access to any software that attempts to use your internet connection. You can build a list of trusted applications or specify which programs will have to ask permission every time they attempt to connect.

2. A warning security system that monitors the TCP/IP ports on your computer and gives an alert when it detects a connection. A TCP/UDP port listener. It resolves the IP address of the remote system, via a domain name server, whether you are on the Internet or on a corporate network. It logs the date, time, IP address, port number and host used by anyone trying to get into your system.

3. Software that allows one to manage the ports to open/close in FreeBSD. Say if I need to open a certain port in BSD for a third party program, how can I do so?

I appreciate your idea on this. Thank you.
From owner-freebsd-security Mon Jun 11 03:19:23 2001
Date: Mon, 11 Jun 2001 13:19:01 +0300
From: Nevermind <never@uic-in.net>
Organization: UIC Group
Message-ID: <148140566704.20010611131901@uic-in.net>
To: "educatee2001"
Cc: "FreeBSD security"
Subject: Re: Do you know any open source software which can do these security protection?
In-Reply-To: <002f01c0f25e$a41a5290$0100c8c8@co3018900a>

e> I wonder if there is any software in open source and can run in FreeBSD
e> which could do something like the following. I appreciate your recommendation
e> as I am new in BSD world.

e> 2. Warning security system to monitors the TCP/IP ports on your computer and
e> gives an alert when it detects a connection. A TCP/UDP port listener. It
e> resolves the IP Address of the remote system, via a domain name server,
e> whether you are on the Internet or on a Corporate Network. It logs the date,
e> time, IP address, port number and host used by anyone trying to get into
e> your system

/usr/ports/security/snort

e> 3. Software that allow one to manage the ports to open/close in FreeBSD. Say
e> if I need to open certain port in BSD for third party program, how can I do
e> so?

You need to use standard FreeBSD's ipfw. To enable it you should add the following lines to your kernel config:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100

and recompile and install the new kernel. Be careful, because the default rule for IPFW is "deny ip from any to any", so you should make your ipfw rule list before you reboot your computer. At least add as rule number 100 "allow ip from any to any".
This could be done by setting

    firewall_enable="YES"
    firewall_type="open"

in your /etc/rc.conf. After building and installing the new kernel (you can find how to do it in the handbook) and setting the above variables in /etc/rc.conf, reboot your computer with the new kernel and then start playing with different allow/pass/deny/reject rules in ipfw. man ipfw

-- 
Nevermind mailto:never@uic-in.net

From owner-freebsd-security Mon Jun 11 07:47:46 2001
From: "Robin Huiser" <robin@bequbed.com>
Subject: FW: ipfw, natd and routing question
Date: Mon, 11 Jun 2001 16:47:29 +0200

Hi all,

I hope someone can help me with this problem I'm trying to solve. I think the answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                -- DMZ
               /
EXT--FIREWALL---
               \
                -- LAN

- The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
- The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
- The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet.
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet.

So far, so good.

But... how do I prevent the NAT from 'translating' the IP addresses when a session is set up from the DMZ segment to a host somewhere on the Internet? I want all traffic to be routed from the DMZ subnet to the Internet...

I've tried to alter the natd rule, without any success. The rules I tried didn't work or had bad side effects, so I moved back to the standard natd rule, but everything gets NAT-ed now...

Some examples I tried:

    #
    # The rule below works, but it causes TCP/IP timeouts and a *very* slow
    # connection between the DMZ and EXT subnets...
    #
    ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

    #
    # The rule below doesn't work at all (?) Don't know why...
    #
    ${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}

Please advise...

Cheers
--
Robin

Robin Huiser      robin@bequbed.com
BeQubed N.V.      http://www.bequbed.com
Veenwal 130       tel: +31 (30) 6023 626 (OFFICE)
3432 ZE           +31 (6) 2061 9842 (MOBILE)
Nieuwegein        fax: +31 (30) 6586 090
The Netherlands
From owner-freebsd-security Mon Jun 11 08:02:09 2001
Date: Mon, 11 Jun 2001 17:00:53 +0200
From: Matteo <drummino@yahoo.com>
To: Robin Huiser
Cc: security@freebsd.org
Subject: Re: FW: ipfw, natd and routing question
Message-ID: <20010611170053.A356@pippo.dada.it>
In-Reply-To: from Robin Huiser on Mon, Jun 11, 2001 at 04:47:29PM +0200

On Mon, Jun 11, 2001 at 04:47:29PM +0200, Robin Huiser wrote:
> -The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
> -The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
> -The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

> But... how do I prevent the NAT to 'translate' the IP addresses when a
> session is set up from the DMZ segment to a host somewhere on the Internet?
> I want all traffic to be routed from the DMZ subnet to the Internet...

Try with:

    ipfw add xxxxx fwd extinterface all from x.x.242.48/240 to any

options IPFIREWALL_FORWARD in kernel. This rule must come before the divert natd rules.

Bye.

From owner-freebsd-security Mon Jun 11 09:08:03 2001
Date: Mon, 11 Jun 2001 16:49:35 +0100 (BST)
From: rich@rdrose.org
To: educatee2001
Cc: FreeBSD security
Subject: Re: Do you know any open source software which can do these security protection?
In-Reply-To: <002f01c0f25e$a41a5290$0100c8c8@co3018900a>

> 1. Software that allows you you grant or deny access to any software that
> ...

Shouldn't TrustedBSD handle this?

> 2. Warning security system to monitors the TCP/IP ports on your computer and
> ...
> your system

Snort, from the ports tree. I have also found the #snort IRC channel on OpenProjects to be helpful.

> 3. Software that allow one to manage the ports to open/close in FreeBSD. Say
> ...
> so?

ipf or ipfw firewalling, which comes as standard.

rik

From owner-freebsd-security Mon Jun 11 11:08:29 2001
From: "Randy Danielson" <randyd@active-c.com>
To: "FreeBSD Security"
Subject: IPFW question - connections to port 80 out are being denied
Date: Mon, 11 Jun 2001 11:04:44 -0700

Hello,

FreeBSD 4.3-stable, Intel 486 DX2-66

I have been working on setting up a firewall using IPFW. I have several machines behind the firewall that need to have access to the net. My main issue is I do not understand why I am getting so many deny messages in my logs. Here are some of the errors I am getting:

Jun 11 09:07:56 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1
Jun 11 09:07:57 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:05 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1289 64.242.116.9:80 out via fxp1
Jun 11 09:08:05 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1288 64.242.116.7:80 out via fxp1
Jun 11 09:08:07 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1287 64.242.116.7:80 out via fxp1
Jun 11 09:08:07 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1285 64.242.116.7:80 out via fxp1
Jun 11 09:08:15 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:15 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1
Jun 11 09:08:32 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1289 64.242.116.9:80 out via fxp1
Jun 11 09:08:32 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1288 64.242.116.7:80 out via fxp1
Jun 11 09:08:35 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1287 64.242.116.7:80 out via fxp1
Jun 11 09:08:36 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1380 64.242.116.7:80 out via fxp1
Jun 11 09:08:36 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1285 64.242.116.7:80 out via fxp1
Jun 11 09:08:47 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1378 64.242.116.7:80 out via fxp1
Jun 11 09:08:47 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1379 64.242.116.7:80 out via fxp1
Jun 11 09:08:51 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1284 64.242.116.7:80 out via fxp1
Jun 11 09:08:52 active-c /kernel: ipfw: 10000 Deny TCP 63.229.139.185:1290 64.242.116.9:80 out via fxp1

It would appear that my firewall machine is trying to make connections going out to port 80 on several different IP addresses and it is being denied. The part that confuses me is that I am able to browse the web from machines behind the firewall, and I have rules that allow making connections out and then established connections to come back in. So what is going on?
Here is my current rule set (if you notice anything I have done that leaves me vulnerable please let me know):

00101 divert 8668 ip from any to any via fxp1
00200 allow ip from any to any via lo0
00300 deny ip from any to 127.0.0.0/8
00400 deny ip from 127.0.0.0/8 to any
00500 deny log logamount 100 ip from 192.168.0.0/24 to any in recv fxp1
00501 deny log logamount 100 ip from 63.229.139.144:255.255.255.148 to any in recv fxp0
01000 allow ip from any to any via fxp0
01200 allow tcp from any to 63.229.139.185 80
01201 allow tcp from 63.229.139.185 80 to any
01202 allow tcp from 63.229.139.185 80 to any out xmit fxp1
02000 allow tcp from 198.36.160.1 53 to any in recv fxp1
02010 allow tcp from 204.147.80.5 53 to any in recv fxp1
02020 allow udp from 198.36.160.1 53 to any in recv fxp1
02030 allow udp from 204.147.80.5 53 to any in recv fxp1
02100 allow icmp from 198.36.160.1 to any in recv fxp1
02110 allow icmp from 204.147.80.5 to any in recv fxp1
02200 allow ip from 63.229.139.185 to 198.36.160.1
02210 allow ip from 63.229.139.185 to 198.36.160.2
02220 allow ip from 63.229.139.185 to 198.36.160.3
02230 allow ip from 63.229.139.185 to 198.36.160.4
02240 allow ip from 63.229.139.185 to 198.36.160.5
02250 allow ip from 198.36.160.1 to 63.229.139.185
02260 allow ip from 198.36.160.2 to 63.229.139.185
02270 allow ip from 198.36.160.3 to 63.229.139.185
02280 allow ip from 198.36.160.4 to 63.229.139.185
02290 allow ip from 198.36.160.5 to 63.229.139.185
02291 allow tcp from any to 207.225.159.6 119 out
02291 allow tcp from any to 207.225.159.8 119 out
02400 allow ip from 63.229.139.185 to 64.173.56.98
02500 allow tcp from 64.173.56.98 20 to 192.168.0.2
03000 check-state
03100 allow tcp from any to any in established
03200 allow tcp from any to any keep-state out setup
03500 allow udp from any to any out
10000 deny log logamount 100 ip from any to any
65535 deny ip from any to any

Thanks in advance for any assistance.
Randy

From owner-freebsd-security Mon Jun 11 11:35:37 2001
Message-ID: <3B250F5B.5D8A576E@globalstar.com>
Date: Mon, 11 Jun 2001 11:35:07 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
To: Robin Huiser
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FW: ipfw, natd and routing question

Robin Huiser wrote:
>
> Hi all,
>
> I hope someone can help me with this problem I'm trying to solve. I think
> the answer is trivial, but so far I 'm stuck.
>
> Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:
>
>                 -- DMZ
>                /
> EXT--FIREWALL---
>                \
>                 -- LAN
>
> -The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
> -The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
> -The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24
>
> I use NAT to 'route' traffic from the LAN to the Internet
> I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet
>
> So far, so good.
>
> But... how do I prevent the NAT to 'translate' the IP addresses when a
> session is set up from the DMZ segment to a host somewhere on the Internet?
> I want all traffic to be routed from the DMZ subnet to the Internet...
>
> I've tried to alter the natd rule, without any success.
> The rules I tried didn't work or had bad side effects, so I moved back to
> the standard natd rule, but everything gets NAT-ed now...
>
> Some examples I tried:
>
> #
> # The rule below works, but the it causes TCP/IP timeouts and a *very* slow
> # connection between the DMZ and EXT subnets...
> #
> ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any
> via ${natd_interface}

This should really work. I do not understand why it would slow things down. Is it having bad interactions with other rules?
Traffic coming out of your extranet does not go through natd(8). The return traffic does go through natd(8), but since there is no entry in the NAT table generated by outgoing traffic, the packets are not modified. Is your NAT table _huge?_ I would expect other performance issues if this rule made trouble because of that.

> #
> # The rule below doesn't work at all (?) Don't know why...
> #
> ${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via
> ${natd_interface}
>
> Please advise...

This one will not work since packets coming back from the Internet do not get run through natd(8).

However, the easiest thing to do is probably to put all of your rules that apply to traffic to and from your extranet _before_ the divert(4) rule. Depending on performance issues, this approach may be good (most of your traffic is from the extranet), bad (most traffic is from the private network), or not matter (if your firewall machine is over-powered for the job, who cares, go with what is easiest to administrate).

-- 
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926
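As an added illustration (not code from the thread or from FreeBSD), the Python below is a miniature first-match evaluator for the ipfw rule subsets discussed in this thread. It shows the ordering point above, that a DMZ pass rule placed before the divert rule keeps DMZ traffic away from natd, and, for the fxp0/fxp1 rule set posted earlier, which rule an outbound TCP packet reaches when it is a SYN, when dynamic state already exists, and when it is neither (a packet parsed from one of the logged deny lines). The 203.0.113.0/24 block and the ext0 interface name are constructed stand-ins for the x.x.242.x addresses, and natd's address rewriting itself is not modelled.

```python
# Added example (not code from the thread or from FreeBSD): a miniature first-match evaluator for a
# subset of ipfw(8) syntax.  natd's rewriting is not modelled, only whether a divert rule saw the packet.
import ipaddress
from collections import namedtuple
KEYWORDS = {"to", "in", "out", "via", "recv", "xmit", "setup", "established", "keep-state"}
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn ack", defaults=(False, False))

def addr_match(spec, addr):
    """Match 'any', 'a.b.c.d', 'a.b.c.d/bits' or 'a.b.c.d:mask' (ipfw accepts non-contiguous masks)."""
    if spec == "any":
        return True
    net, _, m = spec.replace("/", ":").partition(":")
    if not m:
        mask = 0xFFFFFFFF
    elif "." in m:
        mask = int(ipaddress.ip_address(m))                    # dotted mask such as 255.255.255.148
    else:
        mask = (0xFFFFFFFF << (32 - int(m))) & 0xFFFFFFFF       # prefix length
    return ((int(ipaddress.ip_address(addr)) ^ int(ipaddress.ip_address(net))) & mask) == 0

def parse_rule(text):
    """'NUM action [log [logamount N]] [port|addr] proto from SRC [ports] to DST [ports] [options]'."""
    t = text.split()
    r = dict(num=int(t[0]), action=t[1], proto="ip", src="any", sports=set(), dst="any", dports=set(),
             dir=None, via=None, recv=None, xmit=None, setup=False, established=False, keep_state=False)
    if r["action"] == "check-state":
        return r
    i = 3 if r["action"] in ("divert", "fwd") else 2           # skip the divert port / forward address
    while t[i] in ("log", "logamount"):
        i += 2 if t[i] == "logamount" else 1
    r["proto"], i = t[i], i + 1
    for side, ports in (("src", "sports"), ("dst", "dports")):
        r[side], i = t[i + 1], i + 2                            # t[i] is 'from' or 'to'
        if i < len(t) and t[i] not in KEYWORDS:
            r[ports], i = {int(p) for p in t[i].split(",")}, i + 1
    while i < len(t):
        if t[i] in ("via", "recv", "xmit"):
            r[t[i]], i = t[i + 1], i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        else:
            r[t[i].replace("-", "_")], i = True, i + 1          # setup / established / keep-state
    return r

def matches(r, p):
    return all([
        r["proto"] in ("ip", "all", p.proto),
        addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst),
        not r["sports"] or p.sport in r["sports"], not r["dports"] or p.dport in r["dports"],
        r["dir"] in (None, p.direction), r["via"] in (None, p.iface),
        not r["recv"] or (p.direction, p.iface) == ("in", r["recv"]),
        not r["xmit"] or (p.direction, p.iface) == ("out", r["xmit"]),
        not r["setup"] or (p.syn and not p.ack), not r["established"] or p.ack,  # SYN-only / ACK set
    ])

def evaluate(rules, p, state):
    """First match wins. Returns (rule number, verdict, diverted); `state` is the dynamic-rule table."""
    fwd, rev = (p.proto, p.src, p.sport, p.dst, p.dport), (p.proto, p.dst, p.dport, p.src, p.sport)
    diverted = False
    for r in map(parse_rule, rules):
        if r["action"] == "check-state":
            if fwd in state:                                    # flow created earlier by keep-state
                return state[fwd], "allow", diverted
        elif matches(r, p):
            if r["action"] == "divert":
                diverted = True                                 # natd would rewrite and reinject here
            elif r["action"] in ("allow", "pass", "accept"):
                if r["keep_state"]:
                    state[fwd] = state[rev] = r["num"]
                return r["num"], "allow", diverted
            else:
                return r["num"], r["action"], diverted          # deny, fwd, ...
    return 65535, "deny", diverted

def packet_from_log(line):
    """'... ipfw: 10000 Deny TCP A:p B:q out via fxp1' -> (logged rule, Packet). Flags are not logged."""
    f = line.split("ipfw:", 1)[1].split()
    (src, sport), (dst, dport) = (x.rsplit(":", 1) for x in f[3:5])
    return int(f[0]), Packet(f[2].lower(), src, int(sport), dst, int(dport), f[5], f[7])

# DMZ scenario: 203.0.113.0/24 and ext0 are constructed stand-ins for the thread's x.x.242.x block
# and external interface.  Same rules, two orders.
DIVERT_FIRST = ["100 divert 8668 ip from any to any via ext0", "200 allow ip from 203.0.113.48/28 to any"]
DMZ_FIRST = ["50 allow ip from 203.0.113.48/28 to any out xmit ext0"] + DIVERT_FIRST
# The rules of the posted fxp0/fxp1 set that decide outbound TCP on fxp1.
POSTED_SUBSET = ["00101 divert 8668 ip from any to any via fxp1", "01000 allow ip from any to any via fxp0",
                 "03000 check-state", "03100 allow tcp from any to any in established",
                 "03200 allow tcp from any to any keep-state out setup", "03500 allow udp from any to any out",
                 "10000 deny log logamount 100 ip from any to any"]

def demo():
    """Constructed packets through both scenarios: {name: (rule, verdict, diverted)}."""
    dmz = Packet("tcp", "203.0.113.50", 40000, "198.51.100.7", 80, "out", "ext0", syn=True)
    out = {"divert_first": evaluate(DIVERT_FIRST, dmz, {}), "dmz_first": evaluate(DMZ_FIRST, dmz, {})}
    state, syn = {}, Packet("tcp", "63.229.139.185", 1290, "64.242.116.9", 80, "out", "fxp1", syn=True)
    out["syn"] = evaluate(POSTED_SUBSET, syn, state)                                # creates dynamic state
    out["data"] = evaluate(POSTED_SUBSET, syn._replace(syn=False, ack=True), state)  # matched by check-state
    _, pkt = packet_from_log("Jun 11 09:07:56 active-c /kernel: ipfw: 10000 Deny TCP "
                             "63.229.139.185:1290 64.242.116.9:80 out via fxp1")
    out["logged"] = evaluate(POSTED_SUBSET, pkt, {})      # no state and not a SYN: falls through to 10000
    return out
```

demo() returns the verdicts; in this model the logged packet ends at rule 10000 only because it is neither a setup packet nor covered by a dynamic rule, which is the first thing to check against the real dynamic table (ipfw -d show) when reading such log lines.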
From owner-freebsd-security Mon Jun 11 12:43:02 2001
Message-ID: <3B24F469.13D59538@centtech.com>
Date: Mon, 11 Jun 2001 11:40:09 -0500
From: Eric Anderson <anderson@centtech.com>
Organization: Centaur Technology
To: freebsd-security@freebsd.org
Subject: IPFILTER byte/packet counting

Using IPFILTER with a bridge, can ipf count packets and bytes going to/from an IP? I see things like dummynet (which only works with ipfw?). Does anyone have a good URL of a howto or information on this? I basically need to see usage (in bytes really) to/from certain IPs behind my ipf/bridging firewall.

Eric

-- 
Eric Anderson    anderson@centtech.com    Centaur Technology    (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.

From owner-freebsd-security Mon Jun 11 12:58:07 2001
Date: Mon, 11 Jun 2001 14:52:14 -0500
From: Ryan <ryanpek@swbell.net>
Subject: Re: IPFILTER byte/packet counting
To: freebsd-security@freebsd.org
Message-ID: <000401c0f2b0$0331dfe0$01000001@mhx800>
References: <3B24F469.13D59538@centtech.com>

http://www.obfuscation.org/ipf/

This is the only link that I have. Along with ipf you can use ipfmon, which shows the following packet information:

    [root@rolln /home/mhx$] ipfstat
    input packets: blocked 461 passed 46857 nomatch 0 counted 0 short 0
    output packets: blocked 0 passed 47234 nomatch 0 counted 0 short 0
    input packets logged: blocked 461 passed 0
    output packets logged: blocked 0 passed 0
    packets logged: input 0 output 0
    log failures: input 17 output 0
    fragment state(in): kept 0 lost 0
    fragment state(out): kept 0 lost 0
    packet state(in): kept 257 lost 0
    packet state(out): kept 256 lost 0
    ICMP replies: 454 TCP RSTs sent: 6
    Invalid source(in): 0
    Result cache hits(in): 332 (out): 4
    IN Pullups succeeded: 0 failed: 0
    OUT Pullups succeeded: 0 failed: 0
    Fastroute successes: 460 failures: 0
    TCP cksum fails(in): 0 (out): 0
    Packet log flags set: (0)

I hope that helps.

none

----- Original Message -----
From: "Eric Anderson"
Sent: Monday, June 11, 2001 11:40 AM
Subject: IPFILTER byte/packet counting

> Using IPFILTER with a bridge, can ipf count packets and bytes going
> to/from an ip? I see things like dummynet (which only works with
> ipfw?). Does anyone have a good url of a howto or information on this?
> I basically need to see usage (in bytes really) to/from certain ip's
> behind my ipf/bridging firewall.
>
> Eric

From owner-freebsd-security Mon Jun 11 13:11:07 2001
Message-ID: <3B25259B.404344DA@centtech.com>
Date: Mon, 11 Jun 2001 15:10:03 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Ryan
Cc: freebsd-security@freebsd.org
Subject: Re: IPFILTER byte/packet counting
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Well, I know about this. But what I really need is basically bytes
passed in/out on a per rule basis. I need to graph (I'll use mrtg) the
usage per machine behind the transparent firewall (running IPFILTER).

Eric

Ryan wrote:
>
> http://www.obfuscation.org/ipf/
>
> this is the only link that i have
> Along with ipf you can use ipfmon which shows the following packet
> information
> [root@rolln /home/mhx$] ipfstat
> input packets:          blocked 461 passed 46857 nomatch 0 counted 0 short 0
> output packets:         blocked 0 passed 47234 nomatch 0 counted 0 short 0
> input packets logged:   blocked 461 passed 0
> output packets logged:  blocked 0 passed 0
> packets logged:         input 0 output 0
> log failures:           input 17 output 0
> fragment state(in):     kept 0 lost 0
> fragment state(out):    kept 0 lost 0
> packet state(in):       kept 257 lost 0
> packet state(out):      kept 256 lost 0
> ICMP replies:   454     TCP RSTs sent:  6
> Invalid source(in):     0
> Result cache hits(in):  332     (out):  4
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  0       failed: 0
> Fastroute successes:    460     failures:       0
> TCP cksum fails(in):    0       (out):  0
> Packet log flags set: (0)
>
> i hope that helps
>
> none
> ----- Original Message -----
> From: "Eric Anderson"
> To:
> Sent: Monday, June 11, 2001 11:40 AM
> Subject: IPFILTER byte/packet counting
>
> > Using IPFILTER with a bridge, can ipf count packets and bytes going
> > to/from an ip? I see things like dummynet (which only works with
> > ipfw?). Does anyone have a good url of a howto or information on this?
> > I basically need to see usage (in bytes really) to/from certain ip's
> > behind my ipf/bridging firewall.
> >
> > Eric
> >
> > --
> > -------------------------------------------------------------------------------
> > Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> > For every complex problem, there is a solution that is simple, neat, and wrong.
> > -------------------------------------------------------------------------------

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 11 13:16: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id C8B5937B403 for ; Mon, 11 Jun 2001 13:15:59 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GES001AL81E7G@mta5.rcsntx.swbell.net> for freebsd-security@freebsd.org; Mon, 11 Jun 2001 15:10:26 -0500 (CDT)
Date: Mon, 11 Jun 2001 15:10:33 -0500
From: Ryan
Subject: Re: IPFILTER byte/packet counting
To: freebsd-security@freebsd.org
Message-id: <000401c0f2b2$930e1cd0$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800>
X-Priority: 3

> Along with ipf you can use ipfmon which shows the following packet
> information

ipfmon = ipfstat my bad... ipfmon will let you watch all the packets
being blocked

Ryan

----- Original Message -----
From: "Ryan"
To:
Sent: Monday, June 11, 2001 2:52 PM
Subject: Re: IPFILTER byte/packet counting

> http://www.obfuscation.org/ipf/
>
> this is the only link that i have
> Along with ipf you can use ipfmon which shows the following packet
> information
> [root@rolln /home/mhx$] ipfstat
> input packets:          blocked 461 passed 46857 nomatch 0 counted 0 short 0
> output packets:         blocked 0 passed 47234 nomatch 0 counted 0 short 0
> input packets logged:   blocked 461 passed 0
> output packets logged:  blocked 0 passed 0
> packets logged:         input 0 output 0
> log failures:           input 17 output 0
> fragment state(in):     kept 0 lost 0
> fragment state(out):    kept 0 lost 0
> packet state(in):       kept 257 lost 0
> packet state(out):      kept 256 lost 0
> ICMP replies:   454     TCP RSTs sent:  6
> Invalid source(in):     0
> Result cache hits(in):  332     (out):  4
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  0       failed: 0
> Fastroute successes:    460     failures:       0
> TCP cksum fails(in):    0       (out):  0
> Packet log flags set: (0)
>
> i hope that helps
>
> none
> ----- Original Message -----
> From: "Eric Anderson"
> To:
> Sent: Monday, June 11, 2001 11:40 AM
> Subject: IPFILTER byte/packet counting
>
> > Using IPFILTER with a bridge, can ipf count packets and bytes going
> > to/from an ip? I see things like dummynet (which only works with
> > ipfw?). Does anyone have a good url of a howto or information on this?
> > I basically need to see usage (in bytes really) to/from certain ip's
> > behind my ipf/bridging firewall.
> >
> > Eric
> >
> > --
> > -------------------------------------------------------------------------------
> > Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> > For every complex problem, there is a solution that is simple, neat, and wrong.
> > -------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 11 13:20:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta5.rcsntx.swbell.net (mta5.rcsntx.swbell.net [151.164.30.29]) by hub.freebsd.org (Postfix) with ESMTP id 8A4BE37B401 for ; Mon, 11 Jun 2001 13:20:30 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta5.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GES0026L86CBE@mta5.rcsntx.swbell.net> for freebsd-security@freebsd.org; Mon, 11 Jun 2001 15:13:25 -0500 (CDT)
Date: Mon, 11 Jun 2001 15:13:33 -0500
From: Ryan
Subject: Re: IPFILTER byte/packet counting
To: freebsd-security@freebsd.org
Message-id: <000d01c0f2b2$fda1e540$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800> <3B25259B.404344DA@centtech.com>
X-Priority: 3

Then you want to get some good connection monitoring software.. Any
suggestions any1?

----- Original Message -----
From: "Eric Anderson"
To: "Ryan"
Cc:
Sent: Monday, June 11, 2001 3:10 PM
Subject: Re: IPFILTER byte/packet counting

> Well, I know about this. But what I really need is basically bytes
> passed in/out on a per rule basis. I need to graph (I'll use mrtg) the
> usage per machine behind the transparent firewall (running IPFILTER).
>
> Eric
>
> Ryan wrote:
> >
> > http://www.obfuscation.org/ipf/
> >
> > this is the only link that i have
> > Along with ipf you can use ipfmon which shows the following packet
> > information
> > [root@rolln /home/mhx$] ipfstat
> > input packets:          blocked 461 passed 46857 nomatch 0 counted 0 short 0
> > output packets:         blocked 0 passed 47234 nomatch 0 counted 0 short 0
> > input packets logged:   blocked 461 passed 0
> > output packets logged:  blocked 0 passed 0
> > packets logged:         input 0 output 0
> > log failures:           input 17 output 0
> > fragment state(in):     kept 0 lost 0
> > fragment state(out):    kept 0 lost 0
> > packet state(in):       kept 257 lost 0
> > packet state(out):      kept 256 lost 0
> > ICMP replies:   454     TCP RSTs sent:  6
> > Invalid source(in):     0
> > Result cache hits(in):  332     (out):  4
> > IN Pullups succeeded:   0       failed: 0
> > OUT Pullups succeeded:  0       failed: 0
> > Fastroute successes:    460     failures:       0
> > TCP cksum fails(in):    0       (out):  0
> > Packet log flags set: (0)
> >
> > i hope that helps
> >
> > none
> > ----- Original Message -----
> > From: "Eric Anderson"
> > To:
> > Sent: Monday, June 11, 2001 11:40 AM
> > Subject: IPFILTER byte/packet counting
> >
> > > Using IPFILTER with a bridge, can ipf count packets and bytes going
> > > to/from an ip? I see things like dummynet (which only works with
> > > ipfw?). Does anyone have a good url of a howto or information on this?
> > > I basically need to see usage (in bytes really) to/from certain ip's
> > > behind my ipf/bridging firewall.
> > >
> > > Eric
> > >
> > > --
> > > -------------------------------------------------------------------------------
> > > Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> > > For every complex problem, there is a solution that is simple, neat, and wrong.
> > > -------------------------------------------------------------------------------
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> For every complex problem, there is a solution that is simple, neat, and wrong.
> -------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 11 13:51: 6 2001
Delivered-To: freebsd-security@freebsd.org
Received: from heimdall.inter.net.il (heimdall.inter.net.il [192.114.186.17]) by hub.freebsd.org (Postfix) with ESMTP id B60B937B403 for ; Mon, 11 Jun 2001 13:51:03 -0700 (PDT) (envelope-from bk532@iname.com)
Received: from bk532nb.local.net (diup-210-18.inter.net.il [213.8.210.18]) by heimdall.inter.net.il (Mirapoint) with ESMTP id ARG56504; Mon, 11 Jun 2001 23:49:55 +0300 (IDT)
Received: (from boris@localhost) by bk532nb.local.net (8.11.3/8.11.3) id f5BKm5A17549; Mon, 11 Jun 2001 23:48:05 +0300 (IDT) (envelope-from boris)
Date: Mon, 11 Jun 2001 23:48:05 +0300
From: Boris Karnaukh
To: Eric Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFILTER byte/packet counting
Message-ID: <20010611234805.A17537@bk532nb.local.net>
Mail-Followup-To: Boris Karnaukh , Eric Anderson , freebsd-security@FreeBSD.ORG
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800> <3B25259B.404344DA@centtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B25259B.404344DA@centtech.com>; from anderson@centtech.com on Mon, Jun 11, 2001 at 03:10:03PM -0500

On Mon, Jun 11, 2001 at 03:10:03PM -0500, Eric Anderson wrote:
> Well, I know about this. But what I really need is basically bytes
> passed in/out on a per rule basis. I need to graph (I'll use mrtg) the
> usage per machine behind the transparent firewall (running IPFILTER).
>

ipfstat -hnio

--
Boris Karnaukh (mailto:bk532@iname.com)

From owner-freebsd-security Mon Jun 11 14: 8:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id D23D837B405 for ; Mon, 11 Jun 2001 14:08:32 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id QAA22768; Mon, 11 Jun 2001 16:04:36 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma022721; Mon, 11 Jun 01 16:04:23 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id QAA13132; Mon, 11 Jun 2001 16:04:23 -0500 (CDT)
Message-ID: <3B253258.304226B8@centtech.com>
Date: Mon, 11 Jun 2001 16:04:24 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Boris Karnaukh
Cc: freebsd-security@freebsd.org
Subject: Re: IPFILTER byte/packet counting
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800> <3B25259B.404344DA@centtech.com> <20010611234805.A17537@bk532nb.local.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

That appears to show only packets.. that's close.. Any ideas how to
measure bytes? (thanks for the info)

Boris Karnaukh wrote:
>
> On Mon, Jun 11, 2001 at 03:10:03PM -0500, Eric Anderson wrote:
> > Well, I know about this. But what I really need is basically bytes
> > passed in/out on a per rule basis. I need to graph (I'll use mrtg) the
> > usage per machine behind the transparent firewall (running IPFILTER).
> >
>
> ipfstat -hnio
>
> --
>
> Boris Karnaukh (mailto:bk532@iname.com)

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Mon Jun 11 15: 9:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mercury.ipdvbnet.com (adsl-216-100-228-204.dsl.snfc21.pacbell.net [216.100.228.204]) by hub.freebsd.org (Postfix) with ESMTP id C0A0737B403 for ; Mon, 11 Jun 2001 15:09:19 -0700 (PDT) (envelope-from Greg.Haa@amux.com)
Received: from sunking.ipdvbnet.com (sunking2.ipdvbnet.com [192.168.255.16]) by mercury.ipdvbnet.com (8.11.3/8.11.1) with ESMTP id f5BLb8J00479 for ; Mon, 11 Jun 2001 14:37:09 -0700 (PDT) (envelope-from Greg.Haa@amux.com)
Received: by SUNKING with Internet Mail Service (5.5.2650.21) id ; Mon, 11 Jun 2001 14:37:08 -0700
Message-ID: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>
From: Greg Haa
To: "'freebsd-security@FreeBSD.ORG'"
Subject: message
Date: Mon, 11 Jun 2001 14:36:59 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain

Hello list,

So I am getting a lot of these messages. Can someone shed some light
on this for me? Or how to stop it? I understand that the comp is trying
to connect to itself on 53 (dns).

Jun 11 14:18:09 mercury /kernel: Connection attempt to UDP 127.0.0.1:1660 from 127.0.0.1:53

Also what is the submission service that runs on port 587?

Thanks in advance

greg

From owner-freebsd-security Mon Jun 11 15:14:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from joe.pythonvideo.com (joe.pythonvideo.com [216.130.212.49]) by hub.freebsd.org (Postfix) with ESMTP id 5204D37B401 for ; Mon, 11 Jun 2001 15:14:47 -0700 (PDT) (envelope-from joe@advancewebhosting.com)
Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.3/8.11.0) with ESMTP id f5BMEiD05054; Mon, 11 Jun 2001 18:14:44 -0400 (EDT) (envelope-from joe@advancewebhosting.com)
X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs
Date: Mon, 11 Jun 2001 18:14:44 -0400 (EDT)
From: Joe Oliveiro
X-Sender: joe@joe.pythonvideo.com
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: message
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

It appears that something (local) is trying to do dns lookups. If you
run the command 'sockstat' it will report to you what ports are in use
and which program is using it.

Joe Oliveiro

On Mon, 11 Jun 2001, Greg Haa wrote:

> Hello list,
>
> So I am getting a lot of these messages. Can someone shed some light
> on this for me? Or how to stop it? I understand that the comp is trying
> to connect to itself on 53 (dns).
>
> Jun 11 14:18:09 mercury /kernel: Connection attempt to UDP 127.0.0.1:1660
> from 127.0.0.1:53
>
> Also what is the submission service that runs on port 587?
>
> Thanks in advance
>
> greg

From owner-freebsd-security Mon Jun 11 15:16:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 805E337B401 for ; Mon, 11 Jun 2001 15:16:21 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f5BMGEK37417; Mon, 11 Jun 2001 18:16:14 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Mon, 11 Jun 2001 18:16:11 -0400 (EDT)
From: Rob Simmons
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: message
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The submission service is an MSA (see RFC 2476 for details). It is part
of sendmail. It can be disabled if you don't want to use it, see
/usr/share/sendmail/cf/README for details on disabling it.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 11 Jun 2001, Greg Haa wrote:

> Hello list,
>
> So I am getting a lot of these messages. Can someone shed some light
> on this for me? Or how to stop it? I understand that the comp is trying
> to connect to itself on 53 (dns).
>
> Jun 11 14:18:09 mercury /kernel: Connection attempt to UDP 127.0.0.1:1660
> from 127.0.0.1:53
>
> Also what is the submission service that runs on port 587?
>
> Thanks in advance
>
> greg

From owner-freebsd-security Mon Jun 11 15:18:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from malkavian.org (malkavian.org [206.136.132.23]) by hub.freebsd.org (Postfix) with ESMTP id F381037B403 for ; Mon, 11 Jun 2001 15:18:27 -0700 (PDT) (envelope-from rbw@myplace.org)
Received: (from rbw@localhost) by malkavian.org (8.11.3/8.11.1) id f5BMI1n06215; Mon, 11 Jun 2001 18:18:01 -0400 (EDT) (envelope-from rbw@myplace.org)
Date: Mon, 11 Jun 2001 15:18:01 -0700
From: "brian j. peterson"
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: message
Message-ID: <20010611151801.A99272@malkavian.org>
Mail-Followup-To: Greg Haa , "'freebsd-security@FreeBSD.ORG'"
References: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>; from Greg.Haa@amux.com on Mon, Jun 11, 2001 at 02:36:59PM -0700
X-URL: http://rbw.myplace.org/

On Mon, Jun 11, 2001 at 02:36:59PM -0700, Greg Haa wrote:
> Also what is the submission service that runs on port 587?

see http://www.faqs.org/rfcs/rfc2476.html

--
--===-----=======-----------=============-----------------===================
| rbw aka bjp     | god's final message to his creation: |
| rbw@myplace.org | we apologize for the inconvenience.  |
===================-----------------=============-----------=======-----===--

From owner-freebsd-security Mon Jun 11 15:18:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 100EF37B403 for ; Mon, 11 Jun 2001 15:18:44 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f5BMIm937502; Mon, 11 Jun 2001 18:18:48 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Mon, 11 Jun 2001 18:18:45 -0400 (EDT)
From: Rob Simmons
To: Greg Haa
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: message
In-Reply-To: <2BFD35C3F1F9D31185CE00B0D0202302838718@SUNKING>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Make sure that your /etc/resolv.conf is set up correctly. It seems like
your machine thinks that it has a dns server running locally. See the
man page for resolv.conf for info on setting this up correctly.

Sorry about sending two messages :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Mon, 11 Jun 2001, Greg Haa wrote:

> Hello list,
>
> So I am getting a lot of these messages. Can someone shed some light
> on this for me? Or how to stop it? I understand that the comp is trying
> to connect to itself on 53 (dns).
>
> Jun 11 14:18:09 mercury /kernel: Connection attempt to UDP 127.0.0.1:1660
> from 127.0.0.1:53
>
> Also what is the submission service that runs on port 587?
>
> Thanks in advance
>
> greg

From owner-freebsd-security Mon Jun 11 16:51:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 5BB2D37B405 for ; Mon, 11 Jun 2001 16:51:45 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id JAA14067; Tue, 12 Jun 2001 09:47:46 +1000 (EST)
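An added example for the "Connection attempt to UDP ..." thread above (the three replies to Greg end here). It is not code from the list; it summarises those kernel lines so that loopback chatter of the kind Greg saw can be told apart from attempts arriving from outside. The log lines other than Greg's are constructed, and the helper names are this example's own.

```sh
#!/bin/sh
# Added example for the "Connection attempt to UDP ..." thread; not code
# from the list. It groups the kernel's log_in_vain lines so that harmless
# loopback chatter stands out from attempts coming from other hosts.
#
# FreeBSD logs "Connection attempt to <PROTO> <local>:<port> from
# <sender>:<port>" when net.inet.udp.log_in_vain / net.inet.tcp.log_in_vain
# is set and a packet arrives for a local port that has no socket behind
# it. In Greg's line the sender is 127.0.0.1:53: a DNS reply from a
# resolver on the box itself, delivered to a client port (1660) that had
# already been closed. That points at resolv.conf / the local resolver,
# not at an intruder.

# Constructed sample of /var/log/messages: Greg's line plus invented ones
# (192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes).
SAMPLE_MESSAGES='Jun 11 14:18:09 mercury /kernel: Connection attempt to UDP 127.0.0.1:1660 from 127.0.0.1:53
Jun 11 14:18:10 mercury /kernel: Connection attempt to UDP 127.0.0.1:1661 from 127.0.0.1:53
Jun 11 14:20:31 mercury /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:3344
Jun 11 14:20:32 mercury /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:3345
Jun 11 14:21:00 mercury /kernel: Connection attempt to TCP 192.0.2.10:111 from 198.51.100.9:1027
Jun 11 14:21:05 mercury sshd[123]: Accepted publickey for eric from 10.0.0.9 port 40000'

# in_vain_summary TEXT
#   One line per group, highest count first. Loopback senders are grouped
#   by their *source* port (the local daemon that answered; 53 is DNS),
#   everything else by the local port that was probed and the sender.
in_vain_summary() {
    printf '%s\n' "$1" | awk '
        match($0, /Connection attempt to [A-Z]+ [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            proto = f[4]
            split(f[5], loc, ":")    # local address, local port
            split(f[7], rem, ":")    # sender address, sender port
            if (rem[1] ~ /^127\./)
                key = proto " from loopback port " rem[2]
            else
                key = proto " to port " loc[2] " from " rem[1]
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# in_vain_external_total TEXT
#   Number of logged attempts whose sender is not a loopback address,
#   i.e. the figure worth alerting on.
in_vain_external_total() {
    printf '%s\n' "$1" | awk '
        match($0, /Connection attempt to [A-Z]+ [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            if (f[7] !~ /^127\./) n++
        }
        END { print n + 0 }'
}

# Against the live log on the box that printed the message:
#   in_vain_summary "$(cat /var/log/messages)"
```

On the sample above the loopback group reads "2 UDP from loopback port 53", which is exactly Greg's case, while the two external groups (port 23 and port 111) are the ones `sockstat` cannot explain and a firewall rule should be answering.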
From: Darren Reed
Message-Id: <200106112347.JAA14067@caligula.anu.edu.au>
Subject: Re: IPFILTER byte/packet counting
To: anderson@centtech.com
Date: Tue, 12 Jun 2001 09:47:46 +1000 (Australia/ACT)
Cc: bk532@iname.com (Boris Karnaukh), freebsd-security@FreeBSD.ORG
In-Reply-To: <3B253258.304226B8@centtech.com> from "Eric Anderson" at Jun 11, 2001 04:04:24 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

In some mail from Eric Anderson, sie said:
>
> That appears to show only packets.. that's close.. Any ideas how to
> measure bytes? (thanks for the info)

count in on ppp0 all
count out on ppp0 all

ipfstat -aio
ipfstat -haio

From owner-freebsd-security Mon Jun 11 17:12:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id C5E0E37B401 for ; Mon, 11 Jun 2001 17:12:47 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f5C0Cvm40035 for ; Mon, 11 Jun 2001 20:12:57 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Mon, 11 Jun 2001 20:12:53 -0400 (EDT)
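An added example for the IPFILTER accounting thread above, tying Darren's `count` rules and `ipfstat -haio` to the MRTG graphing Eric asked for. This is not code from the list or from IPFilter. It assumes one `count in` / `count out` rule pair per monitored host (the interface name fxp0 and the addresses are placeholders) and, since the thread does not show the output, it assumes the column order `<bytes> <hits> count ...` for `ipfstat -haio`; the script says where to adjust that if your version differs.

```sh
#!/bin/sh
# Added example for the ipf accounting recipe in the thread. Not code
# from the list or from IPFilter: it turns the counters of ipf "count"
# rules into the four lines an MRTG external script has to print.
#
# Rules assumed in ipf.conf (one pair per monitored host; fxp0 is a
# placeholder interface name):
#     count in  on fxp0 from any to 10.0.0.5
#     count out on fxp0 from 10.0.0.5 to any
#
# ASSUMPTION about the ipfstat output format: with -a and -h together,
# each rule is printed as "<bytes> <hits> count in|out on <if> ..."
# (bytes, then hit count, then the rule text). Compare one line of your
# own `ipfstat -haio` and adjust the field numbers in ipf_bytes() if your
# version prints the columns in a different order.

# Constructed sample of `ipfstat -haio` output; not real traffic.
SAMPLE_IPFSTAT='123456 812 count in on fxp0 from any to 10.0.0.5
654321 790 count out on fxp0 from 10.0.0.5 to any
2048 12 count in on fxp0 from any to 10.0.0.6
4096 24 count out on fxp0 from 10.0.0.6 to any'

# ipf_bytes DIR HOST [TEXT]
#   Sum the byte column of every count rule in TEXT whose direction is DIR
#   (in or out) and whose address list contains HOST as a whole field, so
#   10.0.0.5 does not also match 10.0.0.50. TEXT defaults to live ipfstat
#   output, which normally has to be read as root.
ipf_bytes() {
    _dir=$1
    _host=$2
    _text=${3:-"$(ipfstat -haio 2>/dev/null)"}
    printf '%s\n' "$_text" | awk -v dir="$_dir" -v host="$_host" '
        $3 == "count" && $4 == dir {
            for (i = 5; i <= NF; i++)
                if ($i == host) { total += $1; break }
        }
        END { printf "%.0f\n", total + 0 }'
}

# mrtg_target HOST [TEXT]
#   Print what MRTG reads from an external script: input counter, output
#   counter, uptime (left empty), target name. ipf byte counters only grow
#   until the rules are reloaded, so MRTG should treat them as counters
#   (its default), not gauges.
mrtg_target() {
    _h=$1
    _t=${2:-"$(ipfstat -haio 2>/dev/null)"}
    ipf_bytes in "$_h" "$_t"
    ipf_bytes out "$_h" "$_t"
    echo ""
    echo "$_h"
}

# On the firewall:   ./ipfacct.sh 10.0.0.5
# In mrtg.cfg:       Target[host5]: `/usr/local/bin/ipfacct.sh 10.0.0.5`
if [ -n "$1" ]; then
    mrtg_target "$1"
fi
```

Because `count` rules are accounting-only, they can sit beside the existing `pass`/`block` rules without changing what the bridge lets through; reloading the rule set resets the counters, which MRTG will see as one counter wrap.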
From: Rob Simmons
To: freebsd-security@freebsd.org
Subject: sftp plans
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

What are the plans for the OpenSSH sftp client? Will it be added to
stable?

Also, are there plans to update OpenSSH to 2.9? If not the one in the
core OS, but at least the port?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Mon Jun 11 17:20:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by hub.freebsd.org (Postfix) with ESMTP id F2A4337B407 for ; Mon, 11 Jun 2001 17:20:23 -0700 (PDT) (envelope-from brdavis@odin.ac.hmc.edu)
Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.11.0/8.11.0) id f5C0K1F10052; Mon, 11 Jun 2001 17:20:01 -0700
Date: Mon, 11 Jun 2001 17:20:01 -0700
From: Brooks Davis
To: Rob Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: sftp plans
Message-ID: <20010611172001.A2564@Odin.AC.HMC.Edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="xHFwDpU9dbj6ez1V"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rsimmons@wlcg.com on Mon, Jun 11, 2001 at 08:12:53PM -0400

On Mon, Jun 11, 2001 at 08:12:53PM -0400, Rob Simmons wrote:
> What are the plans for the OpenSSH sftp client? Will it be added to
> stable?
>
> Also, are there plans to update OpenSSH to 2.9? If not the one in the
> core OS, but at least the port?

sftp was imported with 2.9 in -current so I assume it will happen when
2.9 is imported into -stable. This is planned, but I don't know when it
will happen. Both the openssh and openssh-portable ports have been
updated.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Mon Jun 11 17:24:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 972D337B401 for ; Mon, 11 Jun 2001 17:24:18 -0700 (PDT) (envelope-from petef@hex.databits.net)
Received: (qmail 72887 invoked by uid 1001); 12 Jun 2001 00:24:17 -0000
Date: Mon, 11 Jun 2001 20:24:17 -0400
From: Pete Fritchman
To: Rob Simmons
Cc: freebsd-security@freebsd.org
Subject: Re: sftp plans
Message-ID: <20010611202417.C70538@databits.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from rsimmons@wlcg.com on Mon, Jun 11, 2001 at 08:12:53PM -0400

++ 11/06/01 20:12 -0400 - Rob Simmons:
| Also, are there plans to update OpenSSH to 2.9? If not the one in the
| core OS, but at least the port?

/usr/ports/security/openssh{,-portable}

-pete

--
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security Mon Jun 11 19:10: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.noos.fr (claudel.noos.net [212.198.2.83]) by hub.freebsd.org (Postfix) with ESMTP id 0CF5D37B405 for ; Mon, 11 Jun 2001 19:09:48 -0700 (PDT) (envelope-from clefevre@redirect.to)
Received: (qmail 597862 invoked by uid 0); 12 Jun 2001 02:09:46 -0000
Received: from unknown (HELO gits.dyndns.org) ([212.198.228.81]) (envelope-sender ) by 212.198.2.83 (qmail-ldap-1.03) with SMTP for ; 12 Jun 2001 02:09:46 -0000
Received: (from root@localhost) by gits.dyndns.org (8.11.3/8.11.3) id f5C29jY51403; Tue, 12 Jun 2001 04:09:45 +0200 (CEST) (envelope-from clefevre@redirect.to)
To: jseger@FreeBSD.org
Cc: security@FreeBSD.org
Subject: Re: SGID make
References: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru> <20010607114714.R1832@superconductor.rush.net>
Reply-To: Cyrille Lefevre
In-Reply-To: <20010607114714.R1832@superconductor.rush.net>
From: Cyrille Lefevre
Date: 12 Jun 2001 04:09:44 +0200

Alfred Perlstein writes:

> * Nickolay A. Kritsky [010607 11:19] wrote:
> > Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID
> > kmem? I thought that make is intended only for compiling huge C
> > programs, isn't it?
> >
> > #ls -l /usr/local/bin/make
> > -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make
>
> As people have stated this isn't our make, it's most likely GNU make
> installed without using the port.
>
> The reason for the sgid'ness is most likely so that the binary can
> query the system load average to optimize parallel compilation
> without overwhelming the system.
>
> Although, this is sort of silly as the info should be available via
> sysctl in FreeBSD.

Justin, are you willing to update gmake for using sysctl instead of
reading kmem? If no, I'll do it when I have some time.

Cyrille.
--
home: mailto:clefevre@redirect.to
work: mailto:Cyrille.Lefevre@edf.fr
UNIX is user-friendly; it's just particular about who it chooses to be friends with.
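Added example, not gmake's or the port's code: the unprivileged way to read the load average that the thread is after, with a job-admission check modelled on gmake's documented -l load limit and a check for the setgid state the thread started from. It assumes getloadavg(3) is in libc, as it is on FreeBSD and glibc.

```c
/* Added example (not gmake's code): read the load average without any kmem
 * access and apply a gmake-style "-l" limit.  getloadavg(3) needs no
 * privilege on FreeBSD or glibc systems, which is the point of the thread. */
#define _DEFAULT_SOURCE          /* makes glibc declare getloadavg() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int getloadavg(double loadavg[], int nelem);   /* repeated in case strict ISO mode hides it */

/* 1-minute load average, or -1.0 if the kernel will not report it. */
double current_load(void)
{
    double avg[3];
    if (getloadavg(avg, 3) < 1)
        return -1.0;
    return avg[0];
}

/* Modelled on gmake's documented -l behaviour: while other jobs are running,
 * no new job starts once the load reaches the limit.  Pure function so the
 * policy can be checked with fixed numbers. */
int may_start_job(double load, double max_load, unsigned running_jobs)
{
    if (max_load <= 0.0)     /* no limit configured */
        return 1;
    if (running_jobs == 0)   /* always keep one job going */
        return 1;
    if (load < 0.0)          /* load unknown: run jobs one at a time */
        return 0;
    return load < max_load;
}

/* 1 if this process was started set-group-id (effective gid differs from the
 * real gid), the state the thread found /usr/local/bin/make in. */
int started_setgid(void)
{
    return getegid() != getgid();
}

int main(void)
{
    double load = current_load();
    if (load < 0.0)
        puts("load average unavailable");
    else
        printf("1-minute load %.2f; start another job under -l 2.0: %s\n",
               load, may_start_job(load, 2.0, 1) ? "yes" : "no");
    if (started_setgid())
        puts("note: running with an extra group that getloadavg(3) does not need");
    return 0;
}
```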
From owner-freebsd-security Mon Jun 11 19:22:37 2001
Date: Mon, 11 Jun 2001 22:16:47 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: IPFILTER byte/packet counting
Message-ID: <20010611221647.Y17514@speedy.gsinet>
In-Reply-To: <3B24F469.13D59538@centtech.com>; from anderson@centtech.com on Mon, Jun 11, 2001 at 11:40:09AM -0500
Organization: System Defenestrators Inc.

On Mon, Jun 11, 2001 at 11:40 -0500, Eric Anderson wrote:
>
> Using IPFILTER with a bridge, can ipf count packets and bytes
> going to/from an ip?

Do some "man ipfstat", search for "account". It talks about _bytes_
while I have to admit I haven't used it before.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Tue Jun 12 02:09:40 2001
Date: Tue, 12 Jun 2001 12:07:40 +0300
From: Peter Pentchev
To: Cyrille Lefevre
Cc: jseger@FreeBSD.org, security@FreeBSD.org
Subject: Re: SGID make
Message-ID: <20010612120740.A819@ringworld.oblivion.bg>
References: <009501c0ef65$23482580$0600a8c0@ibmka.internethelp.ru> <20010607114714.R1832@superconductor.rush.net>
In-Reply-To: from clefevre-lists@noos.fr on Tue, Jun 12, 2001 at 04:09:44AM +0200

On Tue, Jun 12, 2001 at 04:09:44AM +0200, Cyrille Lefevre wrote:
> Alfred Perlstein writes:
>
> > * Nickolay A. Kritsky [010607 11:19] wrote:
> > > Can anybody tell me why /usr/local/bin/make in FreeBSD 4.2 is SGID
> > > kmem? I thought that make is intended only for compiling huge C
> > > programs, isn't it?
> > >
> > > #ls -l /usr/local/bin/make
> > > -rwxr-sr-x 1 root kmem 445486 May 14 15:58 /usr/local/bin/make
> >
> > As people have stated this isn't our make, it's most likely GNU make
> > installed without using the port.
> >
> > The reason for the sgid'ness is most likely so that the binary can
> > query the system load average to optimize parallel compilation
> > without overwhelming the system.
> >
> > Although, this is sort of silly as the info should be available via
> > sysctl in FreeBSD.
>
> Justin, are you willing to update gmake for using sysctl instead of
> reading kmem? If no, I'll do it when I have some time.

The devel/gmake port already clears the setgid bit of the gmake
executable in its post-install target - gmake uses the getloadavg(3)
function, which does not require any privileges, but the autoconf
getloadavg-setgid'ness detection logic is not quite up-to-date.

G'luck,
Peter

--
I am not the subject of this sentence.
From owner-freebsd-security Tue Jun 12 05:00:18 2001
Date: Tue, 12 Jun 2001 09:00:09 -0300
From: "Fernando P. Schapachnik"
To: Eric Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFILTER byte/packet counting
Message-ID: <20010612090009.A79424@ns1.via-net-works.net.ar>
In-Reply-To: <3B24F469.13D59538@centtech.com>; from anderson@centtech.com on Mon, Jun 11, 2001 at 11:40:09AM -0500

Hi,

Are you sure you can use ipfilter + FreeBSD + bridging? I thought it
wasn't available... Would you mind pointing me to any documentation
about it?

Thanks for your help and regards!

In an earlier message, Eric Anderson wrote:
> Using IPFILTER with a bridge, can ipf count packets and bytes going
> to/from an ip? I see things like dummynet (which only works with
> ipfw?). Does anyone have a good url of a howto or information on this?
> I basically need to see usage (in bytes really) to/from certain ip's
> behind my ipf/bridging firewall.

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Tue Jun 12 05:15:55 2001
Message-ID: <3B2608E8.611D1669@colltech.com>
Date: Tue, 12 Jun 2001 08:19:52 -0400
From: Daniel Hagan
Reply-To: FreeBSD-Security@FreeBSD.org
To: aeonflux99@hushmail.com, FreeBSD-Audit@FreeBSD.org, FreeBSD-Security@FreeBSD.org
Subject: Re: resubmitting fix (/etc/security ssh awareness)
References: <200106112104.OAA16071@user7.hushmail.com>

This probably belongs more on -security than -audit, so I'm cross posting
it to both with follow-ups set to -security.

aeonflux99@hushmail.com wrote:
>
> I first submitted this patch to this mailing list in the month of January,
> unfortunately it was largely ignored. As it stands ssh failures are not
> audited, they're not even logged in the default configuration.
>
> Obviously we need to make some changes so that repeated failures get logged.
> Likewise people connecting to our sshd port to look for a banner version
> should also be logged. As it stands the only way to really do this properly
> is to use tcpwrappers, or packet filtering. However, I believe there needs
> to be some logging higher up in the ladder too.
>
> I'm resubmitting this patch. In order to get it to work properly, you're
> going to need to modify syslog.conf
>
> security.*;auth.info /var/log/security
>
> adding auth.info (the facility ssh uses) to the security log. Likewise
> the patch is extremely simple.

It seems that adding auth and authpriv to /var/log/security would be the
'right thing to do' in the POLA sense.

> -
> --- /etc/security Mon Jun 11 15:45:02 2001
> +++ /etc/security Mon Jun 11 15:48:29 2001
> @@ -44,6 +44,7 @@
> sort -t. -r -n +1 -2 |
> xargs zcat -f
> [ -f $LOG/messages ] && cat $LOG/messages
> + [ -f $LOG/security ] && cat $LOG/security
> }
>
> sflag=FALSE ignore=
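Review bot: the added `[ -f $LOG/security ] && cat $LOG/security` only reads the live security log, whereas the lines just above it push the rotated messages copies through `xargs zcat -f` before appending the live `$LOG/messages`; if /var/log/security has already been rotated when this daily run greps for yesterday's entries, the sshd lines are not in catmsgs at all, so the rotated security logs should be collected the same way. Since catmsgs feeds every check further down, the existing "login failure" and tcp_wrapper greps will now scan the security log as well, which is presumably intended but deserves a comment in the script.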
> @@ -188,6 +189,12 @@
> separator
> echo "${host} login failures:"
> n=$(catmsgs | grep -i "^$yesterday.*login failure" | tee /dev/stderr |
> wc -l)
> +[ $n -gt 0 -a $rc -lt 1 ] && rc=1
> +
> +# Show "${host} SSH login failures:"
> +separator
> +echo "${host} login failures:"

This should probably be echo "${host} SSH login failures:", right?

> +n=$(catmsgs | grep -i "^$yesterday.*failed password" | tee /dev/stderr
> | wc -l)
> [ $n -gt 0 -a $rc -lt 1 ] && rc=1
>
> # Show tcp_wrapper warning messages

While I agree that this is a Good Idea, I'm not entirely sure that your
implementation is sufficient. Does .*failed password match only sshd
entries and does it match all of the cases you mention above (failed
logins, port scanning; what about failed RSAAuthentication attempts)?

Daniel

--
Consultant, Collective Technologies   http://www.collectivetech.com/
Use PGP for confidential e-mail.      http://www.pgp.com/products/freeware/
Key Id: 0xD44F15B1  3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1

From owner-freebsd-security Tue Jun 12 06:22:48 2001
Message-ID: <3B26177A.ED41EF99@centtech.com>
Date: Tue, 12 Jun 2001 08:22:02 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: Darren Reed
Cc: Boris Karnaukh, freebsd-security@freebsd.org
Subject: Re: IPFILTER byte/packet counting
References: <200106112347.JAA14067@caligula.anu.edu.au>

That's exactly what I was looking for! Thanks so much for the help..

Darren Reed wrote:
>
> In some mail from Eric Anderson, sie said:
> >
> > That appears to show only packets.. that's close.. Any ideas how to
> > measure bytes? (thanks for the info)
>
> count in on ppp0 all
> count out on ppp0 all
>
> ipfstat -aio
> ipfstat -haio

--
-------------------------------------------------------------------------------
Eric Anderson   anderson@centtech.com   Centaur Technology   (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Tue Jun 12 12:21:43 2001
Message-ID: <01c301c0f374$f3f3c910$0900a8c0@windows>
From: "Marcel Dijk"
References: <200106112347.JAA14067@caligula.anu.edu.au> <3B26177A.ED41EF99@centtech.com>
Subject: IPFW almost works now.
Date: Tue, 12 Jun 2001 21:11:38 +0200

Hello,

Thanks to some advice here and http://freebsddiary.org my IPfirewall is
almost how I want it now.

Only the ports I want to be open are open now, and I can access the
services behind these ports. The only problem is FTP. If I try to access
the FTP daemon on port 5617 from, for example, my work (the FTP daemon
runs at home) I get an error.

I can connect, I have to give my username and pass. It then establishes a
connection and tries to execute the LIST command. But then I get this error

_______________________________________
Can't build data connection: interrupted system call.
ABOR command succesfull.
Connection Lost
_______________________________________

If I set the firewall wide-open everything works perfectly, but of course
I don't want a wide open firewall.
I have these IPFW rules defined:

________________________________________
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
________________________________________
(MY_IP is my public/internet IP)

Can anyone give me some advice on what the problem is and how I can solve
it? Just a reminder: all the other services work perfectly with this FW
configuration.

Marcel

From owner-freebsd-security Tue Jun 12 12:25:48 2001
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Marcel Dijk', freebsd-security@freebsd.org
Subject: RE: IPFW almost works now.
Date: Tue, 12 Jun 2001 12:25:33 -0700

Welcome to the shitty protocol that is: FTP. To use active ftp, you need to
allow connections to all inbound ports above 1024. To allow passive FTP, you
need to allow outbound connections to all ports above 1024. FTP is obsolete,
too bad everyone still uses it though.

Cheers,
-JD-
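Added example, not from the thread or from ipfw: a stateless re-evaluation of Marcel's posted rules 00615-00900 (plus the default deny) against the two FTP data connections Jason describes, seen from the server side, which is how Marcel's setup works. MY_IP, the client address and the data ports are constructed stand-ins; the loopback and divert rules are left out because they do not decide these cases, and ipfw is treated as stateless because the posted rules use no state keywords.

```c
/* Added example, not from the thread or from ipfw: a stateless re-evaluation
 * of the posted rules 00615-00900 plus the default deny against the two FTP
 * data connections Jason describes, seen from the server (MY_IP) side.
 * MY_IP, CLIENT and the data ports are constructed stand-ins. */
#include <stdio.h>
#include <string.h>

#define MY_IP  "203.0.113.10"   /* constructed: the poster's public address */
#define CLIENT "198.51.100.7"   /* constructed: the client at work */
#define ANY    "any"
#define LAN    "192.168.0.0/16"

struct rule {
    int num;
    const char *action, *proto, *src, *dst;
    int ports[4];               /* destination ports, 0-terminated; {0} = all */
};

/* Loopback and divert rules are omitted: they do not decide these cases. */
static const struct rule rules[] = {
    {615,   "allow", "tcp", ANY,   MY_IP, {22, 5617, 10000, 0}},
    {625,   "allow", "tcp", MY_IP, ANY,   {0}},
    {650,   "allow", "udp", ANY,   MY_IP, {0}},
    {700,   "allow", "udp", MY_IP, ANY,   {0}},
    {850,   "allow", "ip",  LAN,   ANY,   {0}},
    {900,   "allow", "ip",  ANY,   LAN,   {0}},
    {65535, "deny",  "ip",  ANY,   ANY,   {0}},
};

static int addr_match(const char *spec, const char *addr)
{
    if (strcmp(spec, ANY) == 0)
        return 1;
    if (strcmp(spec, LAN) == 0)
        return strncmp(addr, "192.168.", 8) == 0;
    return strcmp(spec, addr) == 0;
}

/* Number of the first rule matching a TCP/UDP packet; 65535 always matches. */
int first_match(const char *proto, const char *src, const char *dst, int dport)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        int k, hit = (r->ports[0] == 0);       /* no port list: any port */
        if (strcmp(r->proto, "ip") != 0 && strcmp(r->proto, proto) != 0)
            continue;
        if (!addr_match(r->src, src) || !addr_match(r->dst, dst))
            continue;
        for (k = 0; !hit && r->ports[k] != 0; k++)
            hit = (r->ports[k] == dport);
        if (hit)
            return r->num;
    }
    return 65535;
}

/* Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply. */
int parse_hostport(const char *text, char *host, size_t hostlen, int *port)
{
    int h[4], p[2];
    for (const char *s = text; *s; s++)
        if (sscanf(s, "%d,%d,%d,%d,%d,%d",
                   &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) == 6) {
            snprintf(host, hostlen, "%d.%d.%d.%d", h[0], h[1], h[2], h[3]);
            *port = p[0] * 256 + p[1];
            return 1;
        }
    return 0;
}

/* Passive mode: the client connects inbound to the port the server announced
 * in its 227 reply.  Returns the deciding rule number, -1 on a parse error. */
int passive_verdict(const char *reply_227)
{
    char host[16]; int port;
    if (!parse_hostport(reply_227, host, sizeof host, &port))
        return -1;
    return first_match("tcp", CLIENT, host, port);
}

/* Active mode: the server connects from port 20 to the port the client gave
 * in PORT (reply == 0), and a stateless filter must also pass the client's
 * answer back to MY_IP port 20 (reply == 1). */
int active_verdict(const char *port_cmd, int reply)
{
    char host[16]; int port;
    if (!parse_hostport(port_cmd, host, sizeof host, &port))
        return -1;
    return reply ? first_match("tcp", host, MY_IP, 20)
                 : first_match("tcp", MY_IP, host, port);
}

int main(void)
{
    const char *pasv = "227 Entering Passive Mode (203,0,113,10,195,80)";
    const char *port = "PORT 198,51,100,7,200,17";
    printf("passive data connection decided by rule %d\n", passive_verdict(pasv));
    printf("active data connection: outbound rule %d, reply rule %d\n",
           active_verdict(port, 0), active_verdict(port, 1));
    return 0;
}
```

Both data connections fall through to rule 65535: the passive one because the client's inbound connection to a high port is not in rule 00615's port list, the active one because the client's reply to MY_IP port 20 is not either, even though rule 00625 lets the server's outbound SYN through.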
From owner-freebsd-security Tue Jun 12 12:27:10 2001
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D97E@goofy.epylon.lan>
From: Jason DiCioccio
To: Jason DiCioccio, 'Marcel Dijk', freebsd-security@freebsd.org
Subject: RE: IPFW almost works now.
Date: Tue, 12 Jun 2001 12:27:03 -0700

Correction: I might have gotten those backwards if YOU are the one running
the FTP server.

--------------
Welcome to the shitty protocol that is: FTP. To use active ftp, you need to
allow connections to all inbound ports above 1024. To allow passive FTP, you
need to allow outbound connections to all ports above 1024. FTP is obsolete,
too bad everyone still uses it though.

Cheers,
-JD-
From owner-freebsd-security Tue Jun 12 12:29:13 2001
Date: Tue, 12 Jun 2001 15:28:56 -0400
From: Jamie Norwood
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <20010612152856.A72299@mushhaven.net>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan>; from Jason.DiCioccio@Epylon.com on Tue, Jun 12, 2001 at 12:25:33PM -0700

On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
>
> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> need to allow connections to all inbound ports above 1024. To allow
> passive FTP, you need to allow outbound connections to all ports
> above 1024. FTP is obsolete, too bad everyone still uses it though.

What do you recommend? SFTP?

Jamie

>
> Cheers,
> - -JD-

From owner-freebsd-security Tue Jun 12 12:41:05 2001
Message-ID: <000f01c0f377$9f325e70$9865fea9@book>
From: "alexus"
To: "Jamie Norwood"
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net>
Subject: Re: IPFW almost works now.
Date: Tue, 12 Jun 2001 15:41:06 -0400

scp and sftp;)

----- Original Message -----
From: "Jamie Norwood"
Sent: Tuesday, June 12, 2001 3:28 PM
Subject: Re: IPFW almost works now.

> On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
> >
> > Welcome to the shitty protocol that is: FTP. To use active ftp, you
> > need to allow connections to all inbound ports above 1024. To allow
> > passive FTP, you need to allow outbound connections to all ports
> > above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> What do you recommend? SFTP?
>
> Jamie
>
> >
> > Cheers,
> > - -JD-

From owner-freebsd-security Tue Jun 12 12:45:04 2001
Message-ID: <01d401c0f378$35e4dc30$0900a8c0@windows>
From: "Marcel Dijk"
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97E@goofy.epylon.lan>
Subject: Re: IPFW almost works now.
Date: Tue, 12 Jun 2001 21:45:18 +0200

Yes, I am the one running the FTP daemon, and I want to access it from my
work but that isn't working. (described below in my other mail.)

Marcel

----- Original Message -----
From: "Jason DiCioccio"
To: "Jason DiCioccio"; "'Marcel Dijk'"
Sent: Tuesday, June 12, 2001 9:27 PM
Subject: RE: IPFW almost works now.

> Correction: I might have gotten those backwards if YOU are the one
> running the FTP server.
>
> --------------
>
> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> need to allow connections to all inbound ports above 1024. To allow
> passive FTP, you need to allow outbound connections to all ports
> above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> Cheers,
> -JD-
>
> -----Original Message-----
> From: Marcel Dijk [mailto:nascar24@home.nl]
> Sent: Tuesday, June 12, 2001 12:12 PM
> To: freebsd-security@freebsd.org
> Subject: IPFW almost works now.
>
> Hello,
>
> Thanks to some advice here and http://freebsddiary.org my IPfirewall
> is almost how I want it now.
>
> Only the ports I want to be open are open now, and I can access the
> services behind these ports. The only problem is FTP. If I try to
> access the FTP daemon on port 5617 from, for example, my work (the FTP
> daemon runs at home) I get an error.
>
> I can connect, I have to give my username and pass. It then
> establishes a connection and tries to execute the LIST command. But
> then I get this error
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command succesfull.
> Connection Lost
> _______________________________________
>
> If I set the firewall wide-open everything works perfectly, but
> of course I don't want a wide open firewall.
>
> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)
>
> Can anyone give me some advice on what the problem is and how I can
> solve it? Just a reminder: all the other services work perfectly with
> this FW configuration.
>
> Marcel

From owner-freebsd-security Tue Jun 12 12:51:30 2001
From: "Derek O'Flynn" To: freebsd-security@freebsd.org Date: Tue, 12 Jun 2001 14:51:17 -0500 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 12 Jun 2001 19:51:17.0951 (UTC) FILETIME=[0BB704F0:01C0F379] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have two machines, one running freebsd 4.0, and one running 4.3. They are physically connected to the same hub (same segment) When running tcpdump or snort on the 4.0 box, I get traffic from a variety of protocols However, when I run tcpdump or snort on the 4.0 box, I get traffic from a variety of protocols, but no tcp protocol traffic. The only time tcp protocol shows up is if I connect to the web server on the 4.3 box from another machine. Strangest thing I've ever seen! Anyway, I thought it might have been cause I did a minimal installation, and maybe something was disabled, so I setup the box again with a full install of everything but X, and the same thing is occurring. I then thought it was the network card, but that can't be cause it is receiving tcp packets, but only those destined for the machine, nothing else on the segment. Is there a setting that causes it to only see it's tcp packets (note: it is seeing icmp/udp/arp packets from other sources) Does anyone know if there's something weird with 4.3 that would cause this? I'm running the 4.3 iso image downloaded from freebsd. It hasn't been modified at all, standard installation. 
_________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 12:53:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f21.law11.hotmail.com [64.4.17.21]) by hub.freebsd.org (Postfix) with ESMTP id 3422D37B40A for ; Tue, 12 Jun 2001 12:53:04 -0700 (PDT) (envelope-from derekoflynn@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 12 Jun 2001 12:53:03 -0700 Received: from 155.58.130.143 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 12 Jun 2001 19:53:03 GMT X-Originating-IP: [155.58.130.143] 
From: "Derek O'Flynn"
To: freebsd-security@freebsd.org
Subject: snort/tcpdump not showing tcp packets
Date: Tue, 12 Jun 2001 14:53:03 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 12 Jun 2001 19:53:03.0983 (UTC) FILETIME=[4AEA37F0:01C0F379]
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I have two machines, one running freebsd 4.0, and one running 4.3. They are
physically connected to the same hub (same segment)

When running tcpdump or snort on the 4.0 box, I get traffic from a variety
of protocols

However, when I run tcpdump or snort on the 4.0 box, I get traffic from a
variety of protocols, but no tcp protocol traffic. The only time tcp
protocol shows up is if I connect to the web server on the 4.3 box from
another machine.

Strangest thing I've ever seen! Anyway, I thought it might have been cause
I did a minimal installation, and maybe something was disabled, so I setup
the box again with a full install of everything but X, and the same thing is
occurring. I then thought it was the network card, but that can't be cause
it is receiving tcp packets, but only those destined for the machine,
nothing else on the segment. Is there a setting that causes it to only see
its tcp packets (note: it is seeing icmp/udp/arp packets from other
sources)

Does anyone know if there's something weird with 4.3 that would cause this?
I'm running the 4.3 iso image downloaded from freebsd. It hasn't been
modified at all, standard installation.
From owner-freebsd-security Tue Jun 12 13:15: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id 13A4937B403 for ; Tue, 12 Jun 2001 13:14:54 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr5.exu.ericsson.se (mr5att.ericy.com [138.85.92.13]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5CKEe818558; Tue, 12 Jun 2001 15:14:44 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr5.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5CKEcR06448; Tue, 12 Jun 2001 15:14:38 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5CKEbG00027; Tue, 12 Jun 2001 16:14:38 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Tue, 12 Jun 2001 16:14:36 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id MY4P5SBA; Tue, 12 Jun 2001 16:14:34 -0400
From: "Antoine Beaupre (LMC)"
To: Jamie Norwood
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3B267827.5090002@lmc.ericsson.se>
Date: Tue, 12 Jun 2001 16:14:31 -0400
Organization: LMC, Ericsson Research Canada
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607
X-Accept-Language: en,fr-CA,fr
MIME-Version: 1.0
Subject: Re: IPFW almost works now.
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Jamie Norwood wrote:
> On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
>
>> Welcome to the shitty protocol that is: FTP. To use active ftp, you
>> need to allow connections to all inbound ports above 1024. To allow
>> passive FTP, you need to allow outbound connections to all ports
>> above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> What do you recommend? SFTP?

IIRC, there's a nice protocol called HTTP that does not have ftp's
limitations. ;)

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Tue Jun 12 13:16:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 01D0337B408 for ; Tue, 12 Jun 2001 13:16:14 -0700 (PDT) (envelope-from keramida@ceid.upatras.gr)
Received: from hades.hell.gr (patr530-a105.otenet.gr [212.205.215.105]) by mailsrv.otenet.gr (8.11.1/8.11.1) with ESMTP id f5CKG9v20744; Tue, 12 Jun 2001 23:16:09 +0300 (EEST)
Received: (from charon@localhost) by hades.hell.gr (8.11.3/8.11.3) id f5CK6PL63040; Tue, 12 Jun 2001 23:06:25 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Tue, 12 Jun 2001 23:06:24 +0300
From: Giorgos Keramidas
To: Eric Anderson
Cc: Ryan , freebsd-security@FreeBSD.ORG
Subject: Re: IPFILTER byte/packet counting
Message-ID: <20010612230624.D62873@hades.hell.gr>
References: <3B24F469.13D59538@centtech.com> <000401c0f2b0$0331dfe0$01000001@mhx800> <3B25259B.404344DA@centtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B25259B.404344DA@centtech.com>; from anderson@centtech.com on Mon, Jun 11, 2001 at 03:10:03PM -0500
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jun 11, 2001 at 03:10:03PM -0500, Eric Anderson wrote:
> Well, I know about this. But what I really need is basically bytes
> passed in/out on a per rule basis. I need to graph (I'll use mrtg) the
> usage per machine behind the transparent firewall (running IPFILTER).

Try running:

    % ipfstat -hnio

The output is probably what you want :-)

-giorgos

From owner-freebsd-security Tue Jun 12 13:19:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-169-175-136.stny.rr.com [24.169.175.136]) by hub.freebsd.org (Postfix) with ESMTP id 2D79A37B409 for ; Tue, 12 Jun 2001 13:18:55 -0700 (PDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.3/8.11.3) with ESMTP id f5CKIn401289; Tue, 12 Jun 2001 16:18:49 -0400 (EDT) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Tue, 12 Jun 2001 16:18:49 -0400 (EDT)
From: Matt Piechota
To: "Derek O'Flynn"
Cc:
Subject: Re: snort/tcpdump not showing tcp packets
In-Reply-To:
Message-ID: <20010612160917.V445-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, 12 Jun 2001, Derek O'Flynn wrote:

> I have two machines, one running freebsd 4.0, and one running 4.3. They are
> physically connected to the same hub (same segment)
>
> When running tcpdump or snort on the 4.0 box, I get traffic from a variety
> of protocols
>
> However, when I run tcpdump or snort on the 4.0 box, I get traffic from a
> variety of protocols, but no tcp protocol traffic. The only time tcp
> protocol shows up is if I connect to the web server on the 4.3 box from
> another machine.

I assume you meant the 4.3 box in the above paragraph?

> Strangest thing I've ever seen! Anyway, I thought it might have been cause
> I did a minimal installation, and maybe something was disabled, so I setup
> the box again with a full install of everything but X, and the same thing is
> occurring. I then thought it was the network card, but that can't be cause
> it is receiving tcp packets, but only those destined for the machine,
> nothing else on the segment. Is there a setting that causes it to only see
> its tcp packets (note: it is seeing icmp/udp/arp packets from other
> sources)
>
> Does anyone know if there's something weird with 4.3 that would cause this?
> I'm running the 4.3 iso image downloaded from freebsd. It hasn't been
> modified at all, standard installation.

I'm running the same release as a dedicated sniffer device on a PC (Intel
EEPro 100B NIC), and an IBM Stinkpad w/3com 3c574-TX NIC. It works
perfectly (as far as I can tell). Could this be a problem with your
specific card/driver and its interaction with the TCPIP stack?
--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Tue Jun 12 13:19:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3A76137B405 for ; Tue, 12 Jun 2001 13:18:54 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEU32P00.TTX; Tue, 12 Jun 2001 13:18:26 -0700
Message-ID: <3B26792B.25950F26@globalstar.com>
Date: Tue, 12 Jun 2001 13:18:51 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Derek O'Flynn
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: snort/tcpdump not showing tcp packets
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Derek O'Flynn wrote:
>
> I have two machines, one running freebsd 4.0, and one running 4.3. They are
> physically connected to the same hub (same segment)

Not sure I understood the mail,

> When running tcpdump or snort on the 4.0 box, I get traffic from a variety
> of protocols
>
> However, when I run tcpdump or snort on the 4.0 box,

OK, are we really talking about the same host?

From what you are describing, are you sure your "hub" isn't really a
switch? Is it a dual-speed hub and the various hosts have different speed
NICs? Try a,

  # tcpdump -en

Do you ever see non-broadcast addresses or traffic not meant for the host?

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any review, dissemination, distribution or copying of this
communication is strictly prohibited.
If you have received this e-mail in error, please contact
postmaster@globalstar.com

From owner-freebsd-security Tue Jun 12 13:28:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [209.16.107.11]) by hub.freebsd.org (Postfix) with ESMTP id CC0CB37B401 for ; Tue, 12 Jun 2001 13:28:00 -0700 (PDT) (envelope-from mistwolf@diarmadhi.mushhaven.net)
Received: (from mistwolf@localhost) by diarmadhi.mushhaven.net (8.11.3/8.11.0) id f5CKRnH73676; Tue, 12 Jun 2001 16:27:49 -0400 (EDT) (envelope-from mistwolf)
Date: Tue, 12 Jun 2001 16:27:49 -0400
From: Jamie Norwood
To: "Antoine Beaupre (LMC)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <20010612162749.A73655@mushhaven.net>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B267827.5090002@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Tue, Jun 12, 2001 at 04:14:31PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jun 12, 2001 at 04:14:31PM -0400, Antoine Beaupre (LMC) wrote:
> Jamie Norwood wrote:
>
> > On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
> >
> >> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> >> need to allow connections to all inbound ports above 1024. To allow
> >> passive FTP, you need to allow outbound connections to all ports
> >> above 1024. FTP is obsolete, too bad everyone still uses it though.
> >
> > What do you recommend? SFTP?
>
> IIRC, there's a nice protocol called HTTP that does not have ftp's
> limitations. ;)

No, it has a host of limitations all its own, not the least of which is
that it is actually less efficient at transferring files, and that it has
limited CLI tools. Remember, not every computer has a monitor, mouse, and
web browser!

I would love to see something quality replace FTP. Maybe SFTP will, but it
is still young, and if SSH is any indication, the only commercial support
for it will be very expensive (i.e., SecureCRT/SecureFX at about $100
each). Yeah, I know about PuTTY, but I don't like it. :)

Jamie

> A.
>
> --
> Semantics is the gravity of abstraction.
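The port behaviour Jason DiCioccio describes in the text quoted above, run against the ruleset Marcel posted at the top of this thread, as an added example (not code from the thread or from FreeBSD): a small first-match simulator for the ipfw rule subset Marcel used, with check-state/keep-state support so that the stateful variant suggested later in the thread can be compared against the posted rules. It assumes made-up addresses for MY_IP and the client, that ftpd runs on the firewall host itself (MY_IP), that natd is not involved (a diverted packet simply continues down the list), and a passive data-port range of 49152-65535 (verify against ftpd(8) and net.inet.ip.portrange on your own system).

```python
"""First-match simulation of the ipfw(8) rule subset used in this thread (added example, not
code from the thread).  Assumed: the MY_IP/CLIENT addresses, ftpd on the firewall host
itself, and no natd, so a diverted packet simply continues down the rule list."""
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

MY_IP, CLIENT = "203.0.113.5", "198.51.100.7"   # assumed server (home) and client (work)
OPTIONS = {"via", "setup", "keep-state"}
Packet = namedtuple("Packet", "proto src sport dst dport setup", defaults=(False,))  # setup: a SYN

def parse_ports(spec):
    """'22,5617,10000' or '49152-65535' -> inclusive (low, high) ranges."""
    return [(int(p.partition("-")[0]), int(p.partition("-")[2] or p)) for p in spec.split(",")]

def parse_rule(line):
    # '<num> <action> [divert port] <proto> from <src> [ports] to <dst> [ports] [options]'
    t = line.replace("MY_IP", MY_IP).split()
    r = SimpleNamespace(number=int(t[0]), action=t[1], proto="ip", src="any", dst="any",
                        sports=[], dports=[], via="", setup=False, keep_state=False)
    if r.action == "check-state":
        return r
    i = 3 if r.action == "divert" else 2
    r.proto, r.src, i = t[i], t[i + 2], i + 3
    if t[i] != "to":
        r.sports, i = parse_ports(t[i]), i + 1
    r.dst, i = t[i + 1], i + 2
    if i < len(t) and t[i] not in OPTIONS:
        r.dports, i = parse_ports(t[i]), i + 1
    opts = t[i:]
    r.via = opts[opts.index("via") + 1] if "via" in opts else ""
    r.setup, r.keep_state = "setup" in opts, "keep-state" in opts   # SYN-only match; keeps state
    return r

_addr_ok = lambda spec, a: spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)
_port_ok = lambda ranges, p: not ranges or any(lo <= p <= hi for lo, hi in ranges)

def matches(rule, pkt):
    # every simulated packet crosses ed0, so a 'via lo0' rule never applies
    if rule.via not in ("", "ed0") or (rule.proto != "ip" and rule.proto != pkt.proto):
        return False
    if rule.setup and not pkt.setup:
        return False
    return (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sports, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dports, pkt.dport))

class Firewall:
    def __init__(self, ruleset):
        self.rules = sorted(map(parse_rule, ruleset.strip().splitlines()), key=lambda r: r.number)
        self.dynamic = {}   # (proto, src, sport, dst, dport) -> number of the rule that created it

    def lookup(self, pkt):
        """Return (rule number, action) of the first rule that decides the packet."""
        fwd, rev = pkt[:5], (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for rule in self.rules:
            if rule.action == "check-state" or rule.keep_state:
                # check-state (and implicitly every keep-state rule) consults the dynamic table
                # first; a hit in either direction is accepted on behalf of the creating rule
                for key in (fwd, rev):
                    if key in self.dynamic:
                        return self.dynamic[key], "allow"
            if rule.action in ("check-state", "divert") or not matches(rule, pkt):
                continue
            if rule.keep_state:
                self.dynamic[fwd] = rule.number
            return rule.number, rule.action
        raise AssertionError("rule 65535 always matches")

POSTED_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
"""
# Stateful variant: the control port, the server's port-20 data connections and an assumed
# passive range (49152-65535; check ftpd(8) and net.inet.ip.portrange on your box) keep state,
# so the reply packets of those connections are accepted at check-state instead of at 65535.
STATEFUL_RULES = POSTED_RULES.replace(
    "00615 allow tcp from any to MY_IP 22,5617,10000",
    "00500 check-state\n"
    "00615 allow tcp from any to MY_IP 22,5617,10000 setup keep-state\n"
    "00620 allow tcp from MY_IP 20 to any setup keep-state\n"
    "00630 allow tcp from any to MY_IP 49152-65535 setup keep-state")

def ftp_verdicts(ruleset, passive_port=50000):
    """Run the control connection and both data-connection styles through the rules."""
    fw = Firewall(ruleset)
    flows = [("control_syn",   Packet("tcp", CLIENT, 40000, MY_IP, 5617, True)),
             ("control_reply", Packet("tcp", MY_IP, 5617, CLIENT, 40000)),
             ("active_syn",    Packet("tcp", MY_IP, 20, CLIENT, 40001, True)),
             ("active_reply",  Packet("tcp", CLIENT, 40001, MY_IP, 20)),
             ("passive_syn",   Packet("tcp", CLIENT, 40002, MY_IP, passive_port, True))]
    return {name: fw.lookup(pkt) for name, pkt in flows}
```

With the posted rules the control connection on 5617 is accepted by rule 615 and the server's outbound SYN from port 20 by rule 625, but the reply half of that active data connection (client to MY_IP port 20) and a passive data connection (client to a high port on MY_IP) match nothing before 65535 and are dropped; with keep-state on the control, port-20 and passive rules, check-state accepts the reply packets and all five flows pass. If the server instead sits behind natd on a 192.168.x address, rules 850/900 and natd's own handling of the FTP PORT/PASV exchange change the picture; the simulator does not model that.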
From owner-freebsd-security Tue Jun 12 13:33:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f184.law11.hotmail.com [64.4.17.184]) by hub.freebsd.org (Postfix) with ESMTP id A262E37B401 for ; Tue, 12 Jun 2001 13:33:51 -0700 (PDT) (envelope-from derekoflynn@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 12 Jun 2001 13:33:51 -0700
Received: from 155.58.130.143 by lw11fd.law11.hotmail.msn.com with HTTP; Tue, 12 Jun 2001 20:33:51 GMT
X-Originating-IP: [155.58.130.143]
From: "Derek O'Flynn"
To: piechota@argolis.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: snort/tcpdump not showing tcp packets
Date: Tue, 12 Jun 2001 15:33:51 -0500
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 12 Jun 2001 20:33:51.0557 (UTC) FILETIME=[FDC85F50:01C0F37E]
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Marc,

Same type of NIC in both machines, 3com 3c595 fast etherlink III PCI
Both connected to a 10bT 3com hub.

It might be something with the card. I have some isa nic cards I can try,
and my new token ring card just arrived, but of course, I have to rebuild
the kernel to add token ring support :(

Derek
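Crist Clark's `tcpdump -en` check from earlier in this thread, turned into a script as an added example (not code from the thread): it classifies the Ethernet destination of every frame and reports whether unicast traffic between two other hosts is visible, which only happens on a genuinely shared medium; seeing nothing but broadcast, multicast and your own frames is what a switched port (or a NIC that is not in promiscuous mode) looks like. The sample capture is constructed to resemble `tcpdump -en` output (the last line in the older two-address layout) and OUR_MAC is an assumed address for the sniffing host.

```python
"""Classify the Ethernet destinations in `tcpdump -en` output to tell whether the sniffer
really sees a shared segment.  Added example, not from the thread; the sample capture is
constructed and OUR_MAC is an assumed address."""
import re

# Link-layer prefix of a `tcpdump -en` line.  Modern tcpdump prints "<time> <src> > <dst>,
# ethertype ..."; older versions printed "<time> <src> <dst> <type> <len>:".  Both are accepted.
FRAME_RE = re.compile(r"^\S+\s+([0-9a-fA-F:]+)\s+(?:>\s+)?([0-9a-fA-F:]+),?\s")

def norm(mac):
    """Zero-pad each octet so '0:60:8:aa:bb:cc' and '00:60:08:aa:bb:cc' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def is_group(mac):
    """Broadcast and multicast frames have the I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(lines, our_mac):
    """Count frames by what their destination tells us about the segment."""
    counts = dict(to_us=0, from_us=0, group=0, foreign_unicast=0, unparsed=0)
    our = norm(our_mac)
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = norm(m.group(1)), norm(m.group(2))
        if dst == our:
            counts["to_us"] += 1
        elif src == our:
            counts["from_us"] += 1
        elif is_group(dst):
            counts["group"] += 1
        else:
            counts["foreign_unicast"] += 1     # unicast between two other hosts
    return counts

def verdict(counts):
    """Unicast between other hosts is only visible on a truly shared medium."""
    if counts["foreign_unicast"]:
        return "shared segment: unicast between other hosts is visible"
    if counts["group"]:
        return "only broadcast/multicast plus our own traffic: switched port or NIC not promiscuous"
    return "no frames from other hosts at all: check the interface and the capture filter"

OUR_MAC = "00:60:08:dd:dd:dd"   # the sniffing host (assumed)

# Constructed sample in the shape of `tcpdump -en` output; the last line uses the older layout.
HUB_CAPTURE = """\
16:18:49.100001 00:60:08:aa:aa:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.7 tell 10.0.0.5, length 46
16:18:49.100002 00:60:08:aa:aa:aa > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 10.0.0.5 > 224.0.0.1: igmp query v2
16:18:49.100003 00:60:08:bb:bb:bb > 00:60:08:cc:cc:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.9.2049 > 10.0.0.11.3456: Flags [S.], seq 1, ack 2, win 8192, length 0
16:18:49.100004 00:60:08:aa:aa:aa > 00:60:08:dd:dd:dd, ethertype IPv4 (0x0800), length 60: 10.0.0.5.3333 > 10.0.0.7.80: Flags [S], seq 0, win 8192, length 0
16:18:49.100005 0:60:8:dd:dd:dd 0:60:8:aa:aa:aa 0800 60: 10.0.0.7.80 > 10.0.0.5.3333: S 1:1(0) ack 1 win 8192
"""
# The symptom from the thread: the same segment minus the unicast between two other hosts.
SWITCHED_CAPTURE = "\n".join(l for l in HUB_CAPTURE.splitlines() if "00:60:08:cc:cc:cc" not in l)

def analyze(text, our_mac=OUR_MAC):
    counts = classify(text.splitlines(), our_mac)
    return counts, verdict(counts)

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else HUB_CAPTURE
    print(*analyze(text), sep="\n")
```

Feed it real output with something like `tcpdump -eni ed0 -c 500 | python3 hub_or_switch.py` (script name assumed). If the verdict is the "switched port or NIC not promiscuous" one, confirm that `ifconfig` shows the PROMISC flag on the interface while tcpdump is running and that tcpdump was not started with `-p`, which disables promiscuous mode; if promiscuous mode is on and you still never see unicast between other hosts, the device in the middle is forwarding per port, whatever its label says.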
>From: Matt Piechota
>To: "Derek O'Flynn"
>CC:
>Subject: Re: snort/tcpdump not showing tcp packets
>Date: Tue, 12 Jun 2001 16:18:49 -0400 (EDT)
>
>On Tue, 12 Jun 2001, Derek O'Flynn wrote:
>
> > I have two machines, one running freebsd 4.0, and one running 4.3. They
> > are physically connected to the same hub (same segment)
> >
> > When running tcpdump or snort on the 4.0 box, I get traffic from a
> > variety of protocols
> >
> > However, when I run tcpdump or snort on the 4.0 box, I get traffic from
> > a variety of protocols, but no tcp protocol traffic. The only time tcp
> > protocol shows up is if I connect to the web server on the 4.3 box from
> > another machine.
>
>I assume you meant the 4.3 box in the above paragraph?
>
> > Strangest thing I've ever seen! Anyway, I thought it might have been
> > cause I did a minimal installation, and maybe something was disabled, so
> > I setup the box again with a full install of everything but X, and the
> > same thing is occurring. I then thought it was the network card, but
> > that can't be cause it is receiving tcp packets, but only those destined
> > for the machine, nothing else on the segment. Is there a setting that
> > causes it to only see its tcp packets (note: it is seeing icmp/udp/arp
> > packets from other sources)
> >
> > Does anyone know if there's something weird with 4.3 that would cause
> > this? I'm running the 4.3 iso image downloaded from freebsd. It hasn't
> > been modified at all, standard installation.
>
>I'm running the same release as a dedicated sniffer device on a PC (Intel
>EEPro 100B NIC), and an IBM Stinkpad w/3com 3c574-TX NIC. It works
>perfectly (as far as I can tell). Could this be a problem with your
>specific card/driver and its interaction with the TCPIP stack?
>
>--
>Matt Piechota
>Finger piechota@emailempire.com for PGP key
>AOL IM: cithaeron
>

From owner-freebsd-security Tue Jun 12 13:34:47 2001
Delivered-To: freebsd-security@freebsd.org
Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 0A5BC37B401 for ; Tue, 12 Jun 2001 13:34:39 -0700 (PDT) (envelope-from veldy@veldy.net)
Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id C4168BAA7; Tue, 12 Jun 2001 15:34:36 -0500 (CDT)
Message-ID: <01fe01c0f37e$c5948e10$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Jason DiCioccio"
Cc:
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan>
Subject: Re: IPFW almost works now.
Date: Tue, 12 Jun 2001 15:32:15 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

No you don't. My servers run fine for active and I DON'T allow access to
all inbound above 1024. Open up tcp/20 and tcp/21 statefully and you will
be rocking and rolling.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Jason DiCioccio"
To: "'Marcel Dijk'" ;
Sent: Tuesday, June 12, 2001 2:25 PM
Subject: RE: IPFW almost works now.


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> need to allow connections to all inbound ports above 1024. To allow
> passive FTP, you need to allow outbound connections to all ports
> above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> Cheers,
> - -JD-
>
>
>
> - -----Original Message-----
> From: Marcel Dijk [mailto:nascar24@home.nl]
> Sent: Tuesday, June 12, 2001 12:12 PM
> To: freebsd-security@freebsd.org
> Subject: IPFW almost works now.
>
>
> Hello,
>
> Thanks to some advice here and http://freebsddiary.org my IP firewall is
> almost how I want it now.
>
> Only the ports I want to be open are open now, and I can access the
> services behind these ports. The only problem is FTP. If I try to access
> the FTP daemon on port 5617 from, for example, my work (the FTP daemon
> runs at home) I get an error.
>
> I can connect, I have to give my username and pass. It then establishes
> a connection and tries to execute the LIST command. But then I get this
> error:
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command successful.
> Connection Lost
> _______________________________________
>
> If I set the firewall wide open everything works perfectly, but of
> course I don't want a wide-open firewall.
>
> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)
>
> Can anyone give me some advice on what the problem is and how I can
> solve it. Just a reminder: all the other services work perfectly with
> this FW configuration.
> > Marcel
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use
>
> iQA/AwUBOyZtXlCmU62pemyaEQJaLwCfbnpgCZAxYcr0kw+S9EAmD72AIt0An1ML
> VsjpyCAbVE/YVGtFK3wi6cBW
> =18Ea
> -----END PGP SIGNATURE-----
>

From owner-freebsd-security Tue Jun 12 13:43:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by hub.freebsd.org (Postfix) with ESMTP id AE13337B401 for ; Tue, 12 Jun 2001 13:43:23 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr7.exu.ericsson.se (mr7u3.ericy.com [208.237.135.122]) by imr1.ericy.com (8.11.3/8.11.3) with ESMTP id f5CKhFa09050; Tue, 12 Jun 2001 15:43:15 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr7.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5CKhEU29561; Tue, 12 Jun 2001 15:43:14 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5CKhDG02027; Tue, 12 Jun 2001 16:43:13 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Tue, 12 Jun 2001 16:43:12 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id MY4P5ST4; Tue, 12 Jun 2001 16:43:08 -0400
From: "Antoine Beaupre (LMC)"
To: "Thomas T. Veldhouse"
Cc: Jason DiCioccio , freebsd-security@FreeBSD.ORG
Message-ID: <3B267EDA.9070605@lmc.ericsson.se>
Date: Tue, 12 Jun 2001 16:43:06 -0400
Organization: LMC, Ericsson Research Canada
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607
X-Accept-Language: en,fr-CA,fr
MIME-Version: 1.0
Subject: Re: IPFW almost works now.
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thomas T. Veldhouse wrote:
> No you don't. My servers run fine for active and I DON'T allow access to
> all inbound above 1024.

But you do need to allow outbound above 1024, right?

> Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.

yee-ha.

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Tue Jun 12 13:44:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id C0A1837B403 for ; Tue, 12 Jun 2001 13:44:05 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA93356; Tue, 12 Jun 2001 16:44:02 -0400 (EDT) (envelope-from wollman)
Date: Tue, 12 Jun 2001 16:44:02 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200106122044.QAA93356@khavrinen.lcs.mit.edu>
To: Jamie Norwood
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
In-Reply-To: <20010612162749.A73655@mushhaven.net>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net>
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< said:

> No, it has a host of limitations all its own, not the least of which is
> that it is actually less efficient at transferring files,

Balderdash! HTTP and TCP both send files over identical TCP
connections, which makes them equally efficient. There really is no
reason for FTP to continue to exist (but yet it does).

-GAWollman

From owner-freebsd-security Tue Jun 12 13:45:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 8F15B37B401 for ; Tue, 12 Jun 2001 13:45:42 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA93382; Tue, 12 Jun 2001 16:45:37 -0400 (EDT) (envelope-from wollman)
Date: Tue, 12 Jun 2001 16:45:37 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200106122045.QAA93382@khavrinen.lcs.mit.edu>
To: Jamie Norwood
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
In-Reply-To: <200106122044.QAA93356@khavrinen.lcs.mit.edu>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu>
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

< Balderdash! HTTP and TCP both send files over identical TCP

Make that ``HTTP and FTP''.... Damn finger macros....

-GAWollman

From owner-freebsd-security Tue Jun 12 13:49:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [209.16.107.11]) by hub.freebsd.org (Postfix) with ESMTP id 2908A37B407 for ; Tue, 12 Jun 2001 13:49:23 -0700 (PDT) (envelope-from mistwolf@diarmadhi.mushhaven.net)
Received: (from mistwolf@localhost) by diarmadhi.mushhaven.net (8.11.3/8.11.0) id f5CKnGD73996; Tue, 12 Jun 2001 16:49:16 -0400 (EDT) (envelope-from mistwolf)
Date: Tue, 12 Jun 2001 16:49:16 -0400
From: Jamie Norwood
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <20010612164916.A73904@mushhaven.net>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200106122044.QAA93356@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Jun 12, 2001 at 04:44:02PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jun 12, 2001 at 04:44:02PM -0400, Garrett Wollman wrote:
> < said:
>
> > No, it has a host of limitations all its own, not the least of which is
> > that it is actually less efficient at transferring files,
>
> Balderdash! HTTP and TCP both send files over identical TCP
> connections, which makes them equally efficient. There really is no
> reason for FTP to continue to exist (but yet it does).

OK, even not arguing the point, they are still quite different
applications. FTP still very much serves a purpose. For one thing,
uploading via HTTP is excessively non-trivial. For another, while Lynx and
Links are well and good, browsing files from a text-only medium is also
non-useful with the current implementations of HTTP. Sure, when I am at a
desktop, I use Netscrape/Exploder/Moz-ill-a to browse FTP sites, but it
isn't feasible when I am looking on gnu.org for the source code to
gcc/make/whatnot.
Jamie

> -GAWollman
>

From owner-freebsd-security Tue Jun 12 13:52:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id 79EB637B405 for ; Tue, 12 Jun 2001 13:52:12 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr7.exu.ericsson.se (mr7att.ericy.com [138.85.92.15]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5CKq8805404; Tue, 12 Jun 2001 15:52:08 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr7.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5CKq7U02400; Tue, 12 Jun 2001 15:52:07 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5CKq6G02545; Tue, 12 Jun 2001 16:52:06 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Tue, 12 Jun 2001 16:52:05 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id MY4P5SX9; Tue, 12 Jun 2001 16:52:00 -0400
From: "Antoine Beaupre (LMC)"
To: Jamie Norwood
Cc: freebsd-security@FreeBSD.ORG
Message-ID: <3B2680EB.9040007@lmc.ericsson.se>
Date: Tue, 12 Jun 2001 16:51:55 -0400
Organization: LMC, Ericsson Research Canada
Subject: OT: yet another discussion FTP vs HTTP (was: IPFW almost works now.)
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net>

Jamie Norwood wrote:
> On Tue, Jun 12, 2001 at 04:14:31PM -0400, Antoine Beaupre (LMC) wrote:
>
>> Jamie Norwood wrote:
>>
>>> On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
>>>
>>>> Welcome to the shitty protocol that is: FTP. To use active ftp, you
>>>> need to allow connections to all inbound ports above 1024. To allow
>>>> passive FTP, you need to allow outbound connections to all ports
>>>> above 1024. FTP is obsolete, too bad everyone still uses it though.
>>>>
>>> What do you recommend? SFTP?
>>
>> IIRC, there's a nice protocol called HTTP that does not have ftp's limitations. ;)
>
> No, it has a host of limitations all its own, not the least of which is
> that it is actually less efficient at transferring files,

I heard a few things regarding that, all contradictory. :) Could you give me
a few examples/explanations/references as to why it is less efficient? I'd be
curious.

> and that it has limited CLI tools.

I think that would be the biggest limitation. HTTP could technically override
FTP's functionalities using the PUT and DELETE actions, but the only clients
actually implementing this functionality are either dead (netscape 3) or
forgotten (amaya). :)

> Remember, not every computer has a monitor, mouse, and
> web browser!

Yeah... but every computer should at least have something like
lynx/links/w3m/wget/fetch/whatever...

You don't need a fully featured web browser to download/upload files to a
webserver. Only to display them. Same for ftp.

> I would love to see something quality replace FTP. Maybe SFTP will, but it
> is still young, and if SSH is any indication, the only commercial support
> for it will be very expensive (IE, SecureCRT/SecureFX at about $100 each).

SFTP is not really an alternative. From what I understand, it is only built
over ssh and therefore needs a corresponding shell account (if you exclude
the RSA auth).

It is surprising we (the internet community) haven't come up with a viable
replacement.

> Yeah, I know about PuTTY, but I don't like it. :)

Well, it's better than almost anything else on windoze. ;)

A.

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Tue Jun 12 13:53:18 2001
Message-ID: <40B05F13113ED411A91E00D0B71A7DAC127369@durban.sea.com>
From: John Keck
To: "'Robin Huiser'", freebsd-security@FreeBSD.ORG
Subject: RE: ipfw, natd and routing question
Date: Tue, 12 Jun 2001 13:57:03 -0700

The first case diverts incoming packets for the DMZ, which you don't want.
The second case fails to divert response packets for the inside, which you
do want. Try:

  ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to not x.x.242.48:255.255.255.240 via ${natd_interface}

Hope this helps...

J. Keck
NextLeft, Inc.
San Diego, CA  USA
jkeck@nextleft.com

-----Original Message-----
From: Robin Huiser [mailto:robin@bequbed.com]
Sent: Monday, June 11, 2001 7:47 AM
To: freebsd-security@FreeBSD.ORG
Subject: FW: ipfw, natd and routing question

Hi all,

I hope someone can help me with this problem I'm trying to solve. I think
the answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                               -- DMZ
                              /
               EXT--FIREWALL---
                              \
                               -- LAN

- The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
- The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
- The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet.
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet.

So far, so good.

But... how do I prevent the NAT from 'translating' the IP addresses when a
session is set up from the DMZ segment to a host somewhere on the Internet?
I want all traffic to be routed from the DMZ subnet to the Internet...

I've tried to alter the natd rule, without any success. The rules I tried
didn't work or had bad side effects, so I moved back to the standard natd
rule, but everything gets NAT-ed now...

Some examples I tried:

#
# The rule below works, but it causes TCP/IP timeouts and a *very* slow
# connection between the DMZ and EXT subnets...
#
${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

#
# The rule below doesn't work at all (?) Don't know why...
#
${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}

Please advise...

Cheers -- Robin

__________________________________________________________________
Robin Huiser                         robin@bequbed.com
BeQubed N.V.                         http://www.bequbed.com

Veenwal 130                          tel:   +31 (30) 6023 626 (OFFICE)
3432 ZE                                     +31 (6) 2061 9842 (MOBILE)
Nieuwegein                           fax:   +31 (30) 6586 090
The Netherlands
__________________________________________________________________

======================Confidential Disclaimer=====================
The information contained in this communication is confidential and is
intended solely for the use of the individual or entity to whom it is
addressed. You should not copy, disclose or distribute this communication
without the authority of BeQubed N.V. BeQubed is neither liable for the
proper and complete transmission of the information contained in this
communication nor for any delay in its receipt. BeQubed does not guarantee
that the integrity of this communication has been maintained nor that the
communication is free of viruses, interceptions or interference.

If you are not the intended recipient of this communication please return
the communication to the sender and delete and destroy all copies.

In carrying out its engagements, BeQubed applies general terms and
conditions, which contain a clause that limits its liability. A copy of
these terms and conditions is available on request free of charge.
==================================================================
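As an added example (not from the thread), a small Python model of how the three divert rules above classify traffic on the external interface: it parses ipfw-style address operands, including "not" and the addr:mask form, and reports which of four traffic classes each rule would hand to natd. The x.x.242 prefix is masked on the page, so the documentation range 198.51.100.0/24 stands in for it, the firewall's external address is taken as 198.51.100.33, and the interface name fxp0 is assumed.

```python
import ipaddress

# Constructed stand-ins: the thread masks its public prefix as "x.x.242", so
# the documentation range 198.51.100.0/24 is used in its place (assumption).
DMZ = "198.51.100.48:255.255.255.240"   # thread: x.x.242.48/240
LAN = "192.168.1.0:255.255.255.0"       # thread: 192.168.1.0/24
NATD_IF = "fxp0"                        # ${natd_interface}; name assumed

# The three "divert natd" rules discussed in the thread, without ${fwcmd}.
RULES = {
    "robin_1": f"add divert natd all from not {DMZ} to any via {NATD_IF}",
    "robin_2": f"add divert natd all from {LAN} to any via {NATD_IF}",
    "keck":    f"add divert natd all from not {DMZ} to not {DMZ} via {NATD_IF}",
}

# Constructed packets as seen on the external interface: (label, src, dst).
# 203.0.113.7 is an arbitrary Internet host; 198.51.100.33 is the firewall's
# own external address (inside x.x.242.32/240 in the thread), which is what
# natd rewrites LAN sources to and what the replies are addressed to.
PACKETS = [
    ("lan_to_internet",       "192.168.1.10",  "203.0.113.7"),    # must be translated
    ("internet_reply_to_lan", "203.0.113.7",   "198.51.100.33"),  # must be un-translated
    ("dmz_to_internet",       "198.51.100.50", "203.0.113.7"),    # must be routed as-is
    ("internet_to_dmz",       "203.0.113.7",   "198.51.100.50"),  # must be routed as-is
]
WANTED = {"lan_to_internet": True, "internet_reply_to_lan": True,
          "dmz_to_internet": False, "internet_to_dmz": False}


def parse_addr(tokens):
    """Parse an ipfw address operand ('any', 'a.b.c.d', 'a.b.c.d:mask',
    each optionally preceded by 'not') into (negated, network-or-None)."""
    negated = tokens[0] == "not"
    if negated:
        tokens = tokens[1:]
    if len(tokens) != 1:
        raise ValueError(f"unsupported address operand: {tokens}")
    spec = tokens[0]
    if spec == "any":
        return negated, None
    # ipfw writes addr:mask; ipaddress accepts addr/mask with a dotted mask
    net = ipaddress.ip_network(spec.replace(":", "/"), strict=False)
    return negated, net


def parse_rule(rule):
    """Split 'add divert natd all from SRC to DST via IFACE' into its parts."""
    tok = rule.split()
    src = parse_addr(tok[tok.index("from") + 1:tok.index("to")])
    dst = parse_addr(tok[tok.index("to") + 1:tok.index("via")])
    return {"src": src, "dst": dst, "iface": tok[tok.index("via") + 1]}


def addr_matches(operand, ip):
    negated, net = operand
    hit = net is None or ipaddress.ip_address(ip) in net
    return hit != negated          # 'not' inverts the match


def rule_matches(rule, src, dst, iface):
    return (iface == rule["iface"]
            and addr_matches(rule["src"], src)
            and addr_matches(rule["dst"], dst))


def divert_matrix(rule_text, packets=PACKETS, iface=NATD_IF):
    """Which of the sample packets the rule would hand to natd."""
    rule = parse_rule(rule_text)
    return {label: rule_matches(rule, src, dst, iface) for label, src, dst in packets}


def mistakes(rule_text):
    """Labels of packets the rule diverts but should not, or fails to divert."""
    got = divert_matrix(rule_text)
    return sorted(label for label in WANTED if got[label] != WANTED[label])


if __name__ == "__main__":
    for name, text in RULES.items():
        print(f"{name}: {text}")
        for label, hit in divert_matrix(text).items():
            flag = "" if hit == WANTED[label] else "   <-- wrong"
            print(f"    {label:22s} divert={hit!s:5s}{flag}")
```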

From owner-freebsd-security Tue Jun 12 13:54: 1 2001
Date: Tue, 12 Jun 2001 16:53:48 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200106122053.QAA29678@giganda.komkon.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
In-Reply-To: <000f01c0f377$9f325e70$9865fea9@book>

> From: "alexus"
> Subject: Re: IPFW almost works now.
> Date: Tue, 12 Jun 2001 15:41:06 -0400
>
> scp and sftp;)
>
AFAIK, neither of them offers an anonymous ftp access.

> > Jamie Norwood wrote:
> >
> > > On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote:
> > >
> > >> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> > >> need to allow connections to all inbound ports above 1024. To allow
> > >> passive FTP, you need to allow outbound connections to all ports
> > >> above 1024. FTP is obsolete, too bad everyone still uses it though.
> > >
> > > What do you recommend? SFTP?
> >
> > IIRC, there's a nice protocol called HTTP that does not have ftp's limitations. ;)

HTTP has problems with anonymous uploads (sometimes those are needed, despite
possible hazards associated with that). In any case, as somebody already
noted, http has much more problems in effectiveness of transfer due to an
overhead.
Also, most of the web browsers do not have some capabilities like those
offered by, say, ncftp, or similar Windows ftp clients, where you can
transfer the whole directory tree.

Igor

From owner-freebsd-security Tue Jun 12 13:58:21 2001
Date: Tue, 12 Jun 2001 16:58:14 -0400
From: Jamie Norwood
To: "Antoine Beaupre (LMC)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW almost works now.)
Message-ID: <20010612165814.B74054@mushhaven.net>
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <3B2680EB.9040007@lmc.ericsson.se>
In-Reply-To: <3B2680EB.9040007@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Tue, Jun 12, 2001 at 04:51:55PM -0400

> > No, it has a host of limitations all its own, not the least of which is
> > that it is actually less efficient at transferring files,
>
> I heard a few things regarding that, all contradictory. :) Could you
> give me a few examples/explanations/references as to why it is less
> efficient? I'd be curious.

I have to admit I have nothing on hand, so will concede that battle for lack
of ammunition. I could easily be wrong.

> > and that it has limited CLI tools.
>
> I think that would be the biggest limitation. HTTP could technically
> override FTP's functionalities using the PUT and DELETE actions, but the
> only clients actually implementing this functionality are either dead
> (netscape 3) or forgotten (amaya). :)

The question is why bother? If, as you say above, there is no difference
between the two other than interface, what makes HTTP better than FTP?
FTP has suited well for CLI work for many years. (Continued below)

> > Remember, not every computer has a monitor, mouse, and
> > web browser!
>
> Yeah... but every computer should at least have something like
> lynx/links/w3m/wget/fetch/whatever...
>
> You don't need a fully featured web browser to download/upload files to
> a webserver. Only to display them. Same for ftp.

But they make it unnecessarily convoluted to browse for wanted files. HTTP is
not, in this case, an adequate substitute for FTP. Yes, these methods .work.,
but are more of a kludge than anything.

> > I would love to see something quality replace FTP. Maybe SFTP will, but it
> > is still young, and if SSH is any indication, the only commercial support
> > for it will be very expensive (IE, SecureCRT/SecureFX at about $100 each).
>
> SFTP is not really an alternative. From what I understand, it is only
> built over ssh and therefore needs a corresponding shell account (if you
> exclude the RSA auth).

SFTP is only needed over FTP in circumstances where security is needed, which
is any time a password is involved. Anonymous FTP doesn't need SFTP.

> It is surprising we (the internet community) haven't come up with a
> viable replacement.

No, it isn't, because I don't really think there is a need for an elaborate
replacement. What is so broken about FTP?

> > Yeah, I know about PuTTY, but I don't like it. :)
>
> Well, it's better than almost anything else on windoze. ;)

Well, AbsoluteFTP and SecureCRT are much better (IMHO. For many purposes,
they are of similar power level), but cost an arm and a leg because Vandyke
aims at business customers not end-users.

Jamie

> A.
>
> --
> Semantics is the gravity of abstraction.

From owner-freebsd-security Tue Jun 12 14: 3:19 2001
From: "Antoine Beaupre (LMC)"
To: Jamie Norwood
Cc: Garrett Wollman, freebsd-security@FreeBSD.ORG
Message-ID: <3B268359.70202@lmc.ericsson.se>
Date: Tue, 12 Jun 2001 17:02:17 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: IPFW almost works now.
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu> <20010612164916.A73904@mushhaven.net>

Jamie Norwood wrote:
> On Tue, Jun 12, 2001 at 04:44:02PM -0400, Garrett Wollman wrote:
>
>> < said:
>> Balderdash! HTTP and TCP both send files over identical TCP
>> connections, which makes them equally efficient. There really is no
>> reason for FTP to continue to exist (but yet it does).

Actually...

> OK, even not arguing the point, they are still quite different applications.

This is it. The only reason why FTP still exists is because there is no
"standard" command-line HTTP client that can be used as an FTP client. Same
thing on the server side. Although you have mod_put for apache. ;)

> FTP still very much serves a purpose. For one thing, uploading via HTTP is
> excessively non-trivial.

Why? Because (almost) no software was written with that application in mind.

While I would gladly let FTP die in favor of a cleaner (HTTP) and more secure
(HTTPS) alternative, it does indeed serve a purpose: legacy.

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Tue Jun 12 14: 9:33 2001
From: "Antoine Beaupre (LMC)"
To: Jamie Norwood
Cc: "Antoine Beaupre (LMC)", freebsd-security@FreeBSD.ORG
Message-ID: <3B2684EC.2010205@lmc.ericsson.se>
Date: Tue, 12 Jun 2001 17:09:00 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW almost works now.)
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <3B2680EB.9040007@lmc.ericsson.se> <20010612165814.B74054@mushhaven.net>

Jamie Norwood wrote:
>>> No, it has a host of limitations all its own, not the least of which is
>>> that it is actually less efficient at transferring files,
>>>
>> I heard a few things regarding that, all contradictory. :) Could you
>> give me a few examples/explanations/references as to why it is less
>> efficient? I'd be curious.
>
> I have to admit I have nothing on hand, so will concede that battle for lack
> of ammunition. I could easily be wrong.

Yay! ;)

>>> and that it has limited CLI tools.
>>>
>> I think that would be the biggest limitation. HTTP could technically
>> override FTP's functionalities using the PUT and DELETE actions, but the
>> only clients actually implementing this functionality are either dead
>> (netscape 3) or forgotten (amaya). :)
>
> The question is why bother? If, as you say above, there is no difference
> between the two other than interface, what makes HTTP better than FTP?
> FTP has suited well for CLI work for many years. (Continued below)

One less data connection. :)

Actually, I think I agree with you on a few points, see below.

>>> Remember, not every computer has a monitor, mouse, and
>>> web browser!
>>>
>> Yeah... but every computer should at least have something like
>> lynx/links/w3m/wget/fetch/whatever...
>>
>> You don't need a fully featured web browser to download/upload files to
>> a webserver. Only to display them. Same for ftp.
>
> But they make it unnecessarily convoluted to browse for wanted files. HTTP is
> not, in this case, an adequate substitute for FTP. Yes, these methods .work.,
> but are more of a kludge than anything.

Exactly. That is what I was looking for. Browsing of files over HTTP is
"patchy". Some kind of workaround involving HTML. It sucks. :)

>>> I would love to see something quality replace FTP. Maybe SFTP will, but it
>>> is still young, and if SSH is any indication, the only commercial support
>>> for it will be very expensive (IE, SecureCRT/SecureFX at about $100 each).
>>>
>> SFTP is not really an alternative. From what I understand, it is only
>> built over ssh and therefore needs a corresponding shell account (if you
>> exclude the RSA auth).
>
> SFTP is only needed over FTP in circumstances where security is needed, which
> is any time a password is involved.

I think you misunderstood. If you need to allow ftp access, *securely*, you
must use sftp, and then, you must provide the user with a shell account,
which is by definition a higher security risk, unless you disable the shell
account and use only RSA auth. Which is completely user-unfriendly.

> Anonymous FTP doesn't need SFTP.

Agreed. Anonymous FTP still rocks. But then again... why have a root process
running for anonymous ftp? :)

>> It is surprising we (the internet community) haven't come up with a
>> viable replacement.
>
> No, it isn't, because I don't really think there is a need for an elaborate
> replacement. What is so broken about FTP?

I must admit I do not have pretty strong ammo against ftp. It is a pain on
firewall setups, though.

[snip]

> Jamie

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Tue Jun 12 14:20:18 2001
Message-ID: <025101c0f385$91092730$0900a8c0@windows>
From: "Marcel Dijk"
To: "Antoine Beaupre (LMC)", "Thomas T. Veldhouse"
Cc: "Jason DiCioccio" ,
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se>
Subject: Re: IPFW almost works now.
Date: Tue, 12 Jun 2001 23:20:55 +0200

> > No you don't. My servers run fine for active and I DON'T allow access to
> > all inbound above 1024.

But what is the problem then? I can't reach my FTP. Original post, but no
working answer yet :(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Only the ports I want to be open are open now, and I can access the services
behind these ports. The only problem is FTP. If I try to access the FTP
daemon on port 5617 from for example my work (the FTP daemon runs at home) I
get an error.

I can connect, I have to give my username and pass. It then establishes a
connection and tries to execute the LIST command. But then I get this error

_______________________________________
Can't build data connection: interrupted system call.
ABOR command succesfull.
Connection Lost
_______________________________________

If I set the firewall wide-open everything works perfectly, but of course I
don't want a wide open firewall.

I have these IPFW rules defined:

________________________________________
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
________________________________________
(MY_IP is my public/internet IP)

Can anyone give me some advice on what the problem is and how I can solve it.
Just a reminder: all the other services work perfectly with this FW
configuration.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.
>
> yee-ha. One for the money two for the show....
Marcel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 14:39:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailfarm.ipfnet.net (mailfarm.ipfnet.net [195.211.129.222]) by hub.freebsd.org (Postfix) with ESMTP id 2DD2437B403 for ; Tue, 12 Jun 2001 14:39:26 -0700 (PDT) (envelope-from ab@ipfnet.net) Received: from [192.168.2.94] (router-195-211-129.ipfnet.net [195.211.129.1]) (authenticated) by mailfarm.ipfnet.net (8.11.3/8.11.3) with ESMTP id f5CLdO368624; Tue, 12 Jun 2001 23:39:24 +0200 (CEST) Date: Tue, 12 Jun 2001 23:39:06 +0200 From: Alexander Bilz Reply-To: Alexander Bilz To: freebsd-security@FreeBSD.ORG Cc: Marcel Dijk Subject: Re: IPFW almost works now. (fwd) Message-ID: <251701542.992389146@[192.168.2.94]> X-Mailer: Mulberry/2.0.8 (Win32) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org maybe you've missed this posting from thomas (see below) i don't like ftp / firewalling too, but lot of people are still using it (me too), especially 'newbies' and other people not having time to look for an alternative (e.g. our customers updating their webpages twice a year). so we have to deal with the ftp protocoll... and just saying that ftp is bullshit doesn't really help and doesn't really answer the original question :) use this for 'active' ftp: allow outgoing packages with dest port 21, incoming with source port 21 (control session) allow outgoing packages with source port 20, incoming with dest port 20 (data sessions where the binary data is transmitted) passive ftp sucks, but could be done with some kind of 'dynamic rules' parsing the control session of ftp..?? 
but in my opinion this is much harder to implement (think so, i'm using ipfw too, not ipfilter)

good luck, alex

---------- Forwarded Message ----------
Date: Tuesday, 12 June 2001 15:32 -0500
From: "Thomas T. Veldhouse"
To: Jason DiCioccio
Subject: Re: IPFW almost works now.

No you don't. My servers run fine for active and I DON'T allow access to all inbound above 1024.

Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Jason DiCioccio"
To: "'Marcel Dijk'" ;
Sent: Tuesday, June 12, 2001 2:25 PM
Subject: RE: IPFW almost works now.

> Welcome to the shitty protocol that is: FTP. To use active ftp, you
> need to allow connections to all inbound ports above 1024. To allow
> passive FTP, you need to allow outbound connections to all ports
> above 1024. FTP is obsolete, too bad everyone still uses it though.
>
> Cheers,
> -JD-
>
> -----Original Message-----
> From: Marcel Dijk [mailto:nascar24@home.nl]
> Sent: Tuesday, June 12, 2001 12:12 PM
> To: freebsd-security@freebsd.org
> Subject: IPFW almost works now.
>
> Hello,
>
> Thanks to some advice here and http://freebsddiary.org my IPfirewall is
> almost how I want it now.
>
> Only the ports I want to be open are open now, and I can access the
> services behind these ports. The only problem is FTP. If I try to access
> the FTP daemon on port 5617 from for example my work (the FTP daemon runs
> at home) I get an error.
>
> I can connect, I have to give my username and pass. It then establishes a
> connection and tries to execute the LIST command. But then I get this
> error
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command successful.
> Connection Lost
> _______________________________________
>
> If I set the firewall wide-open everything works perfectly, but of course
> I don't want a wide open firewall.
>
> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)
>
> Can anyone give me some advice on what the problem is and how I can
> solve it. Just a reminder: all the other services work perfectly with
> this FW configuration.
>
> Marcel

---------- End Forwarded Message ----------

Alexander Bilz       email: ab@ipfnet.net
IPFNET GmbH          web:   http://www.ipfnet.net/
Brueckenstrasse 22   voice: +49 911 72301 0
D-90768 Fuerth       fax:   +49 911 72301 28

From owner-freebsd-security Tue Jun 12 14:48:52 2001
Date: Tue, 12 Jun 2001 23:48:19 +0200
From: alex
Reply-To: alex
To: freebsd-security@FreeBSD.ORG
Cc: Marcel Dijk
Subject: Re: IPFW almost works now.
(fwd) - correction
Message-ID: <252254257.992389699@[192.168.2.94]>
In-Reply-To: <251701542.992389146@[192.168.2.94]>

sorry, i mixed it up :(

correct setup for active ftp:
allow incoming packets with destination port 20 and 21
allow outgoing packets with source port 20 and 21

--On Tuesday, 12 June 2001 23:39 +0200 Alexander Bilz wrote:

> maybe you've missed this posting from thomas (see below)
>
> i don't like ftp / firewalling either, but a lot of people are still using it
> (me too), especially 'newbies' and other people not having time to look
> for an alternative (e.g. our customers updating their webpages twice a
> year). so we have to deal with the ftp protocol... and just saying that
> ftp is bullshit doesn't really help and doesn't really answer the
> original question :)
>
> use this for 'active' ftp:
> allow outgoing packets with dest port 21, incoming with source port 21
> (control session)
> allow outgoing packets with source port 20, incoming with dest port 20
> (data sessions where the binary data is transmitted)
>
> passive ftp sucks, but could be done with some kind of 'dynamic rules'
> parsing the control session of ftp..?? but in my opinion this is much
> harder to implement (think so, i'm using ipfw too, not ipfilter)
>
> good luck, alex
>
> ---------- Forwarded Message ----------
> Date: Tuesday, 12 June 2001 15:32 -0500
> From: "Thomas T. Veldhouse"
> To: Jason DiCioccio
> Subject: Re: IPFW almost works now.
>
> No you don't. My servers run fine for active and I DON'T allow access to
> all inbound above 1024.
>
> Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.
>
> Tom Veldhouse
> veldy@veldy.net
>
> [...]

From owner-freebsd-security Tue Jun 12 14:57:05 2001
Date: Tue, 12 Jun 2001 17:57:03 -0400 (EDT)
From: Rob Simmons
To: "Antoine Beaupre (LMC)"
Cc: Jamie Norwood, "Antoine Beaupre (LMC)", freebsd-security@FreeBSD.ORG
Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW almost works now.)
In-Reply-To: <3B2684EC.2010205@lmc.ericsson.se>

On Tue, 12 Jun 2001, Antoine Beaupre (LMC) wrote:

> Jamie Norwood wrote:
> I think you misunderstood. If you need to allow ftp access, *securely*,
> you must use sftp, and then, you must provide the user with a shell
> account, which is by definition a higher security risk, unless you
> disable the shell account and use only RSA auth. Which is completely
> user-unfriendly.

chrooting that user's ssh session to their home directory could solve this problem somewhat.

From owner-freebsd-security Tue Jun 12 14:59:07 2001
Date: Wed, 13 Jun 2001 00:05:03 +0300 (EEST)
From: Evren Yurtesen
To: Garrett Wollman
Cc: Jamie Norwood
Subject: HTTP and FTP
In-Reply-To: <200106122045.QAA93382@khavrinen.lcs.mit.edu>

I wonder if it is possible in HTTP to make users log in to their home dirs automatically and when they put files it goes in with their uid,gid and of course they will log in with their own passwords? etc. =) I am too tired to make long sentences now

also what is the simplicity of that kind of setup compared with http server instead of using an ftp server?

On Tue, 12 Jun 2001, Garrett Wollman wrote:

> <
> > Balderdash! HTTP and TCP both send files over identical TCP
>
> Make that ``HTTP and FTP''.... Damn finger macros....
> > -GAWollman

From owner-freebsd-security Tue Jun 12 14:59:07 2001
Date: Wed, 13 Jun 2001 00:40:21 +0300 (EEST)
From: Evren Yurtesen
To: Marcel Dijk
Cc: "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio
Subject: Re: IPFW almost works now.
In-Reply-To: <025101c0f385$91092730$0900a8c0@windows>

what FTP client do you use?

Evren

On Tue, 12 Jun 2001, Marcel Dijk wrote:

> > > No you don't. My servers run fine for active and I DON'T allow access
> > > to all inbound above 1024.
>
> But what the problem then, I can't reach my FTP.
>
> Original post, but no working answer yet :(
>
> [...]
>
> > > Open up tcp/20 and tcp/21 statefully and you will be rocking and
> > > rolling.
> >
> > yee-ha.
>
> One for the money two for the show....
>
> Marcel

From owner-freebsd-security Tue Jun 12 14:59:30 2001
Date: Tue, 12 Jun 2001 23:50:14 +0300 (EEST)
From: Evren Yurtesen
To: "Thomas T. Veldhouse"
Cc: Jason DiCioccio
Subject: Re: IPFW almost works now.
In-Reply-To: <01fe01c0f37e$c5948e10$3028680a@tgt.com>

it can't be about port 20 or 21
he says that he is able to log in but he can't get a data connection which happens to be at a higher port! if I am correct!

Evren

On Tue, 12 Jun 2001, Thomas T. Veldhouse wrote:

> No you don't. My servers run fine for active and I DON'T allow access to
> all inbound above 1024.
>
> Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.
>
> Tom Veldhouse
> veldy@veldy.net
>
> ----- Original Message -----
> From: "Jason DiCioccio"
> To: "'Marcel Dijk'" ;
> Sent: Tuesday, June 12, 2001 2:25 PM
> Subject: RE: IPFW almost works now.
>
> > Welcome to the shitty protocol that is: FTP. To use active ftp, you
> > need to allow connections to all inbound ports above 1024.
> > To allow
> > passive FTP, you need to allow outbound connections to all ports
> > above 1024. FTP is obsolete, too bad everyone still uses it though.
> >
> > Cheers,
> > -JD-
> >
> > [...]

+---------------------------------------------------------+
| Name       : Evren Yurtesen - yurtesen@ispro.net.tr     |
| Job Title  : Technical Consultant & System Administrator|
| S-Mail     : Talikkokatu 6B 26, Turku 20540, Finland    |
| Work Tel.  : +90-232-2463992                            |
| Mobile Tel.: +358-40-5073940                            |
+---------------------------------------------------------+

From owner-freebsd-security Tue Jun 12 14:59:27 2001
Date: Wed, 13 Jun 2001 00:02:49 +0300 (EEST)
From: Evren Yurtesen
To: "Antoine Beaupre (LMC)"
Cc: "Thomas T. Veldhouse", Jason DiCioccio
Subject: Re: IPFW almost works now.
In-Reply-To: <3B267EDA.9070605@lmc.ericsson.se>

If you use passive FTP then it shouldn't be needed actually because the client connects to server all the time and the server is in passive mode.
so the server doesn't need to connect to the client so voila =)

On Tue, 12 Jun 2001, Antoine Beaupre (LMC) wrote:

> Thomas T. Veldhouse wrote:
>
> > No you don't. My servers run fine for active and I DON'T allow access to
> > all inbound above 1024.
>
> But you do need to allow outbound above 1024, right?
>
> > Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling.
>
> yee-ha.
>
> --
> Semantics is the gravity of abstraction.

From owner-freebsd-security Tue Jun 12 14:59:45 2001
Date: Tue, 12 Jun 2001 23:01:12 +0300 (EEST)
From: Evren Yurtesen
To: Marcel Dijk
Subject: Re: IPFW almost works now.
In-Reply-To: <01d401c0f378$35e4dc30$0900a8c0@windows>

sorry I missed the beginning of the conversation but did you try to set passive mode in your ftp client? that will solve your problem I guess!

On Tue, 12 Jun 2001, Marcel Dijk wrote:

> Yes, I am the one running the FTP Daemon, and I want to access it from my
> work but that isn't working. (described below in my other mail.)
>
> Marcel
>
> ----- Original Message -----
> From: "Jason DiCioccio"
> To: "Jason DiCioccio" ; "'Marcel Dijk'" ;
> Sent: Tuesday, June 12, 2001 9:27 PM
> Subject: RE: IPFW almost works now.
>
> > Correction: I might have gotten those backwards if YOU are the one
> > running the FTP server.
> >
> > --------------
> >
> > Welcome to the shitty protocol that is: FTP. To use active ftp, you
> > need to allow connections to all inbound ports above 1024. To allow
> > passive FTP, you need to allow outbound connections to all ports
> > above 1024. FTP is obsolete, too bad everyone still uses it though.
> >
> > Cheers,
> > -JD-
> >
> > [...]

From owner-freebsd-security Tue Jun 12 15:21:54 2001
Date: Tue, 12 Jun 2001 18:22:01 -0400 (EDT)
From: Rob Simmons
To: freebsd-security@freebsd.org
Subject: RELENG_4_3

I have a box that has already been updated to 4.3-STABLE from 4.3-RELEASE. I would like to run the RELENG_4_3 branch on this machine. What is the best way to go about this? The buildworld/installworld/kernel part is straightforward. How would I get mergemaster to work in this situation? The versions of some of the config files on the system are higher than the versions that I want to install. I realize that I could use the -s option, but that could get tedious. Also, is this even a safe thing to do?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

From owner-freebsd-security Tue Jun 12 15:34:34 2001
Message-ID: <3B2698EF.BD7EF0DB@globalstar.com>
Date: Tue, 12 Jun 2001 15:34:23 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Evren Yurtesen
Cc: "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.

Evren Yurtesen wrote:
>
> If you use passive FTP then it shouldn't be needed actually
> because the client connects to server all the time and the server is in
> passive mode.
> so the server doesn't need to connect to the client so voila =)

PASV is easy for firewalling if you are a client. PASV sucks for firewalling if you are the server (which is the original poster's case). The reverse is true for PORT (active FTP).

At the server, if you are doing PASV, you need to somehow allow the incoming connections from the client in. They can come into just about any port. So, you are left with two options,

(a) Open up a whole slew of ports on your server to incoming connections from the outside world.
(b) Have some sort of proxy reconfigure the firewall when the PASV command comes over.

Option (a) is easy to implement but defeats the purpose of a firewall. Option (b) is not easy.

Someone said the problem with FTP is that it uses a separate data connection. This in and of itself is not the problem. The problem with FTP is, FTP passes information about how it is going to use lower layer protocols, TCP/IP, in the application layer. Thus, to actually do (b), you need some proxy application that watches the application data for FTP and then reconfigures your TCP/IP stack accordingly. A firewall, usually purely a network and transport layer beast, needs some help with this. Surprised no one has built a really lightweight divert(4)-based daemon to do this for ipfw(8) (note that natd(8) has an ftp proxy built in as does ipf(8))... maybe something useful to do with my commit bit. ;)

This problem is not unique to FTP, but FTP is _the_ application that causes the most trouble because of this.

To the original poster, also keep in mind that firewalls at the other end of your connection could be making trouble for you too. You can use tcpdump(8) and firewall logging to see if traffic is getting to your FTP server at all.

--
Crist J. Clark                Network Security Engineer
crist.clark@globalstar.com    Globalstar, L.P.
(408) 933-4387                FAX: (408) 933-4926

From owner-freebsd-security Tue Jun 12 15:36:56 2001
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D97F@goofy.epylon.lan>
From: Jason DiCioccio
To: 'Jamie Norwood', freebsd-security@FreeBSD.ORG
Subject: RE: IPFW almost works now.
Date: Tue, 12 Jun 2001 15:36:44 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 HTTP :-) Cheers, - -JD- - -----Original Message----- From: Jamie Norwood [mailto:mistwolf@mushhaven.net] Sent: Tuesday, June 12, 2001 12:29 PM To: freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. On Tue, Jun 12, 2001 at 12:25:33PM -0700, Jason DiCioccio wrote: > > Welcome to the shitty protocol that is: FTP. To use active ftp, > you need to allow connections to all inbound ports above 1024. To > allow passive FTP, you need to allow outbound connections to all > ports > above 1024. FTP is obsolete, too bad everyone still uses it > though. What do you recommend? SFTP? Jamie > > Cheers, > - -JD- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOyaaLVCmU62pemyaEQL4RgCg5nxUFwQKnC6jqLuglaOQ3t0IhF8AnAhC KFe10gafwcxrgneeXcFDomHe =VYrs -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 15:39:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.epylon.com (sf-gw.epylon.com [63.93.9.98]) by hub.freebsd.org (Postfix) with ESMTP id 9631737B401 for ; Tue, 12 Jun 2001 15:39:29 -0700 (PDT) (envelope-from Jason.DiCioccio@Epylon.com) Received: by goofy.epylon.lan with Internet Mail Service (5.5.2653.19) id ; Tue, 12 Jun 2001 15:39:29 -0700 Message-ID: <657B20E93E93D4118F9700D0B73CE3EA0166D980@goofy.epylon.lan> From: Jason DiCioccio To: "'Thomas T. 
Veldhouse'" Cc: freebsd-security@freebsd.org Subject: RE: IPFW almost works now. Date: Tue, 12 Jun 2001 15:39:28 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See my correction, I stated that I had it backwards. I did forget to mention port 20 (or actually [FTP PORT-1]).. i stated what is needed on the client here by accident :-).. Cheers, - -JD- - -----Original Message----- From: Thomas T. Veldhouse [mailto:veldy@veldy.net] Sent: Tuesday, June 12, 2001 1:32 PM To: Jason DiCioccio Cc: freebsd-security@freebsd.org Subject: Re: IPFW almost works now. No you don't. My servers run fine for active and I DON'T allow access to all inbound above 1024. Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling. Tom Veldhouse veldy@veldy.net - ----- Original Message ----- From: "Jason DiCioccio" To: "'Marcel Dijk'" ; Sent: Tuesday, June 12, 2001 2:25 PM Subject: RE: IPFW almost works now. > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Welcome to the shitty protocol that is: FTP. To use active ftp, > you need to allow connections to all inbound ports above 1024. To > allow passive FTP, you need to allow outbound connections to all > ports > above 1024. FTP is obsolete, too bad everyone still uses it > though. > > Cheers, > - -JD- > > > > - -----Original Message----- > From: Marcel Dijk [mailto:nascar24@home.nl] > Sent: Tuesday, June 12, 2001 12:12 PM > To: freebsd-security@freebsd.org > Subject: IPFW almost works now. > > > Hello, > > Thanks to some advice here and http://freebsddiary.org my > IPfirewall is > almost how I want it now. > > Only to ports I want to be open are open now, and I can access the > services > behind these ports. 
The only problem is FTP. If I try to access the > FTP > daemon on port 5617 from for example my work (the FTP daemon runs > at home) I > get an error. > > I can connect, I have to give my username and pass. It then > esstablishes a > connection and tries to execute the LIST command. But then I get > this error > > _______________________________________ > Can't build data connection: interrupted system call. > ABOR command succesfull. > Connection Lost > _______________________________________ > > If I set the firewall wide-open everything works perfectly, but > ofcourse I > don't want a wide open firewall. > > I have these IPFW rules defined: > > ________________________________________ > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00220 divert 8668 ip from any to any via ed0 > 00400 deny ip from 127.0.0.0/8 to any > 00615 allow tcp from any to MY_IP 22,5617,10000 > 00625 allow tcp from MY_IP to any > 00650 allow udp from any to MY_IP > 00700 allow udp from MY_IP to any > 00750 allow icmp from MY_IP to any > 00800 allow icmp from any to MY_IP > 00850 allow ip from 192.168.0.0/16 to any > 00900 allow ip from any to 192.168.0.0/16 > 65535 deny ip from any to any > ________________________________________ > (MY_IP is my public/internet IP) > > Can anyone give me some advice on what the problem is and how I can > solve > it. Just a reminder: all the other services work perfectly with > this FW > configuration. 
> > Marcel > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 7.0.3 for non-commercial use > > > iQA/AwUBOyZtXlCmU62pemyaEQJaLwCfbnpgCZAxYcr0kw+S9EAmD72AIt0An1ML > VsjpyCAbVE/YVGtFK3wi6cBW > =18Ea > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOyaa0VCmU62pemyaEQJCJACgykYVvY32WJFmflxIpfs9JdGC+dEAmwQJ XedTMLfO+PMzpF1wq0qYrrvM =11pN -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 16: 4: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id AB18137B405 for ; Tue, 12 Jun 2001 16:03:59 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEUAPY00.CV5; Tue, 12 Jun 2001 16:03:34 -0700 Message-ID: <3B269FDD.B5323617@globalstar.com> Date: Tue, 12 Jun 2001 16:03:57 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Evren Yurtesen Cc: Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: HTTP and FTP References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Evren Yurtesen wrote: > > I wonder if it is possible in HTTP to make users login to their home dirs > automaticly 
and when they put files it goes in with their uid,gid and of > course they will login with their own passwords? etc. =) It should not be terribly difficult. > also what is the simplicity of that kind of setup compared with http > server instead of using an ftp server? Setting it up an HTTP server to allow anonymous file downloads is trivial since that is what 99.9% of the webservers on the Internet are doing right now. Allowing users to download from a home directory with a password is easy enough too. Writing (HTTP POSTs and PUTs) is a different matter. Most HTTP servers are not configured to do this in such a away as to mimic FTP's typical functionality. However, we are talking about computers. They do whatever you tell them. Getting an HTTP server to accept POSTs where the 'Authorization:' field provides a username for finding a home directory is definately do-able. I can't say off the top of my head whether you can get something like Apache to do this by just configuring it correctly or if you need to add new modules or hack source. And the other issue is finding a HTTP client that will push POSTs how you want. The main limitation when considering HTTP versus FTP is to remember that HTTP is stateless and FTP is not. There are other little things here and there that HTTP cannot do that FTP can. I do not believe HTTP has a mechanism to rename a file (without downloading, deleting, and uploading). Although it is easy enough to make your own implementation there is none in HTTP itself (I could easily be wrong, I don't know RFC2616 by heart). -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. 
If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 16:17: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from saturn.sit.edu.my (mail.sit.edu.my [202.184.64.24]) by hub.freebsd.org (Postfix) with ESMTP id D207A37B403 for ; Tue, 12 Jun 2001 16:17:04 -0700 (PDT) (envelope-from Lim.Seng.Chor@sit.edu.my) Received: from LION (pmail.sit.edu.my [202.184.64.6]) by saturn.sit.edu.my (8.11.4/8.11.3) with ESMTP id f5CHFdV03126 for ; Wed, 13 Jun 2001 01:16:20 +0800 Received: from LION/SpoolDir by LION (Mercury 1.47); 13 Jun 01 01:13:30 +0800 Received: from SpoolDir by LION (Mercury 1.47); 13 Jun 01 01:12:39 +0800 From: "Lim Seng Chor" Organization: Sepang Institute of Technology To: freebsd-security@freebsd.org Date: Wed, 13 Jun 2001 01:12:33 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: port scan detector Message-ID: <3B17970F.1017.19CBCD8@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, can somebody give me some direction on setting up the port scan detector on my freebsd box? which is the most efficient portscan detector? with good alert function and logging? Thank you very much!!!! 
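As an added example for the IPFW/FTP discussion earlier in this digest (my code, not any poster's): the application-layer parsing that a firewall helper of the kind Crist describes has to do, decoding the client's PORT command and the server's 227 PASV reply into the single data flow the server-side firewall must admit. The hosts and ports are constructed, the control port 5617 is taken from Marcel's setup, and the refusal of PORT commands naming a third host or a privileged port is ordinary FTP-server hygiene, not something a poster describes.

```python
"""Added example (not from the thread): the application-layer inspection an
FTP-aware firewall helper has to do. FTP carries TCP endpoints inside its
control channel, so a packet filter that only sees ports cannot know which
data connection to expect until something reads these lines.
All addresses and ports here are constructed."""
import re

# "h1,h2,h3,h4,p1,p2": four address bytes, then the port as p1*256 + p2 (RFC 959).
_HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?" + _HOSTPORT)


def _decode_hostport(field):
    nums = [int(n) for n in field.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % field)
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


def parse_port_command(line, control_peer):
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2' (active mode).

    Returns (addr, port), or None if the line is not a PORT command. The only
    legitimate data endpoint is the host the control connection came from, so
    a PORT naming any other host, or a privileged port, is refused outright."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    addr, port = _decode_hostport(m.group(1))
    if addr != control_peer:
        raise ValueError("PORT address %s is not the control peer %s" % (addr, control_peer))
    if port < 1024:
        raise ValueError("PORT to privileged port %d refused" % port)
    return addr, port


def parse_pasv_reply(line):
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'
    Returns (addr, port), or None if the line is not a 227 reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    return _decode_hostport(m.group(1))


def data_pinhole(line, *, client_ip, server_ip, ctrl_port=21):
    """Describe the one TCP flow the server-side firewall must open for this line.

    Active (PORT): the server connects out from ctrl_port-1 (20 for a standard
    server) to the port the client announced. Passive (227): the client connects
    in from an ephemeral port to the high port the server announced. That port is
    only known by reading the reply, so fixed port rules cannot express it; the
    filter either follows the control channel (an FTP proxy such as natd's) or
    the server is pinned to a known passive port range."""
    active = parse_port_command(line, client_ip)
    if active is not None:
        return {"mode": "active", "initiator": "server",
                "src": (server_ip, ctrl_port - 1), "dst": active, "at_server": "out"}
    pasv = parse_pasv_reply(line)
    if pasv is not None:
        addr, dport = pasv
        return {"mode": "passive", "initiator": "client",
                "src": (client_ip, "any"), "dst": (addr, dport), "at_server": "in",
                # A 227 naming an address other than the server's own (a private
                # address behind NAT, say) is what natd's ftp proxy has to rewrite.
                "address_matches_server": addr == server_ip}
    return None
```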
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 16:34:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 181CA37B403 for ; Tue, 12 Jun 2001 16:34:47 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id BAA19350; Wed, 13 Jun 2001 01:34:43 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Derek O'Flynn" Cc: freebsd-security@FreeBSD.ORG Subject: Re: snort/tcpdump not showing tcp packets References: From: Dag-Erling Smorgrav Date: 13 Jun 2001 01:34:42 +0200 In-Reply-To: Message-ID: Lines: 12 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Derek O'Flynn" writes: > However, when I run tcpdump or snort on the 4.0 box, I get traffic from a > variety of protocols, but no tcp protocol traffic. The only time tcp > protocol shows up is if I connect to the web server on the 4.3 box from > another machine. Use the -n option to stop tcpdump from trying to look up all IP addresses it sees in DNS. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 16:35:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 98D2B37B407 for ; Tue, 12 Jun 2001 16:35:09 -0700 (PDT) (envelope-from nate@yogotech.com) Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id RAA11748; Tue, 12 Jun 2001 17:33:52 -0600 (MDT) (envelope-from nate@nomad.yogotech.com) Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id RAA11223; Tue, 12 Jun 2001 17:33:36 -0600 (MDT) (envelope-from nate) From: Nate Williams MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15142.42704.228823.693752@nomad.yogotech.com> Date: Tue, 12 Jun 2001 17:33:36 -0600 (MDT) To: Garrett Wollman Cc: Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. In-Reply-To: <200106122044.QAA93356@khavrinen.lcs.mit.edu> References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu> X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid Reply-To: nate@yogotech.com (Nate Williams) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > No, it has a host of limitations all it's own, not the least of which is > > that is is actually less efficient at transfering files, > > Balderdash! HTTP and TCP both send files over identical TCP > connections, which makes them equally efficient. From a raw protocol stack, yes. 
However, most FTP servers are optimized for streaming out large bits of static data, while HTTP servers are less optimized for this. FTP servers can be more easily optimized (KISS et al), and hence FTP is a better protocol for simple file transfers. Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 16:57:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id C8A2237B401 for ; Tue, 12 Jun 2001 16:57:55 -0700 (PDT) (envelope-from dillon@earth.backplane.com) Received: (from dillon@localhost) by earth.backplane.com (8.11.3/8.11.2) id f5CNubp50204; Tue, 12 Jun 2001 16:56:37 -0700 (PDT) (envelope-from dillon) Date: Tue, 12 Jun 2001 16:56:37 -0700 (PDT) From: Matt Dillon Message-Id: <200106122356.f5CNubp50204@earth.backplane.com> To: Nate Williams Cc: Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu> <15142.42704.228823.693752@nomad.yogotech.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :> Balderdash! HTTP and TCP both send files over identical TCP :> connections, which makes them equally efficient. : :>From a raw protocol stack, yes. However, most FTP servers are optimized :for streaming out large bits of static data, while HTTP servers are less :optimized for this. : :FTP servers can be more easily optimized (KISS et al), and hence FTP is :a better protocol for simple file transfers. 
: :Nate If you have to have a web server, and would only also have a ftp server to 'optimize' transfers, I would submit that whatever performance one perceives as having gained from running the ftp server (which I think is Balderdash as well) is offset by the fact that you are now running two pieces of server software that might potentially create a security hazzard rather then one. Since I can't do without my web server, ftpd is the one I turn off. Historically, a plain old Apache with no fancy modules turned on is just as secure... in fact, even more secure... then ftpd. Maybe because web servers focus on read-only stuff whereas ftpd tries to be general purpose read/write/exec/chmod/only-god-knows-what-else. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 17:24:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 7F4E637B401 for ; Tue, 12 Jun 2001 17:24:46 -0700 (PDT) (envelope-from veldy@visi.com) Received: from cascade (cascade.veldy.net [192.168.1.1]) by veldy.net (Postfix) with SMTP id 14F07BA56; Tue, 12 Jun 2001 19:24:42 -0500 (CDT) Message-ID: <001a01c0f39f$4182e1a0$0101a8c0@cascade> From: "Thomas T. Veldhouse" To: "Antoine Beaupre (LMC)" Cc: References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se> Subject: Re: IPFW almost works now. 
Date: Tue, 12 Jun 2001 19:24:48 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Use stateful rules -- they keep track of that and open the ports dynamically. man ipfw Look for "keep-state" Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "Antoine Beaupre (LMC)" To: "Thomas T. Veldhouse" Cc: "Jason DiCioccio" ; Sent: Tuesday, June 12, 2001 3:43 PM Subject: Re: IPFW almost works now. > Thomas T. Veldhouse wrote: > > > No you don't. My servers run fine for active and I DON'T allow access to > > all inbound above 1024. > > > But you do need to allow outbound above 1024, right? > > > > Open up tcp/20 and tcp/21 statefully and you will be rocking and rolling. > > > yee-ha. > > > -- > La sémantique est la gravité de l'abstraction. > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 21: 3:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [209.16.107.11]) by hub.freebsd.org (Postfix) with ESMTP id C366D37B401 for ; Tue, 12 Jun 2001 21:03:37 -0700 (PDT) (envelope-from mistwolf@diarmadhi.mushhaven.net) Received: (from mistwolf@localhost) by diarmadhi.mushhaven.net (8.11.3/8.11.0) id f5D43k000415; Wed, 13 Jun 2001 00:03:46 -0400 (EDT) (envelope-from mistwolf) Date: Wed, 13 Jun 2001 00:03:46 -0400 From: Jamie Norwood To: Matt Dillon Cc: Nate Williams , Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. 
Message-ID: <20010613000346.A398@mushhaven.net> References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu> <15142.42704.228823.693752@nomad.yogotech.com> <200106122356.f5CNubp50204@earth.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200106122356.f5CNubp50204@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Jun 12, 2001 at 04:56:37PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 12, 2001 at 04:56:37PM -0700, Matt Dillon wrote: > > If you have to have a web server, and would only also have a ftp > server to 'optimize' transfers, I would submit that whatever > performance one perceives as having gained from running the ftp > server (which I think is Balderdash as well) is offset by the fact > that you are now running two pieces of server software that might > potentially create a security hazzard rather then one. > > Since I can't do without my web server, ftpd is the one I turn off. > > Historically, a plain old Apache with no fancy modules turned on > is just as secure... in fact, even more secure... then ftpd. Maybe > because web servers focus on read-only stuff whereas ftpd tries to > be general purpose read/write/exec/chmod/only-god-knows-what-else. So how, then, do you propose people upload files, a common use of ftp? Since your alternative is 'bare-bones' Apache, you have just cut out a function many of us rely on. Security through lack of usefulness is not an option, IMHO. 
Jamie > -Matt > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 21:39:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from comp1.mastery.ca (comp1.mastery.ca [209.202.88.60]) by hub.freebsd.org (Postfix) with ESMTP id 2E41937B408 for ; Tue, 12 Jun 2001 21:39:31 -0700 (PDT) (envelope-from mail@max-info.net) Received: from 78kw954 (dyn216-8-128-110.ADSL.mnsi.net [216.8.128.110]) (authenticated) by comp1.mastery.ca (8.11.3/8.11.1) with ESMTP id f5D4cfL26615; Wed, 13 Jun 2001 00:38:44 -0400 (EDT) (envelope-from mail@max-info.net) Message-ID: <016a01c0f3c2$19f27920$3200a8c0@Home> From: "Ryan Masse" To: "Rob Simmons" Cc: References: Subject: Re: RELENG_4_3 Date: Wed, 13 Jun 2001 00:33:44 -0400 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > I have a box that has already been updated to 4.3-STABLE from 4.3-RELEASE. > I would like to run the RELENG_4_3 branch on this machine. not sure what exactly you mean by this. RELENG_4_3 is a security branch specifically for 4.3-RELEASE. The standard make buildworld/installworld/kernel would update your 4.3-RELEASE box with the latest security fixes. Mergemaster in this situation can be skipped. > > What is the best way to go about this? The buildworld/installworld/kernel > part is straightforward. How would I get mergemaster to work in this > situation. The versions of some of the config files on the system are > higher than the versions that I want to install. 
I realize that I could > use the -s option, but that could get tedious. > > Also, is this even a safe thing to do? > Ryan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 21:44:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from gw.errno.com (node-d1d4bd7a.powerinter.net [209.212.189.122]) by hub.freebsd.org (Postfix) with ESMTP id A85BF37B403 for ; Tue, 12 Jun 2001 21:44:38 -0700 (PDT) (envelope-from sam@errno.com) Received: from melange (melange.errno.com [209.212.166.36]) by gw.errno.com (8.11.2/8.11.2) with SMTP id f5D4icZ05124 for ; Tue, 12 Jun 2001 21:44:38 -0700 (PDT) Message-ID: <099301c0f3c3$8d405630$24a6d4d1@melange> From: "Sam Leffler" To: Subject: tripwire Date: Tue, 12 Jun 2001 21:44:37 -0700 Organization: Errno Consulting MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.3018.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Do folks use tripwire or is there a preferred alternative? The LGPL Linux 2.2.1 version works fine in compatibility mode under 4.3-R (after a little tweaking to get it installed). 
Sam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 22:26:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3894337B405 for ; Tue, 12 Jun 2001 22:26:23 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.154.2]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEUSF800.EV6; Tue, 12 Jun 2001 22:25:56 -0700 Message-ID: <3B26F975.84A0AD02@globalstar.com> Date: Tue, 12 Jun 2001 22:26:13 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.72 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Jamie Norwood Cc: Matt Dillon , Nate Williams , Garrett Wollman , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <20010612152856.A72299@mushhaven.net> <3B267827.5090002@lmc.ericsson.se> <20010612162749.A73655@mushhaven.net> <200106122044.QAA93356@khavrinen.lcs.mit.edu> <15142.42704.228823.693752@nomad.yogotech.com> <200106122356.f5CNubp50204@earth.backplane.com> <20010613000346.A398@mushhaven.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jamie Norwood wrote: > > On Tue, Jun 12, 2001 at 04:56:37PM -0700, Matt Dillon wrote: > > > > If you have to have a web server, and would only also have a ftp > > server to 'optimize' transfers, I would submit that whatever > > performance one perceives as having gained from running the ftp > > server (which I think is Balderdash as well) is offset by the fact > > that you are now running two pieces of server software 
that might > > potentially create a security hazzard rather then one. > > > > Since I can't do without my web server, ftpd is the one I turn off. > > > > Historically, a plain old Apache with no fancy modules turned on > > is just as secure... in fact, even more secure... then ftpd. Maybe > > because web servers focus on read-only stuff whereas ftpd tries to > > be general purpose read/write/exec/chmod/only-god-knows-what-else. > > So how, then, do you propose people upload files, a common use of ftp? HTTP has POST and PUT. See RFC2616 for all of HTTP 1.1's capabilities. Compare to RFC0959 for FTP (see section 4.1). -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 22:40:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id 96B3D37B405 for ; Tue, 12 Jun 2001 22:40:31 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id PAA03340; Wed, 13 Jun 2001 15:40:27 +1000 (EST) Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37645) with ESMTP id <01K4Q1VRF41CVNYT03@cim.alcatel.com.au>; Wed, 13 Jun 2001 15:40:28 +1000 Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f5D5eMu37443; Wed, 13 Jun 2001 15:40:22 +1000 (EST envelope-from jeremyp) Content-return: prohibited Date: Wed, 13 Jun 2001 15:40:22 +1000 From: Peter Jeremy Subject: Re: RELENG_4_3 In-reply-to: <016a01c0f3c2$19f27920$3200a8c0@Home>; from mail@max-info.net on Wed, Jun 13, 2001 at 12:33:44AM -0400 To: Ryan Masse Cc: Rob Simmons , freebsd-security@FreeBSD.ORG Mail-Followup-To: Ryan 
Masse , Rob Simmons , freebsd-security@FreeBSD.ORG Message-id: <20010613154022.D95583@gsmx07.alcatel.com.au> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-disposition: inline User-Agent: Mutt/1.2.5i References: <016a01c0f3c2$19f27920$3200a8c0@Home> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2001-Jun-13 00:33:44 -0400, Ryan Masse wrote: >not sure what exactly you mean by this. RELENG_4_3 is a security branch >specifically for 4.3-RELEASE. The standard make >buildworld/installworld/kernel would update your 4.3-RELEASE box with the >latest security fixes. Mergemaster in this situation can be skipped. No it can't. Since Rob's box is at -STABLE, it may be running _later_ versions of some scripts. In any case, mergemaster still needs to be run on the RELENG_4_3 branch in case a security fix impacts /etc and related files. >> What is the best way to go about this? The buildworld/installworld/kernel >> part is straightforward. How would I get mergemaster to work in this >> situation. mergemaster does a equality comparison, rather than a relational comparison, on the CVS Id line. This means that you should be able to use mergemaster normally to go backwards in time, or across branches. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 12 23:24:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id 09B6937B405 for ; Tue, 12 Jun 2001 23:24:12 -0700 (PDT) (envelope-from razor@ldc.ro) Received: (qmail 8431 invoked by uid 666); 13 Jun 2001 06:24:03 -0000 Date: Wed, 13 Jun 2001 09:24:02 +0300 From: Alex Popa To: security@freebsd.org Subject: Compiling untrusted source -- what are the risks? 
Message-ID: <20010613092402.A8413@ldc.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

What would be the risks of setting up a server that will evaluate some
programs, something like USACO or ACM competitions?

The user submits the source, and the machine should compile it, run it
against a number of test cases, and then produce a result - program
accepted, wrong answer, compile error or run-time error.

The step I am worried about is the compiling, since I do need to have
the include files and libraries available. The output should be a
statically linked file, which would run in a jail (separate one per
source file) which contains nothing more than the compiled binary, and
the input file.

The evaluation program will run in a separate jail, given only the
output file from the program, and maybe an "expected results" file.

I plan on using ipfw to block all traffic on that machine (will be a
dedicated machine) not coming from a few trusted uids (like root and
the evaluation process).

I also plan on setting up resource limits, and not running more than
one evaluation job at the same time (ruins timing).

Do you think this is feasible using FreeBSD, or is there something I
have missed, something that would get my machine rooted and
"dd if=/dev/zero of=/dev/ad0"ed?

Thanks a lot
Alex

------------+------------------------------------------
Alex Popa,  |   "Artificial Intelligence is
razor@ldc.ro|   no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
From owner-freebsd-security Tue Jun 12 23:30:10 2001
Delivered-To: freebsd-security@freebsd.org Received: from saturn.sit.edu.my (saturn.sit.edu.my [202.184.64.24]) by hub.freebsd.org (Postfix) with ESMTP id C2D4837B405 for ; Tue, 12 Jun 2001 23:29:58 -0700 (PDT) (envelope-from Lim.Seng.Chor@sit.edu.my) Received: from LION (pmail.sit.edu.my [202.184.64.6]) by saturn.sit.edu.my (8.11.4/8.11.3) with ESMTP id f5D2bg100541 for ; Wed, 13 Jun 2001 10:37:43 +0800 Received: from LION/SpoolDir by LION (Mercury 1.47); 13 Jun 01 10:34:54 +0800 Received: from SpoolDir by LION (Mercury 1.47); 13 Jun 01 10:34:52 +0800 From: "Lim Seng Chor" Organization: Sepang Institute of Technology To: sEcurity@FreeBSD.ORG Date: Wed, 13 Jun 2001 10:34:49 +0800 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: port scan detector Message-ID: <3B181AD3.6467.1F9DB47@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi,
can somebody give me some direction on setting up the port scan
detector on my freebsd box?
which is the most efficient portscan detector? with good alert
function and logging?

Thank you very much!!!!
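An added example, not part of the thread and not code from snort or portsentry (the tools the replies recommend): the core of a port scan detector in Python, run over firewall log lines. It parses lines in the shape ipfw writes to syslog for logged rules and raises an alert for a source that is denied on several distinct destination ports within a sliding time window. The log lines, hostnames, addresses (documentation ranges), window and threshold are all constructed for this example; the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of an ipfw syslog line:
#   <timestamp> <host> /kernel: ipfw: <rule> <Action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$")

# Constructed sample: one host sweeps six ports in a few seconds, another
# host is denied on three ports spread over fifty minutes, plus two lines
# the detector must ignore (an accepted packet and an unrelated sshd line).
SAMPLE_LOG = """\
Jun 13 10:30:01 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40001 192.0.2.10:21 in via ed0
Jun 13 10:30:02 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40002 192.0.2.10:23 in via ed0
Jun 13 10:30:02 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40003 192.0.2.10:25 in via ed0
Jun 13 10:30:03 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40004 192.0.2.10:80 in via ed0
Jun 13 10:30:03 lion sshd[1234]: Accepted publickey for admin from 198.51.100.4 port 51000 ssh2
Jun 13 10:30:04 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40005 192.0.2.10:110 in via ed0
Jun 13 10:30:04 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40006 192.0.2.10:143 in via ed0
Jun 13 10:30:09 lion /kernel: ipfw: 615 Accept TCP 198.51.100.4:51001 192.0.2.10:22 in via ed0
Jun 13 10:45:00 lion /kernel: ipfw: 65535 Deny TCP 198.51.100.4:51002 192.0.2.10:23 in via ed0
Jun 13 10:46:10 lion /kernel: ipfw: 65535 Deny TCP 198.51.100.4:51003 192.0.2.10:25 in via ed0
Jun 13 11:20:00 lion /kernel: ipfw: 65535 Deny UDP 198.51.100.4:51004 192.0.2.10:53 in via ed0
Jun 13 11:20:01 lion /kernel: ipfw: 65535 Deny TCP 203.0.113.7:40007 192.0.2.10:8080 in via ed0
"""


def parse_line(line, year=2001):
    """Return a dict of the fields, or None for a line that is not an ipfw log line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Map each scanning source to (time of first alert, distinct ports seen
    in the window at that moment). Only inbound denied packets count; a
    source alerts once."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)        # src -> [(ts, dport)] still inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "Deny" or ev["dir"] != "in":
            continue
        src, cutoff = ev["src"], ev["ts"] - window
        recent[src] = [(t, p) for t, p in recent[src] if t >= cutoff]
        recent[src].append((ev["ts"], ev["dport"]))
        ports = sorted({p for _, p in recent[src]})
        if len(ports) >= min_ports and src not in alerts:
            alerts[src] = (ev["ts"], ports)
    return alerts


if __name__ == "__main__":
    for src, (ts, ports) in detect_scans(SAMPLE_LOG).items():
        print(f"{ts:%b %d %H:%M:%S} possible port scan from {src}: ports {ports}")
```

The window and threshold are the tuning knobs: with the defaults only the fast sweep alerts, while a one-hour window with a threshold of three also catches the slow host, at the cost of more false positives from ordinary clients that retry a few closed ports.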
From owner-freebsd-security Wed Jun 13 2: 3:33 2001
Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 84BDA37B403 for ; Wed, 13 Jun 2001 02:03:25 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.22 #1) id 15A6YY-000Hr0-00; Wed, 13 Jun 2001 11:03:18 +0200 From: Sheldon Hearn To: "Sam Leffler" Cc: freebsd-security@freebsd.org Subject: Re: tripwire In-reply-to: Your message of "Tue, 12 Jun 2001 21:44:37 MST." <099301c0f3c3$8d405630$24a6d4d1@melange> Date: Wed, 13 Jun 2001 11:03:18 +0200 Message-ID: <68633.992422998@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, 12 Jun 2001 21:44:37 MST, "Sam Leffler" wrote:

> Do folks use tripwire or is there a preferred alternative? The LGPL Linux
> 2.2.1 version works fine in compatibility mode under 4.3-R (after a little
> tweaking to get it installed).

You can use a native version, as built from the ports tree:

/path/to/ports/tripwire
/path/to/ports/tripwire-131

It works very well for many people. Reading the accompanying
documentation is worthwhile.

Ciao,
Sheldon.
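As an added example, not code from tripwire or from this thread: the mechanism behind the tool Sam and Sheldon are discussing, in Python. A baseline records a content hash and the inode attributes of every regular file under a tree (the job of tripwire's database), a later snapshot is compared against it, and the report names added, removed and changed files together with which attribute changed, so a permission-only change such as a newly set setuid bit shows up even though the file's content and hash are untouched. The list of monitored paths is the part a policy file (the RedHat-versus-FreeBSD issue raised later in the thread) describes; here it is simply "everything under root". The mini filesystem and the tampering in demo() are constructed for this example.

```python
import hashlib
import json
import os
import stat
import tempfile

# Attributes recorded per file; a difference in any of them is reported.
TRACKED = ("sha256", "size", "mode", "uid", "gid", "mtime")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record TRACKED attributes of every regular file under root, keyed
    by path relative to root. Symlinks, devices and sockets are skipped."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),   # permission bits incl. setuid/setgid
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
            }
    return snap


def compare(baseline, current):
    """Report added and removed paths, and for surviving paths the list of
    TRACKED attributes whose value differs from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in TRACKED if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed mini filesystem: baseline it, apply simulated tampering,
    and return the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/ls", b"#!/bin/sh\necho ls\n", 0o755)
        _write(root, "bin/su", b"#!/bin/sh\necho su\n", 0o755)
        _write(root, "etc/passwd", b"root:*:0:0:Charlie &:/root:/bin/csh\n")
        db = os.path.join(store, "tw.db.json")       # kept outside the monitored tree
        save_baseline(snapshot(root), db)
        # Simulated tampering: an extra uid-0 account, a setuid bit switched on
        # with the content left alone, a deleted binary, and a new hidden file.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"toor:*:0:0:extra root:/root:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/su"), 0o4755)
        os.remove(os.path.join(root, "bin/ls"))
        _write(root, "bin/.cache", b"not a cache\n", 0o755)
        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only as trustworthy as its storage: it must live where the monitored host cannot rewrite it (read-only media or a signed copy elsewhere), which is what the tripwire documentation Sheldon points to spends much of its length on.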
From owner-freebsd-security Wed Jun 13 2:49:57 2001
Delivered-To: freebsd-security@freebsd.org Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id DD9CC37B401 for ; Wed, 13 Jun 2001 02:49:52 -0700 (PDT) (envelope-from fasty@i-sphere.com) Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f5D9sut75681; Wed, 13 Jun 2001 02:54:56 -0700 (PDT) (envelope-from fasty) Date: Wed, 13 Jun 2001 02:54:56 -0700 From: faSty To: Lim Seng Chor Cc: freebsd-security@freebsd.org Subject: Re: port scan detector Message-ID: <20010613025456.A75663@i-sphere.com> References: <3B181AD3.6467.1F9DB47@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B181AD3.6467.1F9DB47@localhost>; from Lim.Seng.Chor@sit.edu.my on Wed, Jun 13, 2001 at 10:34:49AM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I would recommend using snort in /usr/ports/security/snort

-trev

On Wed, Jun 13, 2001 at 10:34:49AM +0800, Lim Seng Chor wrote:
> Hi,
> can somebody give me some direction on setting up the port scan
> detector on my freebsd box?
> which is the most efficient portscan detector? with good alert
> function and logging?
> Thank you very much!!!!

From owner-freebsd-security Wed Jun 13 4: 4:18 2001
Delivered-To: freebsd-security@freebsd.org Received: from nomad.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by hub.freebsd.org (Postfix) with SMTP id EF2B137B407 for ; Wed, 13 Jun 2001 04:04:11 -0700 (PDT) (envelope-from steve@nomad.lets.net) Received: (qmail 31126 invoked by uid 1001); 13 Jun 2001 10:59:06 -0000 Date: Wed, 13 Jun 2001 06:59:06 -0400 From: Steve Shorter To: Sam Leffler Cc: freebsd-security@freebsd.org Subject: Re: tripwire Message-ID: <20010613065906.A31121@nomad.lets.net> References: <099301c0f3c3$8d405630$24a6d4d1@melange> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <099301c0f3c3$8d405630$24a6d4d1@melange>; from sam@errno.com on Tue, Jun 12, 2001 at 09:44:37PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, Jun 12, 2001 at 09:44:37PM -0700, Sam Leffler wrote:
> Do folks use tripwire or is there a preferred alternative? The LGPL Linux
> 2.2.1 version works fine in compatibility mode under 4.3-R (after a little
> tweaking to get it installed).

It has been ported to FreeBSD 4.x. The docs in the source tell you how
to modify the Makefile. Compiles and runs fine in native FreeBSD 4.3
AFAICT.
-steve

From owner-freebsd-security Wed Jun 13 6: 1:39 2001
Delivered-To: freebsd-security@freebsd.org Received: from newman.cs.purdue.edu (newman.cs.purdue.edu [128.10.2.6]) by hub.freebsd.org (Postfix) with ESMTP id B7C1A37B401 for ; Wed, 13 Jun 2001 06:01:37 -0700 (PDT) (envelope-from dk@cs.purdue.edu) Received: from lore.cs.purdue.edu (IDENT:1301@lore.cs.purdue.edu [128.10.2.16]) by newman.cs.purdue.edu (8.11.3/8.11.3/PURDUE_CS-2.0) with ESMTP id f5DD1Y521924; Wed, 13 Jun 2001 08:01:34 -0500 (EST) Date: Wed, 13 Jun 2001 08:01:33 -0500 (EST) From: Daniel Kim To: Sam Leffler Cc: Subject: Re: tripwire In-Reply-To: <099301c0f3c3$8d405630$24a6d4d1@melange> Message-ID: X-PGP-Public-Key: finger dk@cs.purdue.edu X-PGP-Fingerprint: E3 D6 3B 3E 34 E6 0D F9 51 CF 32 5F B0 7E 6B A6 25 8C AB 53 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In the previous episode, Sam Leffler said:
> Do folks use tripwire or is there a preferred alternative? The LGPL Linux
> 2.2.1 version works fine in compatibility mode under 4.3-R (after a little
> tweaking to get it installed).

You also might want to check out the following link that guides you
through the installation process of Tripwire-2.3.x on -STABLE.

http://www.schlacter.dyndns.org/public/FreeBSD-STABLE_and_IPFILTER.html

Scroll to the middle (section 8) to skip to the Tripwire portion.
--dk

From owner-freebsd-security Wed Jun 13 6:24:32 2001
Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0571037B403 for ; Wed, 13 Jun 2001 06:24:27 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA29799; Wed, 13 Jun 2001 06:24:11 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda29797; Wed Jun 13 06:24:04 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5DDNw823410; Wed, 13 Jun 2001 06:23:58 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdN23408; Wed Jun 13 06:23:21 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5DDNLU09513; Wed, 13 Jun 2001 06:23:21 -0700 (PDT) Message-Id: <200106131323.f5DDNLU09513@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdaC9509; Wed Jun 13 06:22:33 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Sheldon Hearn Cc: "Sam Leffler" , freebsd-security@FreeBSD.ORG Subject: Re: tripwire In-reply-to: Your message of "Wed, 13 Jun 2001 11:03:18 +0200." <68633.992422998@axl.seasidesoftware.co.za> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 13 Jun 2001 06:22:33 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <68633.992422998@axl.seasidesoftware.co.za>, Sheldon Hearn
writes:
>
>
> On Tue, 12 Jun 2001 21:44:37 MST, "Sam Leffler" wrote:
>
> > Do folks use tripwire or is there a preferred alternative? The LGPL Linux
> > 2.2.1 version works fine in compatibility mode under 4.3-R (after a little
> > tweaking to get it installed).
>
> You can use a native version, as built from the ports tree:
>
> /path/to/ports/tripwire
> /path/to/ports/tripwire-131
>
> It works very well for many people. Reading the accompanying
> documentation is worthwhile.

I'm currently working on a tripwire-231 port. It compiles and runs on
FreeBSD using native FreeBSD binaries. I'm about 30% complete on a
FreeBSD-specific policy file. The policy file shipped with the source
is RedHat-specific: Many binaries that exist on RedHat do not exist on
FreeBSD and vice versa. Also many binaries on RedHat that reside in
/bin, /sbin, and /lib reside in /usr/bin, /usr/sbin, and /usr/lib. I
must say that I'm discovering some of the esoteric bits and pieces of
both RedHat and FreeBSD in the translation process.

If people want, I could shortcut the whole process by creating a
generic policy file similar to the generic nature of the tripwire-131
policy file. This would give us a tripwire-231 port now and an updated
tripwire-231 port with a FreeBSD-specific policy file later when I've
completed building the FreeBSD policy file.

If people see value in this, I will do it.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Jun 13 6:28: 7 2001
Delivered-To: freebsd-security@freebsd.org Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id A008037B405 for ; Wed, 13 Jun 2001 06:27:56 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr7.exu.ericsson.se (mr7att.ericy.com [138.85.92.15]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5DDRp829134; Wed, 13 Jun 2001 08:27:51 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr7.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5DDRn404236; Wed, 13 Jun 2001 08:27:49 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5DDRlG28306; Wed, 13 Jun 2001 09:27:48 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Wed, 13 Jun 2001 09:27:46 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id M6AW63W9; Wed, 13 Jun 2001 09:26:49 -0400 From: "Antoine Beaupre (LMC)" To: Marcel Dijk Cc: "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , Jason DiCioccio , freebsd-security@FreeBSD.ORG Message-ID: <3B276A18.1070703@lmc.ericsson.se> Date: Wed, 13 Jun 2001 09:26:48 -0400 Organization: LMC, Ericsson Research Canada User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: Re: IPFW almost works now.
References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se> <025101c0f385$91092730$0900a8c0@windows> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Marcel Dijk wrote:

>>>No you don't. My servers run fine for active and I DON'T allow access
>>>to
>>>all inbound above 1024.
>
> But what's the problem then, I can't reach my FTP.

Can you provide more details such as syslog entries of the denied
packets (because there should be)??

> Original post, but no working answer yet :(

Let's see that OP again:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Only the ports I want to be open are open now, and I can access the services
> behind these ports. The only problem is FTP. If I try to access the FTP
> daemon on port 5617 from for example my work (the FTP daemon runs at home) I
> get an error.

The error below, I guess. This is probably associated with logs and
errors on the firewall side. These are the ones we're interested in
here.

> I can connect, I have to give my username and pass. It then establishes a
> connection and tries to execute the LIST command. But then I get this error
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command succesfull.
> Connection Lost
> _______________________________________

This is "normal", in a sense that if port 21 (or 20?) is open, you can
open the "control connection" to give FTP commands (such as USER, ABOR,
etc) but not get the output of PORT commands (output of GET, LIST,
which open a connection: (a) from server to client for ACTIVE mode, or
(b) from client to server for PASSIVE mode).

> If I set the firewall wide-open everything works perfectly, but of course I
> don't want a wide open firewall.

Of course.

> I have these IPFW rules defined:
>
> ________________________________________
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00220 divert 8668 ip from any to any via ed0
> 00400 deny ip from 127.0.0.0/8 to any
> 00615 allow tcp from any to MY_IP 22,5617,10000
> 00625 allow tcp from MY_IP to any
> 00650 allow udp from any to MY_IP
> 00700 allow udp from MY_IP to any
> 00750 allow icmp from MY_IP to any
> 00800 allow icmp from any to MY_IP
> 00850 allow ip from 192.168.0.0/16 to any
> 00900 allow ip from any to 192.168.0.0/16
> 65535 deny ip from any to any
> ________________________________________
> (MY_IP is my public/internet IP)

I don't understand why you can connect to your ftp at all. Is it setup
to listen on 5617 instead of standard 20,21?

I don't think I can help you very much here, unless you provide
logfiles.

A.

--
Semantics is the gravity of abstraction.
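An added example, not code from the thread and not ipfw itself: a small Python model of ipfw's first-match evaluation, fed the ruleset Marcel posted above, that walks the two TCP segments needed to open the FTP data connection in each of the modes Antoine describes (server to client for active, client to server for passive). It shows why the control connection on 5617 gets through while the data connection does not: the client's reply to the server's port-20 connection is an inbound TCP packet to MY_IP on a port that rule 00615 does not list, so it falls through to 65535. The second ruleset adds one line expressing the advice given later in the thread (allow inbound to the data port); that line, the placeholder values for MY_IP and the client, and the port numbers are this example's assumptions. divert is treated as non-terminating and address translation is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MY_IP = "192.0.2.10"      # placeholder for Marcel's public address
CLIENT = "198.51.100.4"   # constructed address for the remote FTP client

# The ruleset quoted in the thread, verbatim.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
"""

# Assumed fix for active mode: let the client's replies reach the server's
# data port (rule number and wording chosen for this example).
RULESET_WITH_DATA_PORT = RULESET + "00620 allow tcp from any to MY_IP 20\n"


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "ed0"


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]
    sports: frozenset
    dst: Optional[ipaddress.IPv4Network]
    dports: frozenset
    iface: Optional[str]

    def matches(self, pkt):
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src is None or ipaddress.ip_address(pkt.src) in self.src)
                and (not self.sports or pkt.sport in self.sports)
                and (self.dst is None or ipaddress.ip_address(pkt.dst) in self.dst)
                and (not self.dports or pkt.dport in self.dports)
                and (self.iface is None or self.iface == pkt.iface))


def _endpoint(toks, i):
    """Parse '<addr|any> [port,port,...]' starting at toks[i]."""
    addr, i = toks[i], i + 1
    net = None if addr == "any" else ipaddress.ip_network(addr)
    ports = frozenset()
    if i < len(toks) and toks[i][0].isdigit():
        ports, i = frozenset(int(p) for p in toks[i].split(",")), i + 1
    return net, ports, i


def parse_rule(line):
    toks = line.replace("MY_IP", MY_IP).split()
    number, action, i = int(toks[0]), toks[1], 2
    if action == "divert":
        i += 1                                    # skip the divert socket port
    proto, i = toks[i], i + 1
    assert toks[i] == "from"
    src, sports, i = _endpoint(toks, i + 1)
    assert toks[i] == "to"
    dst, dports, i = _endpoint(toks, i + 1)
    iface = toks[i + 1] if i < len(toks) and toks[i] == "via" else None
    return Rule(number, action, proto, src, sports, dst, dports, iface)


def parse_ruleset(text):
    rules = [parse_rule(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules, pkt):
    """First terminating match wins, as in ipfw. divert is not terminating
    here: natd hands the packet back to the next rule."""
    for rule in rules:
        if rule.matches(pkt) and rule.action in ("allow", "deny"):
            return rule.number, rule.action
    raise AssertionError("an ipfw ruleset always ends in rule 65535")


def ftp_data_connection(rules, mode, client_port=3456, passive_port=49152):
    """Verdict for each segment that must pass for the data connection to open."""
    if mode == "active":       # server connects from port 20 to the client's PORT
        segs = [("server SYN out", Packet("tcp", MY_IP, 20, CLIENT, client_port)),
                ("client SYN-ACK in", Packet("tcp", CLIENT, client_port, MY_IP, 20))]
    else:                      # client connects to the high port the server chose (PASV)
        segs = [("client SYN in", Packet("tcp", CLIENT, client_port, MY_IP, passive_port)),
                ("server SYN-ACK out", Packet("tcp", MY_IP, passive_port, CLIENT, client_port))]
    return [(label, *evaluate(rules, pkt)) for label, pkt in segs]


if __name__ == "__main__":
    for name, text in (("as posted", RULESET), ("with data port", RULESET_WITH_DATA_PORT)):
        rules = parse_ruleset(text)
        for mode in ("active", "passive"):
            print(name, mode, ftp_data_connection(rules, mode))
```

Passive mode still fails under both rulesets, since the client's connection arrives on whatever high port the server picked; that is the case Antoine's "(b) from client to server" covers, and it needs either the passive port range or a stateful rule, neither of which the posted ruleset has.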
From owner-freebsd-security Wed Jun 13 6:35:30 2001
Delivered-To: freebsd-security@freebsd.org Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by hub.freebsd.org (Postfix) with ESMTP id 6749537B408 for ; Wed, 13 Jun 2001 06:35:19 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr6.exu.ericsson.se (mr6u3.ericy.com [208.237.135.123]) by imr1.ericy.com (8.11.3/8.11.3) with ESMTP id f5DDZDa23245; Wed, 13 Jun 2001 08:35:13 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr6.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5DDZD619320; Wed, 13 Jun 2001 08:35:13 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5DDZAG28876; Wed, 13 Jun 2001 09:35:11 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Wed, 13 Jun 2001 09:35:08 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id M6AW637K; Wed, 13 Jun 2001 09:33:00 -0400 From: "Antoine Beaupre (LMC)" To: Peter Werner Cc: Rob Simmons , "Antoine Beaupre (LMC)" , Jamie Norwood , freebsd-security@FreeBSD.ORG Message-ID: <3B276B88.4070904@lmc.ericsson.se> Date: Wed, 13 Jun 2001 09:32:56 -0400 Organization: LMC, Ericsson Research Canada User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW almost worksnow.) References: <026201c0f3ac$c5b0d9c0$0d00a8c0@documenta.com.au> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Actually, that's one thing I wondered about.. Does sftp need the user
to have a valid shell? There's always nologin... But passwd is also a
very neat idea. :)

A.

Peter Werner wrote:

> you can also make peoples shells '/bin/passwd', that way they can
> ssh in and change their passwd but that's it. add an entry into
> /etc/shells too if need be.
>
> -pete
> ----- Original Message -----
> From: Rob Simmons
> To: Antoine Beaupre (LMC)
> Cc: Jamie Norwood ; Antoine Beaupre (LMC)
> ;
> Sent: Wednesday, June 13, 2001 7:57 AM
> Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW
> almost worksnow.)
> --

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Wed Jun 13 6:46:32 2001
Delivered-To: freebsd-security@freebsd.org Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id 397AB37B405 for ; Wed, 13 Jun 2001 06:46:28 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr5.exu.ericsson.se (mr5att.ericy.com [138.85.92.13]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5DDjS807450; Wed, 13 Jun 2001 08:45:28 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr5.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5DDjMb18939; Wed, 13 Jun 2001 08:45:22 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5DDjKG29732; Wed, 13 Jun 2001 09:45:21 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail
Service (5.5.2653.19) id ; Wed, 13 Jun 2001 09:45:19 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id M6AW6PF1; Wed, 13 Jun 2001 09:44:28 -0400 From: "Antoine Beaupre (LMC)" To: Crist Clark Cc: Evren Yurtesen , Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Message-ID: <3B276E3A.1000207@lmc.ericsson.se> Date: Wed, 13 Jun 2001 09:44:26 -0400 Organization: LMC, Ericsson Research Canada User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: Re: HTTP and FTP References: <3B269FDD.B5323617@globalstar.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Crist Clark wrote:

> Evren Yurtesen wrote:
>
>>I wonder if it is possible in HTTP to make users login to their home dirs
>>automatically and when they put files it goes in with their uid,gid and of
>>course they will login with their own passwords? etc. =)
>>
>
> It should not be terribly difficult.

Actually, there's mod_put that is a plugin module for apache to do
something like that:

http://hpwww.ec-lyon.fr/~vincent/apache/mod_put.html

Please note, however, that there's not really a "login" session in
http. HTTP == stateless, FTP == stateful, as said somewhere else.

>>also what is the simplicity of that kind of setup compared with http
>>server instead of using an ftp server?
>
> [snipped discussion on implementation possibilities, see mod_put. :)]
> And the
> other issue is finding a HTTP client that will push POSTs how you want.

Netscape 3.0, amaya. ;)

Please see a dated article of Apache Week:

http://www.apacheweek.com/features/put

> The main limitation when considering HTTP versus FTP is to remember that
> HTTP is stateless and FTP is not. There are other little things here and
> there that HTTP cannot do that FTP can. I do not believe HTTP has a
> mechanism to rename a file (without downloading, deleting, and uploading).

Indeed, there isn't. Only GET/HEAD/OPTIONS/CONNECT/POST/PUT/DELETE, off
the top of my head. Anyway, HTTP clients haven't evolved in this
direction. The WWW is becoming more a TV than a publishing space, so
what the heck. Honestly, who of these AOL jerks even *knows* what FTP
*is*? Or "HTTP", for that matter! :) It's all "the web" or "the
internet" for them. Just the same zappers... And the protocol has
evolved to feed this direction.

> Although it is easy enough to make your own implementation there is none
> in HTTP itself (I could easily be wrong, I don't know RFC2616 by heart).

It would be useless because no client will implement it. If someone
mentions the J word, I hack a 125Mb jre into his head. ;)

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Wed Jun 13 6:49:42 2001
Delivered-To: freebsd-security@freebsd.org Received: from faulkner.netnet.net (faulkner.netnet.net [206.40.99.110]) by hub.freebsd.org (Postfix) with ESMTP id 1A5B637B401 for ; Wed, 13 Jun 2001 06:49:40 -0700 (PDT) (envelope-from brentc@netnet.net) Received: from fitzgerald.netnet.net (fitzgerald.netnet.net [206.40.99.111]) by faulkner.netnet.net (8.11.3/8.11.3) with ESMTP id f5DDnSR26961; Wed, 13 Jun 2001 08:49:28 -0500 Date: Wed, 13 Jun 2001 08:49:28 -0500 (CDT) From: Brent Crier To: Lim Seng Chor Cc: sEcurity@FreeBSD.ORG Subject: Re: port scan detector In-Reply-To: <3B181AD3.6467.1F9DB47@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I would suggest taking a look at 'portsentry'

www.psionic.com

-Brent

On Wed, 13 Jun 2001, Lim Seng Chor wrote:

> Hi,
> can somebody give me some direction on setting up the port scan
> detector on my freebsd box?
> which is the most efficient portscan detector? with good alert
> function and logging?
> Thank you very much!!!!
From owner-freebsd-security Wed Jun 13 7:29: 9 2001
Delivered-To: freebsd-security@freebsd.org Received: from mail3.home.nl (mail3.home.nl [213.51.129.227]) by hub.freebsd.org (Postfix) with ESMTP id 2373837B401 for ; Wed, 13 Jun 2001 07:29:03 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail3.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010613142754.GQYV29984.mail3.home.nl@windows>; Wed, 13 Jun 2001 15:27:54 +0100 Message-ID: <02a201c0f415$4dad56b0$0900a8c0@windows> From: "Marcel Dijk" To: "Crist Clark" , "Evren Yurtesen" Cc: "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , "Jason DiCioccio" , References: <3B2698EF.BD7EF0DB@globalstar.com> Subject: Re: IPFW almost works now. Date: Wed, 13 Jun 2001 16:29:49 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Marcel Dijk" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> To the original poster, also keep in mind that firewalls at the other
> end of your connection could be making trouble for you too. You can use
> tcpdump(8) and firewall logging to see if traffic is getting to your
> FTP server at all.
> --
> Crist J. Clark                                Network Security Engineer
> crist.clark@globalstar.com                    Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926

Traffic IS getting to the FTP server, because I can login.
The thing is when I have logged in and the client sends the LIST
command it can't read the directory and closes the connection. As
described here:

_______________________________________
Can't build data connection: interrupted system call.
ABOR command succesfull.
Connection Lost
_______________________________________

So, connection TO the server seems to work but when the server tries to
SEND traffic to the client it fails.

Marcel

From owner-freebsd-security Wed Jun 13 7:32:21 2001
Delivered-To: freebsd-security@freebsd.org Received: from mail2.home.nl (mail2.home.nl [213.51.129.226]) by hub.freebsd.org (Postfix) with ESMTP id 915BE37B405 for ; Wed, 13 Jun 2001 07:32:14 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail2.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010613153151.WKY6179.mail2.home.nl@windows>; Wed, 13 Jun 2001 16:31:51 +0100 Message-ID: <02ba01c0f415$bfeb3fd0$0900a8c0@windows> From: "Marcel Dijk" To: "alex" , References: <252254257.992389699@[192.168.2.94]> Subject: Re: IPFW almost works now.
(fwd) - correction Date: Wed, 13 Jun 2001 16:33:01 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Marcel Dijk" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> correct setup for active ftp:
>
> allow incoming packages with destination port 20 and 21
> allow outgoing packages with source port 20 and 21

________________________________________
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000

I have done the first part -> opened the port required for FTP (only a
different port than normal)

00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any

As far as I know, these lines make it possible for my server to connect
to everyone on every port.

00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
________________________________________
(MY_IP is my public/internet IP)

Marcel

From owner-freebsd-security Wed Jun 13 7:44: 1 2001
Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0534637B403 for ; Wed, 13 Jun 2001 07:43:48 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA30648; Wed, 13 Jun 2001 07:43:13 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda30646; Wed Jun 13 07:43:01 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5DEgtM26936; Wed, 13 Jun 2001 07:42:55 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdf26932; Wed Jun 13 07:42:22 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5DEgNB10141; Wed, 13 Jun 2001 07:42:23 -0700 (PDT) Message-Id: <200106131442.f5DEgNB10141@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdw10136; Wed Jun 13 07:42:06 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Garrett Wollman Cc: Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. In-reply-to: Your message of "Tue, 12 Jun 2001 16:44:02 EDT."
<200106122044.QAA93356@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 13 Jun 2001 07:42:06 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In message <200106122044.QAA93356@khavrinen.lcs.mit.edu>, Garrett Wollman writes:
> < > said:
>
> > No, it has a host of limitations all its own, not the least of which is
> > that it is actually less efficient at transferring files,
>
> Balderdash! HTTP and TCP both send files over identical TCP
> connections, which makes them equally efficient. There really is no
> reason for FTP to continue to exist (but yet it does).

On virtually every mailing list I'm on I've been advocating the deprecation of FTP, only to get flamed by advocates of FTP. The reason FTP is still used is because people want to use it. Until the majority can be educated (convinced) it will continue to be used. Code (CGI scripts, etc.) to perform uploads would be the start of the demise of FTP.
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC

From owner-freebsd-security Wed Jun 13 7:49:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 02F6537B401 for ; Wed, 13 Jun 2001 07:49:19 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f5DEmsB11168; Wed, 13 Jun 2001 10:48:55 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Wed, 13 Jun 2001 10:48:51 -0400 (EDT) From: Rob Simmons To: Peter Jeremy Cc: Ryan Masse , freebsd-security@FreeBSD.ORG Subject: Re: RELENG_4_3 In-Reply-To: <20010613154022.D95583@gsmx07.alcatel.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Wed, 13 Jun 2001, Peter Jeremy wrote:

> On 2001-Jun-13 00:33:44 -0400, Ryan Masse wrote:
> >not sure what exactly you mean by this. RELENG_4_3 is a security branch
> >specifically for 4.3-RELEASE. The standard make
> >buildworld/installworld/kernel would update your 4.3-RELEASE box with the
> >latest security fixes. Mergemaster in this situation can be skipped.
>
> No it can't. Since Rob's box is at -STABLE, it may be running _later_
> versions of some scripts. In any case, mergemaster still needs to be
> run on the RELENG_4_3 branch in case a security fix impacts /etc and
> related files.
>
> >> What is the best way to go about this? The buildworld/installworld/kernel
> >> part is straightforward.
> >> How would I get mergemaster to work in this
> >> situation.
>
> mergemaster does an equality comparison, rather than a relational
> comparison, on the CVS Id line. This means that you should be able to
> use mergemaster normally to go backwards in time, or across branches.

In that case, I will give it a try.

> Peter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7J31Wv8Bofna59hYRA7UxAJsECulS1cw3Z6YjUToxLirR4JsU2QCdExyw
w5Z1ZHjLT2M6ly7amozlP6Y=
=UZr6
-----END PGP SIGNATURE-----

From owner-freebsd-security Wed Jun 13 7:51:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.home.nl (mail1.home.nl [213.51.129.225]) by hub.freebsd.org (Postfix) with ESMTP id 237F137B401 for ; Wed, 13 Jun 2001 07:51:12 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail1.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010613145110.KOAG22865.mail1.home.nl@windows>; Wed, 13 Jun 2001 16:51:10 +0200 Message-ID: <02cb01c0f418$6553ff50$0900a8c0@windows> From: "Marcel Dijk" To: "Jason DiCioccio" , "'Thomas T. Veldhouse'" Cc: References: <657B20E93E93D4118F9700D0B73CE3EA0166D980@goofy.epylon.lan> Subject: Re: IPFW almost works now.
Date: Wed, 13 Jun 2001 16:51:55 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Marcel Dijk" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> See my correction, I stated that I had it backwards. I did forget to
> mention port 20 (or actually [FTP PORT-1]).. i stated what is needed
> on the client here by accident :-)..

So, if my FTP port would be 8466 then I should also open port 8465? Because it is FTP port -1.

Marcel

From owner-freebsd-security Wed Jun 13 8: 2:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by hub.freebsd.org (Postfix) with ESMTP id 7F26237B405 for ; Wed, 13 Jun 2001 08:02:17 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr6.exu.ericsson.se (mr6u3.ericy.com [208.237.135.123]) by imr1.ericy.com (8.11.3/8.11.3) with ESMTP id f5DF1Ca13579; Wed, 13 Jun 2001 10:01:12 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr6.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5DF1B610565; Wed, 13 Jun 2001 10:01:11 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5DF1AG07242; Wed, 13 Jun 2001 11:01:10 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Wed, 13 Jun 2001 11:01:08 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet
Mail Service Version 5.5.2653.13) id M6GN05T0; Wed, 13 Jun 2001 11:01:05 -0400 From: "Antoine Beaupre (LMC)" To: Cy Schubert - ITSD Open Systems Group Cc: Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Message-ID: <3B278030.3020305@lmc.ericsson.se> Date: Wed, 13 Jun 2001 11:01:04 -0400 Organization: LMC, Ericsson Research Canada User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: OT: FTP almost gone now? (was: Re: IPFW almost works now.) References: <200106131442.f5DEgNB10141@cwsys.cwsent.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Cy Schubert - ITSD Open Systems Group wrote:
> In message <200106122044.QAA93356@khavrinen.lcs.mit.edu>, Garrett
> Wollman writes:
>
>>< >>said:
>>
>>>No, it has a host of limitations all its own, not the least of which is
>>>that it is actually less efficient at transferring files,
>>>
>>Balderdash! HTTP and TCP both send files over identical TCP
>>connections, which makes them equally efficient. There really is no
>>reason for FTP to continue to exist (but yet it does).
>>
>
> On virtually every mailing list I'm on I've been advocating the
> deprecation of FTP, only to get flamed by advocates of FTP. The reason
> FTP is still used is because people want to use it. Until the majority
> can be educated (convinced) it will continue to be used. Code (CGI
> scripts, etc.) to perform uploads would be the start of the demise of
> FTP.

Actually, I think that nothing short of:

- the (possible?)
merge of mod_put in the main distro of Apache coupled with

- the implementation of PUT and DELETE methods on the client side (Netscape, IE and friends) along with

- some kind of standardization of the process of renaming, etc

would do it. Since this is completely unrealistic, ftp is here to stay. Or to be replaced with SFTP.

A.

--
Semantics is the gravity of abstraction.

From owner-freebsd-security Wed Jun 13 8: 3:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from www.spiderhost.com (www.spiderhost.com [216.53.186.37]) by hub.freebsd.org (Postfix) with ESMTP id 6743537B405 for ; Wed, 13 Jun 2001 08:03:07 -0700 (PDT) (envelope-from dale@spiderhost.com) Received: from localhost (dale@localhost) by www.spiderhost.com (8.11.2/8.11.0) with ESMTP id f5DF0Pm20226; Wed, 13 Jun 2001 11:00:25 -0400 (EDT) (envelope-from dale@spiderhost.com) Date: Wed, 13 Jun 2001 11:00:25 -0400 (EDT) From: Dale Frohman To: Marcel Dijk Cc: Crist Clark , Evren Yurtesen , "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , Jason DiCioccio , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. In-Reply-To: <02a201c0f415$4dad56b0$0900a8c0@windows> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

what ftp client are you using and what OS are you using this client on?

> > To the original poster, also keep in mind that firewalls at the other
> > end of your connection could be making trouble for you too. You can use
> > tcpdump(8) and firewall logging to see if traffic is getting to your
> > FTP server at all.
> > --
> > Crist J. Clark Network Security Engineer
> > crist.clark@globalstar.com Globalstar, L.P.
> > (408) 933-4387 FAX: (408) 933-4926
>
> Traffic IS getting to the FTP server, because I can login. The thing is when
> I have logged in and the client sends the LIST command it can't read the
> directory and closes the connection. As described here:
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command succesfull.
> Connection Lost
> _______________________________________
>
> So, connection TO the server seems to work but when the server tries to SEND
> traffic to the client it fails.
>
> Marcel

From owner-freebsd-security Wed Jun 13 8: 9: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from joe.pythonvideo.com (joe.pythonvideo.com [216.130.212.49]) by hub.freebsd.org (Postfix) with ESMTP id 40E2537B408 for ; Wed, 13 Jun 2001 08:08:51 -0700 (PDT) (envelope-from joe@advancewebhosting.com) Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.3/8.11.0) with ESMTP id f5DF8AR05459; Wed, 13 Jun 2001 11:08:10 -0400 (EDT) (envelope-from joe@advancewebhosting.com) X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs Date: Wed, 13 Jun 2001 11:08:10 -0400 (EDT) From: Joe Oliveiro X-Sender: joe@joe.pythonvideo.com To: "Antoine Beaupre (LMC)" Cc: Cy Schubert - ITSD Open Systems Group , Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
In-Reply-To: <3B278030.3020305@lmc.ericsson.se> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

How are you going to transfer files back and forth if the server doesn't have FTP and no HTTPD running? wget is good for getting files to the server without httpd/ftpd but how are you going to get files on that server to others? FTP will be around for good because it is the norm for transferring files.

Joe

On Wed, 13 Jun 2001, Antoine Beaupre (LMC) wrote:

> Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message <200106122044.QAA93356@khavrinen.lcs.mit.edu>, Garrett
> > Wollman writes:
> >
> >>< >>said:
> >>
> >>>No, it has a host of limitations all its own, not the least of which is
> >>>that it is actually less efficient at transferring files,
> >>>
> >>Balderdash! HTTP and TCP both send files over identical TCP
> >>connections, which makes them equally efficient. There really is no
> >>reason for FTP to continue to exist (but yet it does).
> >>
> >
> > On virtually every mailing list I'm on I've been advocating the
> > deprecation of FTP, only to get flamed by advocates of FTP. The reason
> > FTP is still used is because people want to use it. Until the majority
> > can be educated (convinced) it will continue to be used. Code (CGI
> > scripts, etc.) to perform uploads would be the start of the demise of
> > FTP.
>
> Actually, I think that nothing short of:
>
> - the (possible?) merge of mod_put in the main distro of Apache coupled with
>
> - the implementation of PUT and DELETE methods on the client side (Netscape, IE and friends) along with
>
> - some kind of standardization of the process of renaming, etc
>
> would do it. Since this is completely unrealistic, ftp is here to stay. Or to be replaced with SFTP.
>
> A.
>
> --
> Semantics is the gravity of abstraction.

From owner-freebsd-security Wed Jun 13 8:13:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by hub.freebsd.org (Postfix) with ESMTP id 476CC37B40B for ; Wed, 13 Jun 2001 08:12:59 -0700 (PDT) (envelope-from nospam@hiltonbsd.com) Received: from [209.224.22.80] (helo=daggar) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 15ACKH-00046R-00 for freebsd-security@FreeBSD.ORG; Wed, 13 Jun 2001 10:12:57 -0500 From: "Stephen Hilton" To: Subject: Re: tripwire Date: Wed, 13 Jun 2001 10:14:16 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear Mr. Schubert

Regarding your post about the tripwire port, I think this is a good idea in that some feedback could be obtained regarding the policy file setup.
I have been using aide 0.7 on my systems and was interested if the "list" thinks this is a "solid" enough solution for integrity checking? I am aware that aide is a memory hog, but the systems I administer are used primarily during business hours, so aide can be run at night without user performance impact.

Thanks for all your FreeBSD and IPFilter support,

Sincerely,
Stephen Hilton
nospam@hiltonbsd.com

From owner-freebsd-security Wed Jun 13 8:14:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [209.16.107.11]) by hub.freebsd.org (Postfix) with ESMTP id CF4E037B414 for ; Wed, 13 Jun 2001 08:13:58 -0700 (PDT) (envelope-from mistwolf@diarmadhi.mushhaven.net) Received: (from mistwolf@localhost) by diarmadhi.mushhaven.net (8.11.4/8.11.4) id f5DFEL600924 for freebsd-security@FreeBSD.ORG; Wed, 13 Jun 2001 11:14:21 -0400 (EDT) (envelope-from mistwolf) Date: Wed, 13 Jun 2001 11:14:21 -0400 From: Jamie Norwood To: freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <20010613111421.A777@mushhaven.net> References: <200106131442.f5DEgNB10141@cwsys.cwsent.com> <3B278030.3020305@lmc.ericsson.se> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B278030.3020305@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Wed, Jun 13, 2001 at 11:01:04AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
> Cy Schubert - ITSD Open Systems Group wrote:
> > On virtually every mailing list I'm on I've been advocating the
> > deprecation of FTP, only to get flamed by advocates of FTP. The reason
> > FTP is still used is because people want to use it. Until the majority
> > can be educated (convinced) it will continue to be used. Code (CGI
> > scripts, etc.) to perform uploads would be the start of the demise of
> > FTP.

My main issue is that no one has yet given me a good reason WHY FTP should be deprecated. All I keep hearing is most people saying 'Because HTTP is better, though it needs to be fixed to do what FTP does', and a few feeble cries of 'It's more secure to just have one service doing both, and since Apache is more secure than FTP (Assuming, of course, you use it in stock form and don't turn anything special on!), we should drop FTP!'. No one has addressed my concerns at all, and seem to mostly ignore them. Just to be inflammatory about it, it is a common tactic when people are presented with an argument they don't know how to counter, to just ignore it.

My main concern is the fact that, first off, HTTP doesn't, in most of its current incarnations (both client and server), have an easy and sane way to handle uploading files, securely or otherwise.

My secondary concern is ease of use.
FTP is extremely easy to use, and powerful at the same time. It has many well-written text-based applications for its use. HTTP has Lynx and Links, neither of which is adequate. Both rely on having high-quality terminal emulation with no quirks, a rare thing. I can pull up 'ftp' on any client, anywhere, and not have to worry that curses/ncurses/xterm/whatever will not like some of its code. I've yet to see Lynx not look bad, and Links isn't much better.

Tertiarily, there is the concept of statefulness. HTTP is stateless, which is well and good for people behind firewalls and such, but FTP is stateful. This allows us to be MUCH more interactive with the server.

HTTP is nice, for what it does. It is a good 'Hyper Text Transfer Protocol'. And FTP is a good 'File Transfer Protocol'. Yes, HTTP can transfer files, but it is not a suitable replacement for FTP. And I have, again, not heard anyone who is advocating ditching FTP give any realistic and practical reason why FTP is so evil. FTP does what it does very well, and should be allowed to continue to do so.
Jamie

From owner-freebsd-security Wed Jun 13 8:15:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from unity.agava.ru (unity.agava.ru [213.59.3.227]) by hub.freebsd.org (Postfix) with ESMTP id B7CA437B40B for ; Wed, 13 Jun 2001 08:15:22 -0700 (PDT) (envelope-from m_ilya@agava.com) Received: from relay2.agava.net.ru (unknown [193.125.142.2]) by unity.agava.ru (Postfix) with ESMTP id D5D3727E968; Wed, 13 Jun 2001 19:15:19 +0400 (MSD) Received: from gw.office.agava.ru (2.oivt.mipt.ru [193.125.142.2]) by relay2.agava.net.ru (Postfix) with ESMTP id 9CC7B43452; Wed, 13 Jun 2001 19:14:03 +0400 (MSD) Received: from juil.domain (juil.domain [192.168.1.50]) by gw.office.agava.ru (Postfix) with ESMTP id 482C35E1E; Wed, 13 Jun 2001 19:14:03 +0400 (MSD) Received: by juil.domain (Postfix, from userid 1000) id 7BB0D1BD81; Wed, 13 Jun 2001 19:08:56 +0400 (MSD) To: "Antoine Beaupre (LMC)" Cc: Cy Schubert - ITSD Open Systems Group , Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) References: <200106131442.f5DEgNB10141@cwsys.cwsent.com> <3B278030.3020305@lmc.ericsson.se> From: Ilya Martynov Date: 13 Jun 2001 19:08:56 +0400 In-Reply-To: <3B278030.3020305@lmc.ericsson.se> Message-ID: <877kygwh6f.fsf@juil.domain> Lines: 20 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.0.103 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

AB> - the (possible?)
AB> merge of mod_put in the main distro of Apache
AB> coupled with - the implementation of PUT and DELETE methods on the
AB> client side (Netscape, IE and friends) along with - some kind of
AB> standardization of the process of renaming, etc
AB> would do it. Since this is completely unrealistic, ftp is here to
AB> stay. Or to be replaced with SFTP. A.

It is not completely unrealistic. It is already done :) Apache 2.0 should contain mod_dav (for Apache 1.3 it is available as a separate module) which provides support for the WebDAV protocol. PUT is part of it. And latest versions of IE already support it.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/) |
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80 E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/) |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-freebsd-security Wed Jun 13 8:17:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns2.sysadmin-inc.com (ns2.sysadmin-inc.com [209.16.228.145]) by hub.freebsd.org (Postfix) with SMTP id EAF4637B407 for ; Wed, 13 Jun 2001 08:17:49 -0700 (PDT) (envelope-from pab@sysadmin-inc.com) Received: (qmail 3835 invoked by alias); 13 Jun 2001 15:17:48 -0000 Received: from unknown (HELO w2kstest) (10.10.1.70) by ns2.sysadmin-inc.com with SMTP; 13 Jun 2001 15:17:48 -0000 From: "Peter Brezny" To: Subject: FW: FTP almost gone now? (was: Re: IPFW almost works now.)
Date: Wed, 13 Jun 2001 11:17:07 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>Balderdash! HTTP and TCP both send files over identical TCP >>connections, which makes them equally efficient. There really is no >>reason for FTP to continue to exist (but yet it does). I was under the impression that the http protocol is a much 'chattier' protocol than ftp, and that regardless of them running on identical tcp connections, FTP is much more efficient by nature of the Protocol. Someone clear this up for me. Regardless, though, a secure, standardized method for PUT to work would be great for me. We've got a number of clients who want to transfer large files without having to 'figure out' how to use an ftp client. A web page they could log into that would guide them through the process of transferring files would be great. I guess we should stop yapping, and start putting something together. Thanks Antoine for the great article on apacheweek. Peter Brezny SysAdmin Services Inc. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Antoine Beaupre (LMC) Sent: Wednesday, June 13, 2001 11:01 AM To: Cy Schubert - ITSD Open Systems Group Cc: Garrett Wollman; Jamie Norwood; freebsd-security@FreeBSD.ORG Subject: OT: FTP almost gone now? (was: Re: IPFW almost works now.) 
Cy Schubert - ITSD Open Systems Group wrote:
> In message <200106122044.QAA93356@khavrinen.lcs.mit.edu>, Garrett
> Wollman writes:
>
>>< >>said:
>>
>>>No, it has a host of limitations all its own, not the least of which is
>>>that it is actually less efficient at transferring files,
>>>
>>Balderdash! HTTP and TCP both send files over identical TCP
>>connections, which makes them equally efficient. There really is no
>>reason for FTP to continue to exist (but yet it does).
>>
>
> On virtually every mailing list I'm on I've been advocating the
> deprecation of FTP, only to get flamed by advocates of FTP. The reason
> FTP is still used is because people want to use it. Until the majority
> can be educated (convinced) it will continue to be used. Code (CGI
> scripts, etc.) to perform uploads would be the start of the demise of
> FTP.

Actually, I think that nothing short of:

- the (possible?) merge of mod_put in the main distro of Apache coupled with

- the implementation of PUT and DELETE methods on the client side (Netscape, IE and friends) along with

- some kind of standardization of the process of renaming, etc

would do it. Since this is completely unrealistic, ftp is here to stay. Or to be replaced with SFTP.

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Wed Jun 13 8:21:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail3.home.nl (mail3.home.nl [213.51.129.227]) by hub.freebsd.org (Postfix) with ESMTP id E7F3737B405 for ; Wed, 13 Jun 2001 08:21:05 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail3.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010613151957.GXEV29984.mail3.home.nl@windows>; Wed, 13 Jun 2001 16:19:57 +0100 Message-ID: <032f01c0f41c$9319d820$0900a8c0@windows> From: "Marcel Dijk" To: "Antoine Beaupre (LMC)" Cc: "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , "Jason DiCioccio" , References: <657B20E93E93D4118F9700D0B73CE3EA0166D97D@goofy.epylon.lan> <01fe01c0f37e$c5948e10$3028680a@tgt.com> <3B267EDA.9070605@lmc.ericsson.se> <025101c0f385$91092730$0900a8c0@windows> <3B276A18.1070703@lmc.ericsson.se> Subject: Re: IPFW almost works now. Date: Wed, 13 Jun 2001 17:21:52 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 Disposition-Notification-To: "Marcel Dijk" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Only the ports I want to be open are open now, and I can access the services
> > behind these ports. The only problem is FTP. If I try to access the FTP
> > daemon on port 5617 from for example my work (the FTP daemon runs at home) I
> > get an error.
>
> The error below, I guess. This is probably associated with logs and
> errors on the firewall side. These are the ones we're interested in here.

Which logs do you want to see? I will post them immediately.

> > I can connect, I have to give my username and pass. It then establishes a
> > connection and tries to execute the LIST command. But then I get this error
> >
> > _______________________________________
> > Can't build data connection: interrupted system call.
> > ABOR command succesfull.
> > Connection Lost
> > _______________________________________
>
> This is "normal", in a sense that if port 21 (or 20?) is open, you can
> open the "control connection" to give FTP commands (such as USER, ABOR,
> etc) but not get the output of PORT commands (output of GET, LIST, which
> open a connection: (a) from server to client for ACTIVE mode, or (b)
> from client to server for PASSIVE mode.

So, that means open the ports required?

> > I have these IPFW rules defined:
> >
> > ________________________________________
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00220 divert 8668 ip from any to any via ed0
> > 00400 deny ip from 127.0.0.0/8 to any
> > 00615 allow tcp from any to MY_IP 22,5617,10000
> > 00625 allow tcp from MY_IP to any
> > 00650 allow udp from any to MY_IP
> > 00700 allow udp from MY_IP to any
> > 00750 allow icmp from MY_IP to any
> > 00800 allow icmp from any to MY_IP
> > 00850 allow ip from 192.168.0.0/16 to any
> > 00900 allow ip from any to 192.168.0.0/16
> > 65535 deny ip from any to any
> > ________________________________________
> > (MY_IP is my public/internet IP)
>
> I don't understand why you can connect to your ftp at all. Is it setup
> to listen on 5617 instead of standard 20,21?

Yes, it is.

> I don't think I can help you very much here, unless you provide logfiles.

Which logs do you need to see?
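The ruleset quoted above, evaluated against the packets an FTP session actually generates. This is an added example, not part of Marcel's message or anyone else's code in the thread. It models ipfw's first-match, stateless behaviour for the small subset of syntax the posted rules use; MY_IP and the client address are placeholder documentation addresses, the ports are the ones from the thread (control 5617, so active-mode data from 5616, as ftpd uses control port minus one), and the passive range 49152-65535 is an assumption to check against `sysctl net.inet.ip.portrange.hifirst` and `hilast` on the real server.

```python
"""Stateless ipfw(8) rule evaluation for the packets an FTP session generates.
Added example, not from the thread. The parser covers only the subset of ipfw
syntax used by the posted rules, plus the `established` and `setup` options."""
import ipaddress
from dataclasses import dataclass

MY_IP = "203.0.113.10"    # placeholder public address (TEST-NET-3), stands in for MY_IP
CLIENT = "198.51.100.7"   # placeholder FTP client (TEST-NET-2)
FTP_PORT = 5617           # non-standard control port from the thread
DATA_PORT = FTP_PORT - 1  # active-mode data port: ftpd uses the control port minus one

# The ruleset exactly as posted, including the default deny.
POSTED_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00220 divert 8668 ip from any to any via ed0
00400 deny ip from 127.0.0.0/8 to any
00615 allow tcp from any to MY_IP 22,5617,10000
00625 allow tcp from MY_IP to any
00650 allow udp from any to MY_IP
00700 allow udp from MY_IP to any
00750 allow icmp from MY_IP to any
00800 allow icmp from any to MY_IP
00850 allow ip from 192.168.0.0/16 to any
00900 allow ip from any to 192.168.0.0/16
65535 deny ip from any to any
"""

# Two added rules: replies to connections the server itself opened (the
# active-mode data connection), and inbound setup to the passive data range.
# 49152-65535 is an assumption; check net.inet.ip.portrange.hifirst/hilast.
FIXED_RULES = POSTED_RULES.replace(
    "00615", "00610 allow tcp from any to any established\n"
             "00612 allow tcp from any to MY_IP 49152-65535 setup\n00615")

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # ACK (or RST) bit set: what ipfw `established` matches
    iface: str = "ed0"

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def parse_rule(line):
    tok = line.replace("MY_IP", MY_IP).split()
    num, action = int(tok[0]), tok[1]
    i = 3 if action == "divert" else 2       # divert carries a port before the proto
    rule = {"num": num, "action": action, "proto": tok[i], "src": "any", "sports": None,
            "dst": "any", "dports": None, "via": None,
            "established": "established" in tok, "setup": "setup" in tok}
    i += 1
    while i < len(tok):
        if tok[i] in ("from", "to"):
            side = "src" if tok[i] == "from" else "dst"
            rule[side] = tok[i + 1]
            i += 2
            if i < len(tok) and tok[i][0].isdigit():   # optional port list/range
                rule["sports" if side == "src" else "dports"] = tok[i]
                i += 1
        elif tok[i] == "via":
            rule["via"] = tok[i + 1]
            i += 2
        else:
            i += 1
    return rule

def parse_rules(text):
    return [parse_rule(l) for l in text.strip().splitlines()]

def evaluate(rules, pkt):
    """First matching rule wins. divert hands the packet to natd and does not
    end the search; 65535 is the default deny."""
    for r in rules:
        if r["action"] == "divert" or r["proto"] not in ("ip", pkt.proto):
            continue
        if r["via"] and r["via"] != pkt.iface:
            continue
        if (r["established"] and not pkt.ack) or (r["setup"] and pkt.ack):
            continue
        if (_addr_ok(r["src"], pkt.src) and _port_ok(r["sports"], pkt.sport)
                and _addr_ok(r["dst"], pkt.dst) and _port_ok(r["dports"], pkt.dport)):
            return r["action"], r["num"]
    return "deny", 65535

def ftp_session():
    """One FTP session: the control connection, then the data connection in
    active mode (server connects out from port L-1) and in passive mode
    (client connects in to a high port the server announced)."""
    return {
        "control SYN in":         Packet("tcp", CLIENT, 40000, MY_IP, FTP_PORT),
        "control SYN/ACK out":    Packet("tcp", MY_IP, FTP_PORT, CLIENT, 40000, ack=True),
        "active data SYN out":    Packet("tcp", MY_IP, DATA_PORT, CLIENT, 40001),
        "active data SYN/ACK in": Packet("tcp", CLIENT, 40001, MY_IP, DATA_PORT, ack=True),
        "passive data SYN in":    Packet("tcp", CLIENT, 40002, MY_IP, 55000),
    }

def audit(rule_text):
    rules = parse_rules(rule_text)
    return {label: evaluate(rules, pkt) for label, pkt in ftp_session().items()}

if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(f"== {name} ruleset")
        for label, (action, num) in audit(text).items():
            print(f"  {label:24} {action:5} by rule {num:05d}")
```

Run against the posted rules, the control connection and the server's outbound data SYN are both allowed, but the client's SYN/ACK back to port 5616 matches nothing before the default deny, which is exactly the "Can't build data connection" symptom: rule 00625 lets the server send, and nothing lets the reply in. Passive mode fails for the same reason one step earlier, since the client's SYN to a high port is not in the 00615 list. The two added rules are the stateless fix (`established` for replies, `setup` into the passive range); on a FreeBSD 4.x ipfw, `keep-state`/`check-state` is the stateful alternative.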
Marcel

From owner-freebsd-security Wed Jun 13 8:22:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [209.16.107.11]) by hub.freebsd.org (Postfix) with ESMTP id 6266937B401 for ; Wed, 13 Jun 2001 08:22:06 -0700 (PDT) (envelope-from mistwolf@diarmadhi.mushhaven.net) Received: (from mistwolf@localhost) by diarmadhi.mushhaven.net (8.11.4/8.11.4) id f5DFMSw01079; Wed, 13 Jun 2001 11:22:28 -0400 (EDT) (envelope-from mistwolf) Date: Wed, 13 Jun 2001 11:22:28 -0400 From: Jamie Norwood To: Peter Brezny Cc: freebsd-security@FreeBSD.ORG Subject: Re: FW: FTP almost gone now? (was: Re: IPFW almost works now.) Message-ID: <20010613112228.A1043@mushhaven.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: ; from pab@sysadmin-inc.com on Wed, Jun 13, 2001 at 11:17:07AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Jun 13, 2001 at 11:17:07AM -0400, Peter Brezny wrote:
> >>Balderdash! HTTP and TCP both send files over identical TCP
> >>connections, which makes them equally efficient. There really is no
> >>reason for FTP to continue to exist (but yet it does).
>
> I was under the impression that the http protocol is a much 'chattier'
> protocol than ftp, and that regardless of them running on identical tcp
> connections, FTP is much more efficient by nature of the Protocol.

This was my understanding as well, but I have no more data than you, hence why I conceded that argument for the moment.

> Someone clear this up for me.
>
> Regardless, though, a secure, standardized method for PUT to work would be
> great for me.
> We've got a number of clients who want to transfer large
> files without having to 'figure out' how to use an ftp client. A web page
> they could log into that would guide them through the process of
> transferring files would be great.

I agree, this would be 'nice', but replacing FTP with this isn't an option.
Do not take away .my. tools because .your. users are too lazy to learn what
they are doing. The Internet doesn't need any more dumbing-down than it's
already had. FTP is not hard. There are plenty of point-n-drool applications
out there, so the only excuse is one of laziness.

> I guess we should stop yapping, and start putting something together.
>
> Thanks Antoine for the great article on apacheweek.

Good luck with it.

Jamie

> Peter Brezny
> SysAdmin Services Inc.
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Antoine Beaupre
> (LMC)
> Sent: Wednesday, June 13, 2001 11:01 AM
> To: Cy Schubert - ITSD Open Systems Group
> Cc: Garrett Wollman; Jamie Norwood; freebsd-security@FreeBSD.ORG
> Subject: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
>
>
> Cy Schubert - ITSD Open Systems Group wrote:
>
> > In message <200106122044.QAA93356@khavrinen.lcs.mit.edu>, Garrett
> > Wollman writes:
> >
> >> <
> >> said:
> >>
> >>> No, it has a host of limitations all its own, not the least of which is
> >>> that it is actually less efficient at transferring files,
> >>
> >> Balderdash! HTTP and TCP both send files over identical TCP
> >> connections, which makes them equally efficient. There really is no
> >> reason for FTP to continue to exist (but yet it does).
> >
> > On virtually every mailing list I'm on I've been advocating the
> > deprecation of FTP, only to get flamed by advocates of FTP. The reason
> > FTP is still used is because people want to use it. Until the majority
> > can be educated (convinced) it will continue to be used. Code (CGI
> > scripts, etc.)
> > to perform uploads would be the start of the demise of
> > FTP.
>
> Actually, I think that nothing short of:
>
> - the (possible?) merge of mod_put in the main distro of Apache coupled with
> - the implementation of PUT and DELETE methods on the client side (Netscape,
>   IE and friends) along with
> - some kind of standardization of the process of renaming, etc
>
> would do it. Since this is completely unrealistic, ftp is here to stay. Or to
> be replaced with SFTP.
>
> A.
>
> --
> Semantics is the gravity of abstraction.

From owner-freebsd-security Wed Jun 13 08:24:29 2001
From: Jamie Norwood
To: freebsd-security@freebsd.org
Date: Wed, 13 Jun 2001 11:24:47 -0400
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <20010613112447.B1043@mushhaven.net>
In-Reply-To: <72097.992445650@axl.seasidesoftware.co.za>

On Wed, Jun 13, 2001 at 05:20:50PM +0200, Sheldon Hearn wrote:
>
> On Wed, 13 Jun 2001 11:14:21 -0400, Jamie Norwood wrote:
>
> > My main issue is that no one has yet given me a good reason WHY FTP should
> > be deprecated.
>
> Because it uses out-of-band socket connections for the actual transfer,
> while HTTP transactions occur through a single socket connection. This
> makes HTTP much easier to support from a firewalling perspective.

Which is all well and good, but doesn't say why FTP should be replaced.
There are far more people using FTP from outside firewalls than inside.
And a properly configured firewall should not have much problem. I have
been behind plenty of firewalls and been perfectly able to FTP. And they
were no more insecure than one that allows in/out http traffic.

Jamie

> as simple as HTTP from a firewall admin's perspective.
>
> Ciao,
> Sheldon.
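An added example (my code, not anything posted in this thread) of the bookkeeping a "properly configured firewall" has to do for FTP, which is the substance of Sheldon's point above: the data connection is announced inside the control channel, so the firewall must read the client's PORT command (active mode, server connects back from port 20) or the server's 227 reply to PASV (passive mode, client connects to the advertised port) to know which flow to permit. The addresses 192.0.2.10 and 198.51.100.1 are constructed; the rule text follows the ipfw syntax of the rule list quoted earlier in the thread.

```python
"""Which data connection does an FTP control-channel line announce?"""
import re
from dataclasses import dataclass
from typing import Optional

# The "h1,h2,h3,h4,p1,p2" tuple used by the client's PORT command and by the
# server's "227 Entering Passive Mode (...)" reply to PASV.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataFlow:
    mode: str                # "active": server dials client; "passive": client dials server
    src_ip: str              # host that opens the data TCP connection
    src_port: Optional[int]  # 20 (ftp-data) in active mode; not known in advance in passive
    dst_ip: str
    dst_port: int


def parse_hostport(text: str):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple, rejecting malformed ones."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range in %r" % text)
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 advertised in %r" % text)
    return ".".join(str(n) for n in nums[:4]), port


def expected_data_flow(line: str, client_ip: str, server_ip: str) -> Optional[DataFlow]:
    """Inspect one control-channel line and describe the data connection it announces.

    The line may come from either side; anything other than PORT or a 227
    reply yields None. The advertised address must equal the peer already on
    the control connection; a mismatch is refused rather than turned into a
    firewall opening for some third host.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        ip, port = parse_hostport(text)
        if ip != client_ip:
            raise ValueError("PORT names %s but the client is %s" % (ip, client_ip))
        # Active mode: the server connects back from its ftp-data port (20).
        return DataFlow("active", server_ip, 20, ip, port)
    if text.startswith("227"):
        ip, port = parse_hostport(text)
        if ip != server_ip:
            raise ValueError("PASV reply names %s but the server is %s" % (ip, server_ip))
        # Passive mode: the client connects from an ephemeral port to the server.
        return DataFlow("passive", client_ip, None, ip, port)
    return None


def ipfw_allow_rule(flow: DataFlow) -> str:
    """Render the single 'allow' rule that data connection needs, in the syntax of
    the rule list quoted earlier in the thread (rule number and interface omitted)."""
    src = flow.src_ip if flow.src_port is None else "%s %d" % (flow.src_ip, flow.src_port)
    return "allow tcp from %s to %s %d" % (src, flow.dst_ip, flow.dst_port)


if __name__ == "__main__":
    # Constructed exchange between client 192.0.2.10 and server 198.51.100.1.
    CLIENT, SERVER = "192.0.2.10", "198.51.100.1"
    for msg in ["USER anonymous", "PORT 192,0,2,10,4,1", "LIST",
                "227 Entering Passive Mode (198,51,100,1,195,80)."]:
        flow = expected_data_flow(msg, CLIENT, SERVER)
        print("%-48s -> %s" % (msg, ipfw_allow_rule(flow) if flow else "no data connection"))
```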
From owner-freebsd-security Wed Jun 13 08:26:15 2001
From: Jamie Norwood
To: freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 11:26:34 -0400
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <20010613112634.A1173@mushhaven.net>
In-Reply-To: <20010613112447.B1043@mushhaven.net>

On Wed, Jun 13, 2001 at 11:24:47AM -0400, Jamie Norwood wrote:
> On Wed, Jun 13, 2001 at 05:20:50PM +0200, Sheldon Hearn wrote:
>
> Which is all well and good, but doesn't say why FTP should be replaced.
> There are far more people using FTP from outside firewalls than inside.
> And a properly configured firewall should not have much problem. I have
> been behind plenty of firewalls and been perfectly able to FTP. And
> they were no more insecure than one that allows in/out http traffic.
>
> Jamie

Apologies to Sheldon, I didn't realise he only sent his message to me and
not to the list, and was quite in the habit of rewriting the headers
because I don't think anyone here enjoys getting two copies of every
message. Forgive me, Sheldon.

Jamie

From owner-freebsd-security Wed Jun 13 08:26:29 2001
From: "Sam Leffler"
To: "Cy Schubert - ITSD Open Systems Group", "Sheldon Hearn"
Date: Wed, 13 Jun 2001 08:25:22 -0700
Subject: Re: tripwire
Message-ID: <0a6301c0f41d$0fb78c10$24a6d4d1@melange>
References: <200106131323.f5DDNLU09513@cwsys.cwsent.com>

I thought 2.3.1 was proprietary and source was not available. I'd never
have run it in linux emulation mode if I'd located the source...
Sam

----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group"
To: "Sheldon Hearn"
Cc: "Sam Leffler";
Sent: Wednesday, June 13, 2001 6:22 AM
Subject: Re: tripwire

> In message <68633.992422998@axl.seasidesoftware.co.za>, Sheldon Hearn
> writes:
> >
> > On Tue, 12 Jun 2001 21:44:37 MST, "Sam Leffler" wrote:
> >
> > > Do folks use tripwire or is there a preferred alternative? The LGPL Linux
> > > 2.2.1 version works fine in compatibility mode under 4.3-R (after a little
> > > tweaking to get it installed).
> >
> > You can use a native version, as built from the ports tree:
> >
> > /path/to/ports/tripwire
> > /path/to/ports/tripwire-131
> >
> > It works very well for many people. Reading the accompanying
> > documentation is worthwhile.
>
> I'm currently working on a tripwire-231 port. It compiles and runs on
> FreeBSD using native FreeBSD binaries. I'm about 30% complete on a
> FreeBSD-specific policy file. The policy file shipped with the source
> is RedHat-specific: Many binaries that exist on RedHat do not exist on
> FreeBSD and vice versa. Also many binaries on RedHat that reside in
> /bin, /sbin, and /lib reside in /usr/bin, /usr/sbin, and /usr/lib. I
> must say that I'm discovering some of the esoteric bits and pieces of
> both RedHat and FreeBSD in the translation process.
>
> If people want, I could shortcut the whole process by creating a
> generic policy file similar to the generic nature of the tripwire-131
> policy file. This would give us a tripwire-231 port now and an updated
> tripwire-231 port with a FreeBSD-specific policy file later when I've
> completed building the FreeBSD policy file. If people see value in
> this, I will do it.
>
>
> Regards,                          Phone:     (250)387-8437
> Cy Schubert                       Fax:       (250)387-5766
> Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

From owner-freebsd-security Wed Jun 13 08:31:36 2001
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 17:31:20 +0200
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <20010613173119.A24077@petra.hos.u-szeged.hu>
In-Reply-To: <3B278030.3020305@lmc.ericsson.se>

On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
> Cy Schubert - ITSD Open Systems Group wrote:
> > On virtually every mailing list I'm on I've been advocating the
> > deprecation of FTP, only to get flamed by advocates of FTP.
> > The reason
> > FTP is still used is because people want to use it. Until the majority
> > can be educated (convinced) it will continue to be used. Code (CGI
> > scripts, etc.) to perform uploads would be the start of the demise of
> > FTP.
>
> Actually, I think that nothing short of:
>
> - the (possible?) merge of mod_put in the main distro of Apache coupled with
> - the implementation of PUT and DELETE methods on the client side (Netscape,
>   IE and friends) along with
> - some kind of standardization of the process of renaming, etc
>
> would do it. Since this is completely unrealistic, ftp is here to stay. Or
> to be replaced with SFTP.

And I think that it is not very sensible to expect that one protocol will
go away and be replaced by the other, since they were designed with
different aims in mind and indeed serve different purposes.

- HTTP is a "display that page with hyperlinks and with multimedia"
  protocol, mostly read-only. Just think about it: in today's setups, the
  web server is simply not expected to write anything except logs. Hence
  the "www" user the server runs under, and the requirement that the web
  server not own any files in the web root.

- FTP is, simply put, a remote shell with some restrictions and better
  file transfer capabilities than telnet.

The two relate to each other in a similar way as POP and IMAP: the latter
is also some sort of remote shell for manipulating mails. That's why
securing either FTP or IMAP is a whole lot more difficult, but HTTP would
be no better if you had to give it the ability to actually change files.
In my book, CGI is not a synonym for security either. The problem here is
that *any* protocol that can change files on the system vs simply reading
them is potentially a whole lot more dangerous and needs a lot more
attention.
The fact that ftp sends its passwords in the clear is bad, but IMHO it is
much worse that POP usually does the same thing and most people do not
even know that every time they check for mail (like every 5 minutes) they
send their pwds in the clear! This happens a whole lot more often than
ftping with your personal account IMHO.

Also, every one of us knows that SSL is not only more resource-hungry
(same goes for any encrypted connection) but not even as good as it seems,
since client-side certs are not usual and will not be for quite some time.

OTOH in anonymous file serving, where pwds are unimportant, ftp still
wins. Not because there is some fundamental difference in the two
protocols' handling of TCP, but because ftp servers are optimized for
sustained longer downloads, while www servers were optimized for faster
response and reload times with smaller files.

Reusing http in ftp's role is approx as productive as abusing POP by
implementing IMAP-like features in it, *if you need the functionality*.
If you don't, then don't use ftp/IMAP. (anyone besides me thinking that
the HTTP extensions in newer versions of MS Office are pure bs?)

My take: If you already have a home dir that you can ftp to, then it is
better to use ssh/scp since it is more secure. (and giving you login privs
is not that much more dangerous than it is to let you tamper with a daemon
running as root.) If you only need to read, go with HTTP. If it is an
intranet server, then hide it from the Net. If you need anon file serving
to the Net at large, use ftp (or HTTP) and place it outside of your
intranet, eg in a DMZ.

Simple? No. But doable. And it is as good as the alternatives.
--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Wed Jun 13 08:53:04 2001
From: Brendan Murphy
To: Crist Clark
Cc: Evren Yurtesen, Garrett Wollman, Jamie Norwood
Date: Wed, 13 Jun 2001 09:47:24 -0600 (MDT)
Subject: Re: HTTP and FTP
In-Reply-To: <3B269FDD.B5323617@globalstar.com>

On Tue, 12 Jun 2001, Crist Clark wrote:
> Evren Yurtesen wrote:
> >
> > I wonder if it is possible in HTTP to make users login to their home dirs
> > automatically and when they put files it goes in with their uid,gid and of
> > course they will login with their own passwords? etc. =)
>
> It should not be terribly difficult.

It should (obviously) go without saying that you should _NOT_ use
/etc/passwd or the like as a basis for your authentication.

Brendan Murphy
Network, Video, and DSL Services
University of Colorado-Denver
Computing, Information & Network Services (CINS)
~~~
"Mental reflection is so much more interesting than TV it's a shame more
people don't switch over to it." Robert M.
Pirsig, "Zen and the Art of Motorcycle Maintenance"

From owner-freebsd-security Wed Jun 13 09:42:34 2001
From: Steve Shorter
To: Sam Leffler
Cc: Cy Schubert - ITSD Open Systems Group, Sheldon Hearn, freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 12:37:25 -0400
Subject: Re: tripwire
Message-ID: <20010613123725.B31291@nomad.lets.net>
In-Reply-To: <0a6301c0f41d$0fb78c10$24a6d4d1@melange>

On Wed, Jun 13, 2001 at 08:25:22AM -0700, Sam Leffler wrote:
> I thought 2.3.1 was proprietary and source was not available. I'd never
> have run it in linux emulation mode if I'd located the source...

The sources for a GPL'd version are on sourceforge

www.sourceforge.net/projects/tripwire

Latest version is 2.3.1 or thereabouts

I have done some initial work on a policy file. It would be nice to
produce a policy file for freebsd.
The linux one kind of sucks

-steve

From owner-freebsd-security Wed Jun 13 10:01:04 2001
From: "Antoine Beaupre (LMC)"
To: freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 12:59:34 -0400
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <3B279BF6.7000601@lmc.ericsson.se>
References: <200106131442.f5DEgNB10141@cwsys.cwsent.com> <3B278030.3020305@lmc.ericsson.se> <20010613111421.A777@mushhaven.net>

Don't get mad, Jamie. :) I think most people actually *do* agree with you.
But read on...

Jamie Norwood wrote:
> On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
>
>> Cy Schubert - ITSD Open Systems Group wrote:
>>
>>> On virtually every mailing list I'm on I've been advocating the
>>> deprecation of FTP, only to get flamed by advocates of FTP. The reason
>>> FTP is still used is because people want to use it. Until the majority
>>> can be educated (convinced) it will continue to be used. Code (CGI
>>> scripts, etc.) to perform uploads would be the start of the demise of
>>> FTP.
>
> My main issue is that no one has yet given me a good reason WHY FTP should
> be deprecated. All I keep hearing is most people saying 'Because HTTP
> is better, though it needs to be fixed to do what FTP does', and a few
> feeble cries of 'It's more secure to just have one service doing both,
> and since Apache is more secure than FTP (Assuming, of course, you use
> it in stock form and don't turn anything special on!), we should drop
> FTP!'.

I think the two main points are:

- ftp uses 2 data connections which breaks the "transport model" or
  whatever you want to call it, where the application layer (FTP protocol)
  must not deal with the transport layer (TCP ports). In HTTP, all
  transactions are on the same port. In FTP, the ports are negotiated.
  This sucks.

- There is no generally available SSL wrapper that allows secure
  communication of passwords over FTP.

I never mentioned the points you quoted and I don't think they're really
worth considering.
:)

> No one has addressed my concerns at all, and seem to mostly ignore them.
> Just to be inflammatory about it, it is a common tactic when people are
> presented with an argument they don't know how to counter, to just ignore
> it.

I don't think I followed this behavior.

> My main concern is the facts that, first off, HTTP doesn't, in most of its
> current incarnations (Both client, and server), have an easy and sane way
> to handle uploading files, securely or otherwise.

Agreed.

> My secondary concern is ease of use. FTP is extremely easy to use, and
> powerful at the same time. It has many well-written text-based applications
> for its use. HTTP has Lynx and Links, neither of which is adequate. Both
> rely on having high-quality terminal emulation with no quirks, a rare
> thing. I can pull up 'ftp' on any client, anywhere, and not have to worry
> that curses/ncurses/xterm/whatever will not like some of its code. I've
> yet to see Lynx not look bad, and Links isn't much better.

FTP == old == known and widely, well implemented. Also the fact that the
protocol is "simple" compared to HTTP helps a lot. Agreed again.

However, by "ease of use"... I'm not sure everyone can successfully use
(eg) the Windows FTP client if they never did before. It can be tricky.

Of course this is when we talk about text-only apps. When you fall back on
GUIs, it's all leveled out. It depends on the availability of
netscrape/exploder/aol-machin.

> Tertiarily, there is the concept of statefulness. HTTP is stateless, which
> is well and good for people behind firewalls and such, but FTP is stateful.
> This allows us to be MUCH more interactive with the server.

Agreed again. There is, however, a workaround available for HTTP:
keep-alive connections. It is still not stateful though.

> HTTP is nice, for what it does. It is a good 'Hyper Text Transfer Protocol'.

That is what I meant when talking about the "dir" (or "ls") workaround for
HTTP. :)

> And FTP is a good 'File Transfer Protocol'.
> Yes, HTTP can transfer files,
> but it is not a suitable replacement for FTP.

No. But it *could* replace it, if FTP would die off.

> And I have, again, not heard
> anyone who is advocating ditching FTP give any realistic and practical
> reason why FTP is so evil. FTP does what it does very well, and should
> be allowed to continue to do so.

Yes. The only thing that really annoys me with ftp are the clear-text
passwords flying around. But I guess that HTTP without SSL wouldn't solve
it either. It all orbits around SFTP. And I fear that the SSH
implementation is way too permissive and/or complex to structure an
FTP-like service. SSH is also not as widely known and implemented as FTP.

Long live FTP. ;)

BTW, the charm for me would be a protocol that encrypts the control
session (ie where the usernames and passwords are sent). Encryption of the
data session we can do without. Is there anything like this?

Let's kill this thread already. Respond via private mail.

A.

--
Semantics is the gravity of abstraction.
From owner-freebsd-security Wed Jun 13 10:23:05 2001
From: "Crist Clark"
To: Brendan Murphy
Cc: Evren Yurtesen, Garrett Wollman, Jamie Norwood, freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 10:22:52 -0700
Subject: Re: HTTP and FTP
Message-ID: <3B27A16C.32BAF75E@globalstar.com>

Brendan Murphy wrote:
>
> On Tue, 12 Jun 2001, Crist Clark wrote:
>
> > Evren Yurtesen wrote:
> > >
> > > I wonder if it is possible in HTTP to make users login to their home dirs
> > > automatically and when they put files it goes in with their uid,gid and of
> > > course they will login with their own passwords? etc. =)
> >
> > It should not be terribly difficult.
>
> It should (obviously) go without saying that you should _NOT_ use
> /etc/passwd or the like as a basis for your authentication.

With most current HTTP servers, something like a htpasswd file is already
more common. However, if we are comparing to FTP, many FTP daemons, the
ftpd(8) with FreeBSD included, only use /etc/passwd, system users, for
authentication.
In that case, why would using /etc/passwd be so much worse than the status
quo? FTP only passes the password across the Internet in cleartext once per
control session whereas you'd be doing it with every request in HTTP, but
then again, HTTP over SSL is well established and standardized. FTP over
SSL is a PITA for a lot of the same reasons FTP is a pain through firewalls
(which was the genesis of this flam^H^H^H^H^H long thread).

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that any review, dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this e-mail in
error, please contact postmaster@globalstar.com

From owner-freebsd-security Wed Jun 13 10:35:59 2001
From: "Crist Clark"
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Date: Wed, 13 Jun 2001 10:35:52 -0700
Subject: Re: FW: FTP almost gone now? (was: Re: IPFW almost works now.)
Message-ID: <3B27A478.85A21D3F@globalstar.com>
Peter Brezny wrote:
>
> >> Balderdash! HTTP and TCP both send files over identical TCP
> >> connections, which makes them equally efficient. There really is no
> >> reason for FTP to continue to exist (but yet it does).
>
> I was under the impression that the http protocol is a much 'chattier'
> protocol than ftp, and that regardless of them running on identical tcp
> connections, FTP is much more efficient by nature of the Protocol.
>
> Someone clear this up for me.

HTTP is stateless. FTP has state. /All/ of the information required to do
the transaction must go out with each individual HTTP request. For this
reason, if you were to download a lot of little files, FTP would be
better. You would establish one control connection and then can issue a
lot of very "short" (few bytes over the wire) commands to grab each file.
In HTTP, you would send a big HTTP request for each file and get a pretty
good sized HTTP response header back along with the file.

However, there are situations where HTTP is less chatty. In the above
example, say you were going to download a lot of little files, but you
were going to make a fresh FTP control connection for each one (say each
one was being grabbed an hour apart, control connections would tend to
time out and keep-alives consume resources too). Typically, establishing a
control connection is going to be more bytes over the wire than an HTTP
request. Not only that, but an FTP download requires at least two TCP
connections which consumes twice the kernel resources on both host and
server. In this case, HTTP is _less_ "chatty." And this is one of the
reasons HTTP on average is a better choice for something like web
browsing.
So, to summarize, there is no clear-cut answer as to which is less
"chatty." It depends on how you are using them.

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

From owner-freebsd-security Wed Jun 13 11:20:38 2001
From: David Goddard
To: freebsd-security@freebsd.org
Date: Wed, 13 Jun 2001 19:02:51 +0100
Subject: Odd source IP for a scan
Message-ID: <3B27AACB.D8BC13F@procopia.com>
(Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, This isn't as such a FreeBSD thing, but I picked up some odd entries in a security log recently: root@cerebus% grep 66.22.30.76 /var/log/security Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0 Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0 66.22.30.76 resolves to host.domain.com - my guess is that it's some hacking tool and the script kiddie has not bothered to change the spoofing from the default. However, if they're just probing then they are surely not going to get much info back that way.. Has anyone seen anything similar? 
Cheers,

Dave

From owner-freebsd-security Wed Jun 13 11:33:12 2001
Date: Wed, 13 Jun 2001 20:33:29 +0200
From: Alex Holst
To: freebsd-security@freebsd.org
Subject: Re: Odd source IP for a scan
Message-ID: <20010613203329.A13593@area51.dk>
In-Reply-To: <3B27AACB.D8BC13F@procopia.com>

Quoting David Goddard (dmg@procopia.com):
> 66.22.30.76 resolves to host.domain.com - my guess is that it's some
> hacking tool and the script kiddie has not bothered to change the
> spoofing from the default.

What's spoofed? Whoever owns 66.22.30.76 has told their DNS server to return "host.domain.com" when asked for a hostname.

Query about 66.22.30.76 for record types PTR
Name: host.domain.com
Address: 66.22.30.76

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
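Alex's point generalises: a PTR record is published by whoever controls the reverse zone for the address, so the name a scanner's IP resolves to is data chosen by the other side, not evidence of spoofing or of anything else. The script below is an added example, not code from David or Alex. It parses ipfw Deny lines of the shape in David's log, groups the probed ports per source, labels the ports that are well-known backdoor/service defaults, and runs a forward-confirmed reverse DNS check (resolve the PTR name back to A records and see whether the original address is among them) through a pluggable resolver. SAMPLE re-types three of the nine log lines from the post, destination masked as in the original; FAKE_PTR and FAKE_A are constructed resolver answers so it runs offline.

```python
"""Triage ipfw "Deny" lines and check what the source's reverse DNS is worth.

Added example; not code from anyone in the thread. SAMPLE is re-typed from
the post, FAKE_PTR/FAKE_A are constructed answers, KNOWN_PORTS holds the
well-known defaults of what is usually probed on those ports.
"""
import re
import socket
from collections import defaultdict

IPFW = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Deny|Accept) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.X]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

KNOWN_PORTS = {
    139: "NetBIOS session (Windows file sharing)",
    12345: "NetBus default port",
    27374: "SubSeven default port",
}

def parse_ipfw(lines, action="Deny"):
    """Map source address -> sorted list of distinct destination ports hit."""
    hits = defaultdict(set)
    for line in lines:
        m = IPFW.search(line)
        if m and m["action"] == action:
            hits[m["src"]].add(int(m["dport"]))
    return {src: sorted(ports) for src, ports in hits.items()}

def fcrdns(addr, ptr_lookup, a_lookup):
    """Return (ptr_name, confirmed). confirmed is True only when the PTR name
    resolves forward to a set of addresses that contains addr."""
    name = ptr_lookup(addr)
    if name is None:
        return None, False
    return name, addr in a_lookup(name)

def triage(lines, ptr_lookup, a_lookup):
    """Per source: ports hit, what they usually are, PTR name, FCrDNS verdict."""
    report = {}
    for src, ports in parse_ipfw(lines).items():
        name, ok = fcrdns(src, ptr_lookup, a_lookup)
        report[src] = {
            "ports": ports,
            "labels": [KNOWN_PORTS.get(p, "unknown") for p in ports],
            "ptr": name,
            "fcrdns": ok,
        }
    return report

# Real resolvers for use outside the example (not called by the demo below).
def real_ptr(addr):
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def real_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Three of the nine lines from the post (destination masked as in the original).
SAMPLE = [
    "Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0",
    "Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0",
    "Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0",
]

# Constructed resolver answers: the PTR says host.domain.com, but that name
# points somewhere else entirely, so the reverse name is not confirmed.
FAKE_PTR = {"66.22.30.76": "host.domain.com"}
FAKE_A = {"host.domain.com": ["198.51.100.7"]}

def fake_ptr(addr):
    return FAKE_PTR.get(addr)

def fake_a(name):
    return FAKE_A.get(name, [])

if __name__ == "__main__":
    for src, info in triage(SAMPLE, fake_ptr, fake_a).items():
        print(src, info)
```

With the real resolvers plugged in the verdict depends on whatever the address's owner publishes today; the point is that an unconfirmed PTR name, or a PTR that changes per address across a whole netblock, tells you nothing about who is scanning.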
http://a.area51.dk/

From owner-freebsd-security Wed Jun 13 11:48:13 2001
Date: Wed, 13 Jun 2001 13:48:23 -0500
From: "default013 - subscriptions" <default013subscriptions@hotmail.com>
Subject: trouble with glob patch (ftp exploit)

Hi, I was doing some security upgrades and attempted to install the glob ftp exploit patch...
(ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch)

I do not believe it installed correctly as I received the following errors. If anyone can help me with this I would extremely appreciate it.

(Here is when I applied the patch as directed on http://www.linuxsecurity.com/advisories/freebsd_advisory-1294.html)

[/usr/src]# patch -p < /usr/home/default/patches/glob.4.x.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: include/glob.h
|===================================================================
|RCS file: /home/ncvs/src/include/glob.h,v
|--- include/glob.h	1998/02/25 02:15:59	1.3
|+++ include/glob.h	2001/03/21 14:33:56	1.3.6.1
--------------------------
Patching file include/glob.h using Plan A...
Hunk #1 succeeded at 77.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libc/gen/glob.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libc/gen/glob.c,v
|--- lib/libc/gen/glob.c	1998/02/20 07:54:56	1.11
|+++ lib/libc/gen/glob.c	2001/04/07 21:00:20
--------------------------
Patching file lib/libc/gen/glob.c using Plan A...
Hunk #1 succeeded at 129.
Hunk #2 succeeded at 137.
Hunk #3 succeeded at 158.
Hunk #4 succeeded at 168.
Hunk #5 succeeded at 197.
Hunk #6 succeeded at 207.
Hunk #7 succeeded at 233.
Hunk #8 succeeded at 274.
Hunk #9 succeeded at 321.
Hunk #10 succeeded at 415.
Hunk #11 succeeded at 480.
Hunk #12 succeeded at 493.
Hunk #13 succeeded at 508.
Hunk #14 succeeded at 528.
Hunk #15 succeeded at 552.
Hunk #16 succeeded at 567.
Hunk #17 succeeded at 606.
Hunk #18 succeeded at 636.
Hunk #19 succeeded at 674.
Hunk #20 succeeded at 710.
Hunk #21 succeeded at 791.
Hunk #22 succeeded at 804.
Hunk #23 succeeded at 823.
Hunk #24 succeeded at 840.
Hunk #25 succeeded at 860.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: libexec/ftpd/popen.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/popen.c,v
|--- libexec/ftpd/popen.c	2000/09/20 09:57:58	1.18.2.1
|+++ libexec/ftpd/popen.c	2001/04/07 21:08:09
--------------------------
Patching file libexec/ftpd/popen.c using Plan A...
Hunk #1 succeeded at 107.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
|--- libexec/ftpd/ftpd.c	2001/03/11 13:20:44	1.73
|+++ libexec/ftpd/ftpd.c	2001/03/19 19:11:00
--------------------------
Patching file libexec/ftpd/ftpd.c using Plan A...
Hunk #1 succeeded at 186 (offset -3 lines).
Hunk #2 succeeded at 2611 (offset -17 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|===================================================================
|RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v
|--- libexec/ftpd/ftpcmd.y	2001/04/16 22:20:26	1.23
|+++ libexec/ftpd/ftpcmd.y	2001/04/17 03:03:45
--------------------------
Patching file libexec/ftpd/ftpcmd.y using Plan A...
Hunk #1 succeeded at 133 with fuzz 2 (offset -5 lines).
Hunk #2 succeeded at 461 (offset -14 lines).
Hunk #3 succeeded at 910 (offset -31 lines).
Hunk #4 succeeded at 1008 (offset -33 lines).
done

(here is what happened when I did a make all install in /usr/src/lib/libc)

cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
/usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
/usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once
/usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.)
/usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
/usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function)
*** Error code 1

(and finally, here is what happened when I did a make all install in /usr/src/libexec/ftpd)

[/usr/src/libexec/ftpd]# make all install
Warning: Object directory not changed from original /usr/src/libexec/ftpd
cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -I/usr/src/libexec/ftpd/../../contrib-crypto/telnet -DINET6 -Dmain=ls_main -I/usr/src/libexec/ftpd/../../bin/ls -c ftpd.c
ftpd.c: In function `send_file_list':
ftpd.c:2612: `GLOB_MAXPATH' undeclared (first use in this function)
ftpd.c:2612: (Each undeclared identifier is reported only once
ftpd.c:2612: for each function it appears in.)
ftpd.c:2601: warning: variable `dout' might be clobbered by `longjmp' or `vfork'
ftpd.c:2602: warning: variable `dirlist' might be clobbered by `longjmp' or `vfork'
ftpd.c:2603: warning: variable `simple' might be clobbered by `longjmp' or `vfork'
ftpd.c:2604: warning: variable `freeglob' might be clobbered by `longjmp' or `vfork'
*** Error code 1

Stop in /usr/src/libexec/ftpd.
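The identifiers the compiler cannot find, GLOB_MAXPATH and GLOB_LIMIT, are the flags the SA-01:33 patch adds to glob(3) so that a caller such as ftpd can cap how many pathnames a pattern is allowed to produce; the errors say the build is still reading a glob.h that predates the patch (the patched header lives in the source tree under include/ and has to be installed before libc and ftpd are rebuilt against it). What follows is an added example, not FreeBSD's glob.c and not from anyone in this thread: a toy brace-pattern expander in Python that counts results and aborts past a limit, which is the shape of the mitigation. It shows why the cap matters: "{a,b,c,d,e,f,g,h,i,j}" repeated n times expands to 10**n names, every one of which an unbounded implementation would allocate on behalf of an anonymous user issuing LIST. The limit values and the 255-byte result bound are this example's own choices.

```python
"""Bounded brace expansion: the resource-exhaustion shape a glob match limit prevents.

Added example, not FreeBSD's glob(3) and not from the thread. MAX_RESULT and
the limits used below are this example's own assumptions.
"""
MAX_RESULT = 255   # bound each produced name, like capping at MAXPATHLEN - 1

class ExpansionLimit(Exception):
    """Raised when a pattern would produce more results (or longer ones) than allowed."""

def _matching_brace(pat, start):
    """Index of the '}' that closes the '{' at pat[start], or -1 if unbalanced."""
    depth = 0
    for i in range(start, len(pat)):
        if pat[i] == "{":
            depth += 1
        elif pat[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1

def _split_alternatives(body):
    """Split on top-level commas only; nested braces stay intact for recursion."""
    alts, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    alts.append("".join(cur))
    return alts

def expand(pat, limit):
    """Yield every expansion of pat, left to right. Raise ExpansionLimit as soon
    as the (limit+1)th result or an over-long result would be produced, so the
    caller never has to hold an unbounded result set in memory."""
    count = 0
    stack = [pat]
    while stack:
        p = stack.pop()
        lb = p.find("{")
        rb = _matching_brace(p, lb) if lb >= 0 else -1
        if rb < 0:                      # no balanced braces left: a concrete result
            count += 1
            if count > limit or len(p) > MAX_RESULT:
                raise ExpansionLimit(p)
            yield p
            continue
        prefix, body, suffix = p[:lb], p[lb + 1:rb], p[rb + 1:]
        for alt in reversed(_split_alternatives(body)):   # reversed: stack pops in order
            stack.append(prefix + alt + suffix)

def count_expansions(pat, limit):
    """Number of names pat expands to, or -1 if that would exceed limit."""
    try:
        return sum(1 for _ in expand(pat, limit))
    except ExpansionLimit:
        return -1

def nested_count(n, limit):
    """Count for a ten-way alternation repeated n times: 10**n names."""
    return count_expansions("{a,b,c,d,e,f,g,h,i,j}" * n, limit)

if __name__ == "__main__":
    print(list(expand("{a,b}{c,d}", 10)))
    for n in range(1, 7):
        print(n, nested_count(n, 100000))
```

The unpatched behaviour corresponds to calling expand() with no limit and collecting everything; the patched one is the early ExpansionLimit. ftpd passes the caller-chosen cap through the new flags rather than trusting the pattern a remote user sent.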
From owner-freebsd-security Wed Jun 13 11:50:58 2001
Date: Wed, 13 Jun 2001 14:50:36 -0400
From: Chris Faulhaber
To: default013 - subscriptions
Cc: freebsd-security@freebsd.org
Subject: Re: trouble with glob patch (ftp exploit)
Message-ID: <20010613145036.A50431@peitho.fxp.org>

On Wed, Jun 13, 2001 at 01:48:23PM -0500, default013 - subscriptions wrote:
> Hi, I was doing some security upgrades and attempted to install the glob ftp
> exploit patch...
> (ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch)
>
> I do not believe it installed correctly as I received the following errors.
> If anyone can help me with this I would extremely appreciate it.
>
> (Here is when I applied the patch as directed on
> http://www.linuxsecurity.com/advisories/freebsd_advisory-1294.html)
>

You should probably use the advisories on FreeBSD's ftp mirrors, in particular:

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:33.ftpd-glob.v1.1.asc

which has updated instructions.

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Jun 13 12:13:57 2001
Date: Wed, 13 Jun 2001 14:14:18 -0500
From: "default013 - subscriptions" <default013subscriptions@hotmail.com>
Subject: Re: trouble with glob patch (ftp exploit)
Hi, thanks for the tip, but I attempted the new instructions and got this error... It seemed like it went a bit farther but...

[/usr/src/lib/libc]# make all install
Warning: Object directory not changed from original /usr/src/lib/libc
cc -pg -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_Mo
cc: Internal compiler error: program cc1 got fatal signal 11
*** Error code 1

Stop in /usr/src/lib/libc.
[/usr/src/lib/libc]# cd /usr/src/libexec/ftpd
[/usr/src/libexec/ftpd]# make all install
Warning: Object directory not changed from original /usr/src/libexec/ftpd
cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -I/usr/src/libexec/ftpd/../../contrib-cc
cc: Internal compiler error: program cc1 got fatal signal 11
*** Error code 1

Stop in /usr/src/libexec/ftpd.

----- Original Message -----
From: "Chris Faulhaber"
To: "default013 - subscriptions"
Sent: Wednesday, June 13, 2001 1:50 PM
Subject: Re: trouble with glob patch (ftp exploit)

From owner-freebsd-security Wed Jun 13 12:36:13 2001
Date: Wed, 13 Jun 2001 12:37:22 -0700 (PDT)
From: Brian Behlendorf <brian@collab.net>
To: Jamie Norwood
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
In-Reply-To: <20010613111421.A777@mushhaven.net>

On Wed, 13 Jun 2001, Jamie Norwood wrote:
> My main concern is the facts that, first off, HTTP doesn't, in most of its
> current incarnations (Both client, and server), have an easy and sane way
> to handle uploading files, securely or otherwise.

WebDAV. There is excellent support for it in multiple web servers, libraries for it in multiple languages, and excellent command-line and graphical client-side support, especially on MS Windows where it's the protocol behind Explorer's "Web Folders" concept. People can just drag and drop to upload to a server. Works over SSL and with password auth, so you get your security there. Webdav has a versioning extension we're using as the basis for our Subversion project, at http://subversion.tigris.org/. Get more info on webdav at http://www.webdav.org/.

> My secondary concern is ease of use.

I'll have to leave it up to folks to decide that for themselves whether the webdav clients meet their needs.

> Tertiarily, there is the concept of statefulness. HTTP is stateless, which
> is well and good for people behind firewalls and such, but FTP is stateful.
> This allows us to be MUCH more interactive with the server.

HTTP maintains state a number of ways, and has no problem being "interactive", for whatever that means in the FTP case.
Brian

From owner-freebsd-security Wed Jun 13 12:45:55 2001
Date: Wed, 13 Jun 2001 20:47:30 +0100
From: David Goddard <dmg@procopia.com>
To: Alex Holst
Cc: freebsd-security@freebsd.org
Subject: Re: Odd source IP for a scan
Message-ID: <3B27C352.2FDA5007@procopia.com>
References: <3B27AACB.D8BC13F@procopia.com> <20010613203329.A13593@area51.dk>

Alex Holst wrote:
> What's spoofed? Whoever owns 66.22.30.76 has told their DNS server to return
> "host.domain.com" when asked for a hostname.
> Query about 66.22.30.76 for record types PTR
> Name: host.domain.com
> Address: 66.22.30.76

Doh. Right - didn't occur to me. Should have done a whois first I guess. Looks like these guys have that for the entire netblock. My assumption was that host.domain.com really did exist and its IP was chosen to be the default in some tool.

Better mail them and let them know they have a possible problem :-)

Thanks (and sorry for the b/w wastage),

Dave

From owner-freebsd-security Wed Jun 13 13:03:19 2001
Date: Wed, 13 Jun 2001 13:03:13 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Alex Popa
Cc: security@freebsd.org
Subject: Re: Compiling untrusted source -- what are the risks?
Message-ID: <20010613130313.B64020@xor.obsecurity.org>
In-Reply-To: <20010613092402.A8413@ldc.ro>

On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote:
> The step I am worried about is the compiling, since I do need to have
> the include files and libraries available. The output should be a
> statically linked file, which would run in a jail (separate one per
> source file) which contains nothing more than the compiled binary, and
> the input file. The evaluation program will run in a separate jail,
> given only the output file from the program, and maybe an "expected
> results" file. I plan on using ipfw to block all traffic on that
> machine (will be a dedicated machine) not coming from a few trusted
> uids (like root and the evaluation process). I also plan setting up
> resource limits, and not running more evaluation jobs at the same time
> (ruins timing).

You could do this step in a jail if you wanted to. If you're using user-supplied makefiles, then they can run arbitrary commands. If you're using a fixed set of compiler invocations and the standard toolchain then it should probably be okay (I don't know of any ways to cause the compiler toolchain to execute arbitrary commands during compilation).

Kris

From owner-freebsd-security Wed Jun 13 13:55:50 2001
Date: Wed, 13 Jun 2001 13:55:32 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
To: Marcel Dijk
Cc: Evren Yurtesen, "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <3B27D344.82AEDED0@globalstar.com>
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows>

Marcel Dijk wrote:
>
> > To the original poster, also keep in mind that firewalls at the other
> > end of your connection could be making trouble for you too. You can use
> > tcpdump(8) and firewall logging to see if traffic is getting to your
> > FTP server at all.
> > --
> > Crist J. Clark                          Network Security Engineer
> > crist.clark@globalstar.com              Globalstar, L.P.
> > (408) 933-4387                          FAX: (408) 933-4926
>
> Traffic IS getting to the FTP server, because I can login. The thing is when
> I have logged in and the client sends the LIST command it can't read the
> directory and closes the connection. As described here:
>
> _______________________________________
> Can't build data connection: interrupted system call.
> ABOR command successful.
> Connection Lost
> _______________________________________
>
> So, connection TO the server seems to work but when the server tries to SEND
> traffic to the client it fails.

I realize that you are having no problem with your _control_ connection, your data connection is failing. I was interested in tcpdump(8) to make sure that the incoming data connection was actually making it to your server, or just to see what the heck was up with the data connection.
-- 
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926

From owner-freebsd-security Wed Jun 13 14:23:00 2001
Date: Thu, 14 Jun 2001 00:19:47 +0300
From: Alex Popa <razor@ldc.ro>
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: Compiling untrusted source -- what are the risks?
Message-ID: <20010614001947.A13403@ldc.ro>
In-Reply-To: <20010613130313.B64020@xor.obsecurity.org>

On Wed, Jun 13, 2001 at 01:03:13PM -0700, Kris Kennaway wrote:
> On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote:
>
> > The step I am worried about is the compiling, since I do need to have
> > the include files and libraries available.
>
> [irrelevant part snipped]
>
> You could do this step in a jail if you wanted to. If you're using
> user-supplied makefiles, then they can run arbitrary commands. If
> you're using a fixed set of compiler invocations and the standard
> toolchain then it should probably be okay (I don't know of any ways to
> cause the compiler toolchain to execute arbitrary commands during
> compilation).
>
> Kris

I will probably go with something like (filename will be my own, not the user supplied filename):

"gcc -Wall -W -Werror -pipe -static filename.c -o a.out"

for the compiling step. The toolchain is exactly what I was worried about, and I really do not feel like providing a fresh jail for every compile. The running of the programs will go in a new jail and UID for every run, to prevent pollution. I also consider disabling SYSV semaphores and shared memory for that particular machine.

Thank you a lot,

Alex (who did paranoia++ a few too many times)

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro| no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
From owner-freebsd-security Wed Jun 13 14:37:32 2001
Date: Thu, 14 Jun 2001 07:37:05 +1000
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
To: Alex Popa
Cc: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Compiling untrusted source -- what are the risks?
Message-ID: <20010614073705.E95583@gsmx07.alcatel.com.au>
In-Reply-To: <20010613130313.B64020@xor.obsecurity.org>

On 2001-Jun-13 13:03:13 -0700, Kris Kennaway wrote:
> If
>you're using a fixed set of compiler invocations and the standard
>toolchain then it should probably be okay (I don't know of any ways to
>cause the compiler toolchain to execute arbitrary commands during
>compilation).

This is covered by Kris's "fixed set of compiler invocations", but it's worth noting that gcc can execute arbitrary commands with pathnames matching the regex ".*(cpp|cc1|cc1obj|cc1plus|as|ld)$" via the -B option or $GCC_EXEC_PREFIX environment. Note that some variants of gcc (including -CURRENT) use "cpp0" instead of "cpp".

Looking at base system executables, this includes fold(1), btxld(8), fore_dnld(8), rtsold(8) and /usr/libexec/rpc.rwalld, though there's nothing stopping someone creating a suitably named shell-script and using -Bfoo to invoke it (though it has to be marked executable).
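Taken together, Kris's "fixed set of compiler invocations" and Peter's -B / GCC_EXEC_PREFIX warning come down to one rule: the submitter controls the bytes of one .c file and nothing else, not the file name, not a flag, not an environment variable. The driver below is an added example, not code from any of the posters. The command line is the one Alex proposed; the work-directory layout, the environment allow-list, the resource limits and the helper names are assumptions of this example, and it targets a POSIX host with gcc at a fixed path. The policy functions are separated from the part that spawns the compiler so they can be checked without one; running the compile itself under an unprivileged UID in a jail, as the thread plans, is still the caller's job.

```python
"""Fixed-invocation compile step for untrusted C sources (POSIX, gcc).

Added example; not code from anyone in the thread. COMPILER, the limits and
the allow-lists are this example's assumptions.
"""
import os
import resource
import shutil
import subprocess
import tempfile

COMPILER = "/usr/bin/gcc"        # absolute path; never resolved through PATH
SOURCE_NAME = "filename.c"       # our own name, never the submitter's
OUTPUT_NAME = "a.out"
ENV_ALLOW = ("TMPDIR",)          # the only parent variable the child may inherit
FIXED_PATH = "/usr/bin:/bin"

# Variables and options that let a caller redirect gcc to other executables.
# A compile command you did not construct yourself should be screened for them.
TOOL_OVERRIDE_VARS = ("GCC_EXEC_PREFIX", "COMPILER_PATH", "LIBRARY_PATH",
                      "CPATH", "C_INCLUDE_PATH", "LD_LIBRARY_PATH", "LD_PRELOAD")

def looks_like_tool_override(argv, env):
    """True if argv or env could make gcc exec a cc1/as/ld the caller chose."""
    if any(v in env for v in TOOL_OVERRIDE_VARS):
        return True
    for arg in argv:
        if arg.startswith("-B"):                      # -Bprefix or -B prefix
            return True
        if arg in ("-specs", "-wrapper") or arg.startswith("-specs="):
            return True
    return False

def sanitized_env(parent_env):
    """Allow-list the environment; PATH is pinned rather than inherited."""
    env = {k: v for k, v in parent_env.items() if k in ENV_ALLOW}
    env["PATH"] = FIXED_PATH
    return env

def compile_argv(workdir):
    """The single permitted compiler invocation. No element comes from the user."""
    return [COMPILER, "-Wall", "-W", "-Werror", "-pipe", "-static",
            os.path.join(workdir, SOURCE_NAME), "-o", os.path.join(workdir, OUTPUT_NAME)]

def stage_source(src_path, workdir):
    """Copy the submission under the fixed name so the submitter's file name
    (which could start with '-' or contain spaces) never reaches argv."""
    dest = os.path.join(workdir, SOURCE_NAME)
    shutil.copyfile(src_path, dest)
    os.chmod(dest, 0o600)
    return dest

def _apply_limits():
    # Runs in the child just before exec: bound CPU seconds, address space and
    # output size so a pathological source cannot hang or fill the build host.
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))
    resource.setrlimit(resource.RLIMIT_AS, (512 << 20, 512 << 20))
    resource.setrlimit(resource.RLIMIT_FSIZE, (64 << 20, 64 << 20))

def compile_untrusted(src_path, dest_path, timeout=60):
    """Compile one submission; copy the binary to dest_path on success.
    Returns (returncode, stderr_text); raises sub-process TimeoutExpired on a runaway cc1."""
    workdir = tempfile.mkdtemp(prefix="build-")
    try:
        stage_source(src_path, workdir)
        argv, env = compile_argv(workdir), sanitized_env(os.environ)
        if looks_like_tool_override(argv, env):
            raise RuntimeError("refusing a compile command that can redirect the toolchain")
        proc = subprocess.run(argv, env=env, cwd=workdir, stdin=subprocess.DEVNULL,
                              capture_output=True, preexec_fn=_apply_limits,
                              timeout=timeout)
        if proc.returncode == 0:
            shutil.copyfile(os.path.join(workdir, OUTPUT_NAME), dest_path)
            os.chmod(dest_path, 0o500)
        return proc.returncode, proc.stderr.decode(errors="replace")
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    if os.path.exists(COMPILER):
        with tempfile.TemporaryDirectory() as d:
            src = os.path.join(d, "-whatever the user called it.c")
            with open(src, "w") as f:
                f.write('#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n')
            print(compile_untrusted(src, os.path.join(d, "submission.bin")))
```

Note that -static makes the result self-contained for the per-run jail Alex describes, but it also makes each compile allocate and write considerably more than a dynamic link would, which is why the address-space and file-size limits are set per child rather than relied on from the login class.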
Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jun 13 14:59:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail4.home.nl (mail4.home.nl [213.51.129.228]) by hub.freebsd.org (Postfix) with ESMTP id 4EE4037B403 for ; Wed, 13 Jun 2001 14:59:13 -0700 (PDT) (envelope-from nascar24@home.nl)
Received: from windows ([213.51.193.168]) by mail4.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010613215940.DVZS407.mail4.home.nl@windows>; Wed, 13 Jun 2001 22:59:40 +0100
Message-ID: <03da01c0f454$313b3d50$0900a8c0@windows>
From: "Marcel Dijk"
To: "Crist Clark"
Cc: "Evren Yurtesen" , "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , "Jason DiCioccio" ,
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com>
Subject: Re: IPFW almost works now.
Date: Thu, 14 Jun 2001 00:00:00 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

> I realize that you are having no problem with your _control_ connection,
> your data connection is failing. I was interested in tcpdump(8) to make
> sure that the incoming data connection was actually making it to your
> server, or just to see what the heck was up with the data connection.

OK, here is the TCPDUMP output (I think this is the part you need):

23:52:17.607813 qn-213-73-145-189.quicknet.nl.61636 > cc13708-a.groni1.gr.nl.home.com.ftp: P 116:142(26) ack 497 win 8264 (DF)
23:52:17.608026 cc13708-a.groni1.gr.nl.home.com.ftp > qn-213-73-145-189.quicknet.nl.61636: . ack 142 win 17520 (DF) [tos 0x10]
23:52:17.718530 arp who-has cc53628-a.groni1.gr.nl.home.com tell r1-fe1-0-sec.groni1.gr.home.nl
23:52:17.729564 cc13708-a.groni1.gr.nl.home.com.2124 > 205.188.8.76.aol: P 1131:1206(75) ack 649 win 16579 (DF)
23:52:17.926538 cc13708-a.groni1.gr.nl.home.com.ftp > qn-213-73-145-189.quicknet.nl.61636: P 497:527(30) ack 142 win 17520 (DF) [tos 0x10]
23:52:18.017964 qn-213-73-145-189.quicknet.nl.61636 > cc13708-a.groni1.gr.nl.home.com.ftp: P 142:148(6) ack 527 win 8234 (DF)
23:52:18.020112 cc13708-a.groni1.gr.nl.home.com.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > cc13708-a.groni1.gr.nl.home.com.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
23:52:18.065191 205.188.8.76.aol > cc13708-a.groni1.gr.nl.home.com.2124: . ack 1206 win 16384 (DF)
23:52:18.116512 cc13708-a.groni1.gr.nl.home.com.ftp > qn-213-73-145-189.quicknet.nl.61636: . ack 148 win 17520 (DF) [tos 0x10]
23:52:18.170176 cc11639-a.groni1.gr.nl.home.com.1029 > 255.255.255.255.6963: udp 52
23:52:19.155212 0:50:f:21:f9:e6 > 1:80:c2:0:0:0 802.1d ui/C
>>> Unknown IPX Data: (43 bytes)
[000] 00 00 00 00 00 80 00 00 50 2A 99 34 05 00 00 00 ........ P*.4....
[010] 00 80 00 00 50 2A 99 34 05 80 47 00 00 14 00 02 ....P*.4 ..G.....
[020] 00 0F 00 0F 47 72 6F 6E 69 6E 67                ....Gron ing
len=43
0000 0000 0080 0000 502a 9934 0500 0000
0080 0000 502a 9934 0580 4700 0014 0002
000f 000f 4772 6f6e 696e 67

I hope you can understand that more than I can...

And here is the output of IPFW.LOG:

Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 213.51.193.168:5617 in via ed0
Jun 13 23:41:49 FreeBSD last message repeated 9 times
Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615

I don't see any blocked packets but maybe you know why it's possible to
connect to the FTP server but the server can't send info back to the client.
It's not working in passive and normal mode...

Hope you can help,

Marcel

From owner-freebsd-security Wed Jun 13 15:35:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 1220837B40D for ; Wed, 13 Jun 2001 15:35:36 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEW42L00.J1C; Wed, 13 Jun 2001 15:35:09 -0700
Message-ID: <3B27EAB5.3FE48A6C@globalstar.com>
Date: Wed, 13 Jun 2001 15:35:33 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Marcel Dijk
Cc: Evren Yurtesen , "Antoine Beaupre (LMC)" , "Thomas T. Veldhouse" , Jason DiCioccio , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Marcel Dijk wrote:
> 
> > I realize that you are having no problem with your _control_ connection,
> > your data connection is failing. I was interested in tcpdump(8) to make
> > sure that the incoming data connection was actually making it to your
> > server, or just to see what the heck was up with the data connection.
> 
> OK, here is the TCPDUMP output (I think this is the part you need):

OK, we got your control connection, some AIM traffic and IPX, all with
some hideous auto-line-wrapping, but there looks to be a data connection
problem in there too.

[snip, format recovered]

> 23:52:18.020112 cc13708-a.groni1.gr.nl.home.com.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
> 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > cc13708-a.groni1.gr.nl.home.com.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]

[snip]

The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
data connection attempt. This looks like a failed PORT (active FTP)
attempt where we have a _client_ problem, not a problem at your FTP
server.

Hmmm, pretty fast net there, 45 ms.

> I hope you can understand that more than I can...
> 
> And here is the output of IPFW.LOG:
> 
> Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617
> 213.51.193.168:5617 in via ed0
> Jun 13 23:41:49 FreeBSD last message repeated 9 times
> Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615

None of this traffic is seen in the dump you sent. This might be a PASV
(passive) attempt?
-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.
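Crist's reading of the dump turned into detection logic, as an added example that is not part of the thread: the tcpdump and ipfw lines embedded below are the ones Marcel posted (abridged to the relevant ones plus a few non-TCP lines, to show the parser skips them). The code pairs the server's SYN from ftp-data with the client's RST to report a refused active-mode (PORT) transfer, and flags the ipfw accept to a high server port as consistent with a passive-mode (PASV) data channel, which is the distinction Crist draws. Function names are this example's own, and the service-name map covers only the names that appear in the dump.

```python
"""Classify FTP data-connection failures from tcpdump and ipfw log lines."""
import re
from collections import namedtuple

# Sample input: lines from the thread (tcpdump 3.x output and an ipfw
# kernel log line).  ARP, UDP and IPX lines are kept to show they are skipped.
TCPDUMP_LINES = """\
23:52:17.718530 arp who-has cc53628-a.groni1.gr.nl.home.com tell r1-fe1-0-sec.groni1.gr.home.nl
23:52:18.017964 qn-213-73-145-189.quicknet.nl.61636 > cc13708-a.groni1.gr.nl.home.com.ftp: P 142:148(6) ack 527 win 8234 (DF)
23:52:18.020112 cc13708-a.groni1.gr.nl.home.com.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > cc13708-a.groni1.gr.nl.home.com.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
23:52:18.170176 cc11639-a.groni1.gr.nl.home.com.1029 > 255.255.255.255.6963: udp 52
23:52:19.155212 0:50:f:21:f9:e6 > 1:80:c2:0:0:0 802.1d ui/C
""".splitlines()

IPFW_LINES = """\
Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 213.51.193.168:5617 in via ed0
""".splitlines()

SERVER_NAME = "cc13708-a.groni1.gr.nl.home.com"   # the FTP server in the dump
SERVER_IP = "213.51.193.168"                      # the same host in the ipfw log

Packet = namedtuple("Packet", "ts src sport dst dport flags ack")
TCP_RE = re.compile(r"^(\S+) (\S+) > (\S+): ([SRPF.]+) (.*)$")
IPFW_RE = re.compile(r"ipfw: (\d+) (\w+) TCP (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")
PORT_NAMES = {"ftp": 21, "ftp-data": 20}          # only the names used in the dump


def split_endpoint(endpoint):
    """'host.port' -> (host, port); named ports are mapped, unknown names kept."""
    host, port = endpoint.rsplit(".", 1)
    return host, PORT_NAMES.get(port, int(port) if port.isdigit() else port)


def parse_tcpdump(lines):
    """Keep the TCP lines (flag field of S/R/P/F/.), drop everything else."""
    packets = []
    for line in lines:
        m = TCP_RE.match(line)
        if not m:
            continue                                # ARP, UDP, IPX, ...
        ts, src, dst, flags, rest = m.groups()
        shost, sport = split_endpoint(src)
        dhost, dport = split_endpoint(dst)
        packets.append(Packet(ts, shost, sport, dhost, dport, flags, " ack " in f" {rest} "))
    return packets


def diagnose_active(packets, server):
    """A SYN from the server's ftp-data port answered by a RST from the same
    client port means the client refused the active-mode data connection:
    the fault is on the client side, not at the server."""
    findings = []
    for syn in packets:
        if not (syn.src == server and syn.sport == 20 and "S" in syn.flags and not syn.ack):
            continue
        for rst in packets:
            if (rst.ts > syn.ts and "R" in rst.flags
                    and rst.src == syn.dst and rst.sport == syn.dport
                    and rst.dst == server and rst.dport == 20):
                findings.append(f"active-mode data connection to {syn.dst}:{syn.dport} "
                                f"refused by the client (RST at {rst.ts})")
    return findings


def diagnose_ipfw(lines, server_ip):
    """An inbound TCP connection to a high port on the server is what a PASV
    data channel looks like from the firewall's point of view."""
    findings = []
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue
        rule, action, src, sport, dst, dport, direction, iface = m.groups()
        if direction == "in" and dst == server_ip and int(dport) > 1023 and action.lower() == "accept":
            findings.append(f"rule {rule}: inbound {src}:{sport} -> {dst}:{dport} on {iface} "
                            f"is a high-port connection to the server, consistent with a PASV data channel")
    return findings


if __name__ == "__main__":
    for finding in diagnose_active(parse_tcpdump(TCPDUMP_LINES), SERVER_NAME):
        print("tcpdump:", finding)
    for finding in diagnose_ipfw(IPFW_LINES, SERVER_IP):
        print("ipfw:", finding)
```

Run on the two posted inputs it prints one finding each: the dump shows the client resetting the server's data connection (active mode, client-side problem), and the firewall log shows a separate inbound high-port accept that the dump never captured (a passive-mode attempt).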
If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 16:56:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 09CD637B407 for ; Wed, 13 Jun 2001 16:56:29 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id QAA32354; Wed, 13 Jun 2001 16:55:07 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda32348; Wed Jun 13 16:55:03 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5DNsw831494; Wed, 13 Jun 2001 16:54:58 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdT31490; Wed Jun 13 16:54:05 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5DNqZs12570; Wed, 13 Jun 2001 16:52:35 -0700 (PDT) Message-Id: <200106132352.f5DNqZs12570@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpds12564; Wed Jun 13 16:52:07 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Matt Dillon Cc: Nate Williams , Garrett Wollman , Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: IPFW almost works now. In-reply-to: Your message of "Tue, 12 Jun 2001 16:56:37 PDT." 
<200106122356.f5CNubp50204@earth.backplane.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Jun 2001 16:52:07 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <200106122356.f5CNubp50204@earth.backplane.com>, Matt Dillon writes:
> 
> :> Balderdash! HTTP and TCP both send files over identical TCP
> :> connections, which makes them equally efficient.
> :
> :From a raw protocol stack, yes. However, most FTP servers are optimized
> :for streaming out large bits of static data, while HTTP servers are less
> :optimized for this.
> :
> :FTP servers can be more easily optimized (KISS et al), and hence FTP is
> :a better protocol for simple file transfers.
> :
> :Nate
> 
> If you have to have a web server, and would only also have a ftp
> server to 'optimize' transfers, I would submit that whatever
> performance one perceives as having gained from running the ftp
> server (which I think is Balderdash as well) is offset by the fact
> that you are now running two pieces of server software that might
> potentially create a security hazard rather than one.
> 
> Since I can't do without my web server, ftpd is the one I turn off.

That's exactly what I do. Additionally if I need to use non-anonymous
FTP, I use sftp, scp, or if behind a firewall one of the Kerberos
services.

> 
> Historically, a plain old Apache with no fancy modules turned on
> is just as secure... in fact, even more secure... than ftpd. Maybe
> because web servers focus on read-only stuff whereas ftpd tries to
> be general purpose read/write/exec/chmod/only-god-knows-what-else.

Not only that but HTTP is firewall friendly. FTP requires proxies. IP
Filter provides a good client-side FTP proxy however a server-side FTP
proxy is unknown in the opensource community.
Given the exploits of various FTP daemons, of which FreeBSD has been
fortunate to have such a secure ftpd, and exploits of the FTP protocol
itself, e.g. bounce, the wisdom of running an FTP server behind a
firewall is unadvised. I agree that we're better off using HTTP. I'll be
glad the day the FTP protocol has been finally put to rest.

> 
> -Matt

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Jun 13 17: 2:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3C9DA37B401 for ; Wed, 13 Jun 2001 17:02:22 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA32375; Wed, 13 Jun 2001 17:01:07 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda32373; Wed Jun 13 17:01:06 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5E011j31558; Wed, 13 Jun 2001 17:01:01 -0700 (PDT)
Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdF31532; Wed Jun 13 17:00:01 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5DNwZG12612; Wed, 13 Jun 2001 16:58:35 -0700 (PDT)
Message-Id: <200106132358.f5DNwZG12612@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdB12606; Wed Jun 13 16:57:51 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: Jamie Norwood
Cc: Matt Dillon , Nate Williams ,
Garrett Wollman , freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
In-reply-to: Your message of "Wed, 13 Jun 2001 00:03:46 EDT." <20010613000346.A398@mushhaven.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Jun 2001 16:57:51 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <20010613000346.A398@mushhaven.net>, Jamie Norwood writes:
> On Tue, Jun 12, 2001 at 04:56:37PM -0700, Matt Dillon wrote:
> > 
> > If you have to have a web server, and would only also have a ftp
> > server to 'optimize' transfers, I would submit that whatever
> > performance one perceives as having gained from running the ftp
> > server (which I think is Balderdash as well) is offset by the fact
> > that you are now running two pieces of server software that might
> > potentially create a security hazard rather than one.
> > 
> > Since I can't do without my web server, ftpd is the one I turn off.
> > 
> > Historically, a plain old Apache with no fancy modules turned on
> > is just as secure... in fact, even more secure... than ftpd. Maybe
> > because web servers focus on read-only stuff whereas ftpd tries to
> > be general purpose read/write/exec/chmod/only-god-knows-what-else.
> 
> So how, then, do you propose people upload files, a common use of ftp?
> Since your alternative is 'bare-bones' Apache, you have just cut out a
> function many of us rely on. Security through lack of usefulness is not
> an option, IMHO.

Generally uploading of files is done by users with valid accounts on the
system, so sftp or scp would handle most file transfer challenges.
Anonymous FTP could be handled through an HTTP POST.
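What an HTTP upload receiver in place of an anonymous FTP incoming directory can look like, as an added example that is neither Cy's nor any project's code: it accepts PUT only (Cy names POST; PUT is the method used here), stores each body under a server-chosen random name created with O_EXCL and mode 0600, and refuses every other method, so anonymous uploaders can neither list, read back nor replace what is already there. UPLOAD_DIR, MAX_BYTES and the function names are this example's own; the scratch directory is constructed for trying it locally.

```python
"""Write-only anonymous upload over HTTP PUT, in place of an FTP incoming directory."""
import os
import secrets
import stat
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_DIR = os.environ.get("UPLOAD_DIR", "/var/incoming")  # hypothetical location
MAX_BYTES = 16 * 1024 * 1024                                  # limit chosen for this example


def store_upload(upload_dir, data):
    """Store an upload under a server-chosen random name.  The name is never
    taken from the client (no traversal, no overwrite), the file is created
    with O_EXCL and mode 0600 in a 0700 directory, so an anonymous uploader
    cannot enumerate, read back or replace anything already stored."""
    os.makedirs(upload_dir, mode=0o700, exist_ok=True)
    token = secrets.token_hex(16)
    fd = os.open(os.path.join(upload_dir, token),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return token


def inspect_upload(upload_dir, token):
    """Operator-side check: permission bits and content of a stored upload."""
    path = os.path.join(upload_dir, token)
    with open(path, "rb") as f:
        body = f.read()
    return stat.S_IMODE(os.stat(path).st_mode), body


def scratch_dir():
    """A throwaway incoming directory for trying the example locally."""
    return tempfile.mkdtemp(prefix="incoming-")


class DropboxHandler(BaseHTTPRequestHandler):
    """PUT stores; every other method is refused, so the dropbox offers no
    listing or download that would turn it into a public file exchange."""

    def do_PUT(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0:
            self.send_error(411)          # Length Required
            return
        if length > MAX_BYTES:
            self.send_error(413)          # Payload Too Large
            return
        token = store_upload(UPLOAD_DIR, self.rfile.read(length))
        self.send_response(201)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"stored as {token}\n".encode())

    def do_GET(self):
        self.send_error(405)              # Method Not Allowed

    do_POST = do_HEAD = do_DELETE = do_GET


if __name__ == "__main__":
    UPLOAD_DIR = scratch_dir()
    print(f"storing uploads in {UPLOAD_DIR}")
    HTTPServer(("127.0.0.1", 8080), DropboxHandler).serve_forever()
```

The receiver returns only the random token; an operator moves accepted files out of the incoming directory by hand, which keeps the "drop box" one-way in the same way a write-only FTP incoming directory is meant to be.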
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 17:32:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id BE3F937B405 for ; Wed, 13 Jun 2001 17:32:34 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA32434; Wed, 13 Jun 2001 17:32:28 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda32432; Wed Jun 13 17:32:15 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5E0WAB31713; Wed, 13 Jun 2001 17:32:10 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdv31707; Wed Jun 13 17:31:37 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5E0VbA12744; Wed, 13 Jun 2001 17:31:37 -0700 (PDT) Message-Id: <200106140031.f5E0VbA12744@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdj12729; Wed Jun 13 17:31:25 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Jamie Norwood Cc: freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) In-reply-to: Your message of "Wed, 13 Jun 2001 11:14:21 EDT." 
<20010613111421.A777@mushhaven.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 13 Jun 2001 17:31:25 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In message <20010613111421.A777@mushhaven.net>, Jamie Norwood writes:
> On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
> > Cy Schubert - ITSD Open Systems Group wrote:
> > > On virtually every mailing list I'm on I've been advocating the
> > > deprecation of FTP, only to get flamed by advocates of FTP. The reason
> > > FTP is still used is because people want to use it. Until the majority
> > > can be educated (convinced) it will continue to be used. Code (CGI
> > > scripts, etc.) to perform uploads would be the start of the demise of
> > > FTP.
> 
> My main issue is that no one has yet given me a good reason WHY FTP should
> be deprecated. All I keep hearing is most people saying 'Because HTTP
> is better, though it needs to be fixed to do what FTP does', and a few
> feeble cries of 'It's more secure to just have one service doing both,
> and since Apache is more secure than FTP (Assuming, of course, you use
> it in stock form and don't turn anything special on!), we should drop
> FTP!'.
> 
> No one has addressed my concerns at all, and seem to mostly ignore them.
> Just to be inflammatory about it, it is a common tactic when people are
> presented with an argument they don't know how to counter, to just ignore
> it.

Because of its use of a control channel and data channel, FTP requires
firewall proxies. IP Filter provides a good client-side FTP proxy however
a server-side FTP proxy is unknown in the opensource community.
Given the exploits of various FTP daemons, of which FreeBSD has been
fortunate to have such a secure ftpd, and exploits of the FTP protocol
itself, e.g. FTP bounce, the wisdom of running an FTP server behind a
firewall is ill advised.

Secondly FTP doesn't support encryption. The FTP services that do, e.g.
Kerberos, still use the goofy control and data channels, and use the FTP
protocol with its vulnerability to circumvent firewalls making it
difficult to impossible to firewall, posing a risk to all other servers
behind the firewall. An FTP server sitting in a DMZ or better yet
completely outside of a firewall (considered a hostile external system)
would be acceptable though.

> 
> My main concern is the facts that, first off, HTTP doesn't, in most of its
> current incarnations (Both client, and server), have an easy and sane way
> to handle uploading files, securely or otherwise.

Sftp and scp address non-anonymous FTP. HTTP POST and PUT could address
anonymous FTP uploads.

> 
> My secondary concern is ease of use. FTP is extremely easy to use, and
> powerful at the same time. It has many well-written text-based applications
> for its use. HTTP has Lynx and Links, neither of which is adequate. Both
> rely on having high-quality terminal emulation with no quirks, a rare
> thing. I can pull up 'ftp' on any client, anywhere, and not have to worry
> that curses/ncurses/xterm/whatever will not like some of its code. I've
> yet to see Lynx not look bad, and Links isn't much better.

This is why FTP will never go away. In most end users' minds ease of use
is more important than security. In most managers' minds $$$ are more
important than security. Consider why many companies still don't support
HTTPS. It's easier to not support it and most unsuspecting users don't
know not to transmit their credit card information unencrypted over the
Internet so they continue to purchase from sites using unsecured
transactions.
I think that the world as we see it today is not concerned about
security issues until the cost of doing business becomes prohibitive
requiring us to change.

> 
> Tertiarily, there is the concept of statefulness. HTTP is stateless, which
> is well and good for people behind firewalls and such, but FTP is stateful.
> This allows us to be MUCH more interactive with the server.

Applications that use HTTP PUT and POST can be just as interactive and
useful. The reason we don't see any applications like this in widespread
use is that the nail doesn't hurt enough for anyone to do anything about
it yet. Once it does standards will change and applications will be
built. It is discussions like this that cause people to think and
interact. After enough of these discussions eventually the light bulb
will turn on in someone's head and we will have a new application based
on HTTP or whatever else to replace FTP.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Wed Jun 13 20:35:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.halplant.com (24-168-203-47.wo.cox.rr.com [24.168.203.47]) by hub.freebsd.org (Postfix) with ESMTP id 458F737B407 for ; Wed, 13 Jun 2001 20:35:31 -0700 (PDT) (envelope-from A.J.Caines@halplant.com)
Received: by mail.halplant.com (Postfix, from userid 1001) id 5A3D120A8; Wed, 13 Jun 2001 23:35:20 -0400 (EDT)
Date: Wed, 13 Jun 2001 23:35:20 -0400
From: Andrew J Caines
To: freebsd-security@FreeBSD.ORG
Subject: Using AIDE (Was: Re: tripwire
Message-ID: <20010613233520.M581@hal9000.servehttp.com>
Reply-To: Andrew J Caines
Mail-Followup-To: freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent:
Mutt/1.2.5i
In-Reply-To: ; from nospam@hiltonbsd.com on Wed, Jun 13, 2001 at 10:14:16AM -0500
Organization: H.A.L. Plant
X-Powered-by: FreeBSD 4.3-STABLE
X-PGP-Fingerprint: C59A 2F74 1139 9432 B457 0B61 DDF2 AA61 67C3 18A1
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Stephen,

> I have been using aide 0.7 on my systems and was interested if the "list"
> thinks this is a "solid" enough solution for integrity checking?

In what sense do you mean "solid"?

I am also using AIDE 0.7, built from ports, and have found it to function
at least as well as Tripwire*, while being simpler to use and having a
nicely simple interface. I have not done much in the way of tuning or
tweaking the default configuration and it appears to reliably pick up
changes.

As for performance, I do not notice any significant impact when building
or updating a database on my desktop system, which is running my usual
large number of server and desktop apps including a distributed.net
client.

*[Academic version, at least. I have not tried the 2.x version]

-Andrew-
-- 
 _______________________________________________________________________
| -Andrew J.
Caines- Unix Systems Engineer A.J.Caines@altavista.net | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 23:14:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32]) by hub.freebsd.org (Postfix) with SMTP id F084437B403 for ; Wed, 13 Jun 2001 23:14:05 -0700 (PDT) (envelope-from educatee2001@yahoo.com) Received: from unknown (HELO co3018900a) (210.7.158.144) by smtp.mail.vip.sc5.yahoo.com with SMTP; 14 Jun 2001 06:14:05 -0000 X-Apparently-From: Message-ID: <000a01c0f499$b7b48a90$0100c8c8@co3018900a> From: "educatee2001" To: "FreeBSD security" Subject: Any good NAT program? Date: Thu, 14 Jun 2001 16:17:39 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can anyone let me know a good industrial strength NAT that works on FreeBSD? Thanks. _________________________________________________________ Do You Yahoo!? 
Get your free @yahoo.com address at http://mail.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 23:16:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from alchemistry.net (alchemistry.net [160.79.102.254]) by hub.freebsd.org (Postfix) with ESMTP id C9E1237B405 for ; Wed, 13 Jun 2001 23:16:50 -0700 (PDT) (envelope-from mail@krel.org) Received: from amavis by alchemistry.net with scanned-ok (Exim 3.22 #1) id 15AQQr-000A1W-00 for freebsd-security@freebsd.org; Thu, 14 Jun 2001 02:16:41 -0400 Received: from [192.168.0.1] (helo=ilya) by alchemistry.net with smtp (TLSv1:RC4-MD5:128) (Exim 3.22 #1) id 15AQQn-000A1D-00; Thu, 14 Jun 2001 02:16:37 -0400 Message-ID: <004f01c0f499$b1dfc620$0100a8c0@ilya> From: "Ilya" To: "educatee2001" , "FreeBSD security" References: <000a01c0f499$b7b48a90$0100c8c8@co3018900a> Subject: Re: Any good NAT program? Date: Thu, 14 Jun 2001 02:17:31 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org man natd ? ----- Original Message ----- From: "educatee2001" To: "FreeBSD security" Sent: Thursday, June 14, 2001 2:17 AM Subject: Any good NAT program? > Can anyone let me know a good industrial strength NAT that works on FreeBSD? > Thanks. > > > _________________________________________________________ > Do You Yahoo!? 
> Get your free @yahoo.com address at http://mail.yahoo.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 23:19:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from adric.genocide2600.com (genocide2600.com [208.34.8.242]) by hub.freebsd.org (Postfix) with ESMTP id 31E3A37B40D for ; Wed, 13 Jun 2001 23:19:06 -0700 (PDT) (envelope-from traviso@FreeBSDFoo.com) Received: by adric.genocide2600.com (Postfix, from userid 1004) id 238C52B274; Thu, 14 Jun 2001 00:19:08 -0600 (MDT) Received: from localhost (localhost [127.0.0.1]) by adric.genocide2600.com (Postfix) with ESMTP id D8A482A316; Thu, 14 Jun 2001 00:19:08 -0600 (MDT) Date: Thu, 14 Jun 2001 00:19:08 -0600 (MDT) From: "[Travis]" X-Sender: traviso@genocide2600.com To: educatee2001 Cc: FreeBSD security Subject: Re: Any good NAT program? In-Reply-To: <000a01c0f499$b7b48a90$0100c8c8@co3018900a> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 14 Jun 2001, educatee2001 wrote: > Can anyone let me know a good industrial strength NAT that works on FreeBSD? Natd seems to work great >:) Travis =-=[Travis Ogden]-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ICQ UIN: #30220771 "Courage is not defined by those who AIM ID: Gen2600 fought and did not fall, but by those Email: who fought, fell, and rose again." 
traviso@FreeBSDFoo.com Website: http://www.FreeBSDFoo.com/~traviso =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 13 23:30: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 0767E37B407 for ; Wed, 13 Jun 2001 23:30:06 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id QAA14325; Thu, 14 Jun 2001 16:29:56 +1000 (EST) From: Darren Reed Message-Id: <200106140629.QAA14325@caligula.anu.edu.au> Subject: Re: Any good NAT program? To: educatee2001@yahoo.com (educatee2001) Date: Thu, 14 Jun 2001 16:29:54 +1000 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG (FreeBSD security) In-Reply-To: <000a01c0f499$b7b48a90$0100c8c8@co3018900a> from "educatee2001" at Jun 14, 2001 04:17:39 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org man ipnat In some mail from educatee2001, sie said: > > Can anyone let me know a good industrial strength NAT that works on FreeBSD? > Thanks. > > > _________________________________________________________ > Do You Yahoo!? 
> Get your free @yahoo.com address at http://mail.yahoo.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 14 00:02:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28]) by hub.freebsd.org (Postfix) with ESMTP id B6B8C37B407 for ; Thu, 14 Jun 2001 00:02:15 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta4.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GEW00JDCRJC8W@mta4.rcsntx.swbell.net> for freebsd-security@freebsd.org; Thu, 14 Jun 2001 02:02:00 -0500 (CDT)
Date: Thu, 14 Jun 2001 01:59:11 -0500
From: Ryan
Subject: Re: Any good NAT program?
To: freebsd-security@freebsd.org
Message-id: <000c01c0f49f$845ae260$01000001@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References: <000a01c0f499$b7b48a90$0100c8c8@co3018900a>
X-Priority: 3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Industrial? FreeBSD is industrial, get with the program here!

wh00p
mhx

----- Original Message -----
From: "educatee2001"
To: "FreeBSD security"
Sent: Thursday, June 14, 2001 1:17 AM
Subject: Any good NAT program?

> Can anyone let me know a good industrial strength NAT that works on FreeBSD?
> Thanks.

From owner-freebsd-security Thu Jun 14 00:19:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from brinstar.nerim.net (brinstar.nerim.net [62.4.16.71]) by hub.freebsd.org (Postfix) with ESMTP id 5FD1437B407 for ; Thu, 14 Jun 2001 00:19:06 -0700 (PDT) (envelope-from chojin@nerim.net)
Received: from chojin (chojin.adsl.nerim.net [62.4.22.98]) by brinstar.nerim.net (8.11.2/Raphit-20001115) with SMTP id f5E7J4J26086 for ; Thu, 14 Jun 2001 09:19:05 +0200 (CEST) (envelope-from chojin@nerim.net)
Message-ID: <004e01c0f4a2$4cca9cc0$0245a8c0@chojin>
From: "Chojin"
To:
References: <000a01c0f499$b7b48a90$0100c8c8@co3018900a> <000c01c0f49f$845ae260$01000001@mhx800>
Subject: Re: Any good NAT program?
Date: Thu, 14 Jun 2001 09:19:06 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400

ipnat works perfectly with FreeBSD

----- Original Message -----
From: "Ryan"
Sent: Thursday, June 14, 2001 8:59 AM
Subject: Re: Any good NAT program?

> Industrial? FreeBSD is industrial, get with the program here!
>
> > Can anyone let me know a good industrial strength NAT that works on FreeBSD?

From owner-freebsd-security Thu Jun 14 04:02:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from finland.ispro.net.tr (finland.ispro.net.tr [212.174.120.1]) by hub.freebsd.org (Postfix) with ESMTP id 3712037B405 for ; Thu, 14 Jun 2001 04:02:03 -0700 (PDT) (envelope-from yurtesen@ispro.net.tr)
Received: from localhost (yurtesen@localhost) by finland.ispro.net.tr (8.11.2/8.11.2) with ESMTP id f5EBD6O74922; Thu, 14 Jun 2001 14:13:06 +0300 (EEST) (envelope-from yurtesen@ispro.net.tr)
Date: Thu, 14 Jun 2001 14:13:06 +0300 (EEST)
From: Evren Yurtesen
To: Chojin
Cc:
Subject: Re: Any good NAT program?
In-Reply-To: <004e01c0f4a2$4cca9cc0$0245a8c0@chojin>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Yes, I agree =) I have been using it with 150 days uptime on a P150 with 32MB of RAM and 6 ethernet cards (3 networks, 1 uplink and 2 empty cards) and everything is still working like on its 1st day.

Evren

On Thu, 14 Jun 2001, Chojin wrote:
> ipnat works perfectly with FreeBSD

From owner-freebsd-security Thu Jun 14 06:08:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe44.law12.hotmail.com [64.4.18.16]) by hub.freebsd.org (Postfix) with ESMTP id 365B637B408 for ; Thu, 14 Jun 2001 06:08:13 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 14 Jun 2001 06:08:12 -0700
X-Originating-IP: [24.14.93.185]
Reply-To: "default013 - subscriptions"
From: "default013 - subscriptions"
To:
Subject: apache security question
Date: Thu, 14 Jun 2001 08:08:36 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-ID:
X-OriginalArrivalTime: 14 Jun 2001 13:08:12.0735 (UTC) FILETIME=[11076CF0:01C0F4D3]

Hello, I've been advised that someone is attempting to break into my box, and I know that this person is knowledgeable, so I've been watching for unusual activity...

I noticed this entry in one of my apache logfiles yesterday, and was wondering if anyone could explain to me what this is:

mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"

It appears to me like they somehow executed the 'head' command... how would one do this, and how could you stop it?

Thanks, Jordan

From owner-freebsd-security Thu Jun 14 06:11:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mip.co.za (puck.mip.co.za [209.212.106.44]) by hub.freebsd.org (Postfix) with ESMTP id 3441937B414 for ; Thu, 14 Jun 2001 06:10:49 -0700 (PDT) (envelope-from neilf@mip.co.za)
Received: from xyberpix.mip.co.za (xyberpix.mip.co.za [10.3.13.100]) by mip.co.za (8.9.3/8.9.3) with SMTP id PAA62635; Thu, 14 Jun 2001 15:10:37 +0200 (SAST) (envelope-from neilf@mip.co.za)
From: Neil Fryer
Organization: MIP Holdings
To: "default013 - subscriptions", "default013 - subscriptions",
Subject: Re: apache security question
Date: Thu, 14 Jun 2001 15:09:24 +0200
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain; charset="iso-8859-1"
References:
In-Reply-To:
MIME-Version: 1.0
Message-Id: <0106141510371Q.00481@xyberpix.mip.co.za>
Content-Transfer-Encoding: 8bit

'ello

Ok, afaik, this command could quite easily be run by telnetting into port 80 on your webserver, as you'll have this open anyway on your fw to allow web traffic. As for your other question, sorry, can't help.
Cheers
Neil Fryer
neilf@mip.co.za

On Thu, 14 Jun 2001, default013 - subscriptions wrote:
> I noticed this entry in one of my apache logfiles yesterday, and was
> wondering if anyone could explain to me what this is:
>
> mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"
>
> It appears to me like they somehow executed the 'head' command... how would
> one do this, and how could you stop it?

--
"Against stupidity, even the Gods struggle in vain."
- Friedrich von Schiller

From owner-freebsd-security Thu Jun 14 06:20:15 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe20.law12.hotmail.com [64.4.18.124]) by hub.freebsd.org (Postfix) with ESMTP id 1B8E037B403 for ; Thu, 14 Jun 2001 06:20:08 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 14 Jun 2001 06:20:08 -0700
X-Originating-IP: [24.14.93.185]
Reply-To: "default013 - subscriptions"
From: "default013 - subscriptions"
To:
Cc: "Neil Fryer"
References: <0106141510371Q.00481@xyberpix.mip.co.za>
Subject: Re: apache security question
Date: Thu, 14 Jun 2001 08:20:33 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-ID:
X-OriginalArrivalTime: 14 Jun 2001 13:20:08.0027 (UTC) FILETIME=[BB6052B0:01C0F4D4]

Neil,

Thanks all, :)

I attempted this in telnet and got a 'method not supported' message.

... I'm just being extra careful lately because I know that this guy is trying to do things to my box... whatever this was, it didn't work, so... thanks

----- Original Message -----
From: "Neil Fryer"
Sent: Thursday, June 14, 2001 8:09 AM
Subject: Re: apache security question

> Ok, afaik, this command could quite easily be run by telnetting into port 80 on
> your webserver, as you'll have this open anyway on your fw to allow web
> traffic.

From owner-freebsd-security Thu Jun 14 06:22:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe24.law12.hotmail.com [64.4.18.81]) by hub.freebsd.org (Postfix) with ESMTP id E85CF37B409 for ; Thu, 14 Jun 2001 06:21:59 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 14 Jun 2001 06:21:59 -0700
X-Originating-IP: [24.14.93.185]
Reply-To: "default013 - subscriptions"
From: "default013 - subscriptions"
To:
References: <0106141510371Q.00481@xyberpix.mip.co.za>
Subject: Re: apache security question
Date: Thu, 14 Jun 2001 08:22:25 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-ID:
X-OriginalArrivalTime: 14 Jun 2001 13:21:59.0794 (UTC) FILETIME=[FDFE9D20:01C0F4D4]

Ohhh, I figured out what this is: this lists an error message with the apache version number... that's what he wanted apparently.

Alrighty. Just thought I'd update, thanks again.
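What the log line in this thread records, and what the sender gets back for it, as an added example in Python; it is not code from anyone in the thread. The request bytes are exactly what one types at `telnet host 80`; the response is a constructed sample (the `Server:` value is made up), and every log line other than Jordan's is constructed as well. The log format assumed is Apache's common log with a leading virtual-host field and a trailing referer, which is what the quoted line looks like. `head_probes()` picks out the pattern worth watching for: a HEAD for `/`, zero bytes, no referer, from a host that fetches nothing else.

```python
import re
from typing import Dict, List, Optional, Tuple

# Apache log line in the shape shown in the thread:
#   %v %h %l %u %t "%r" %>s %b "%{Referer}i"
# (vhost, remote host, ident, user, time, request, status, bytes, referer).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"$'
)

# Constructed sample log. Only the first line is from the post (with its
# placeholder host names); the rest is ordinary browsing traffic made up here.
SAMPLE_LOG = """\
mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"
mydomainname.com 10.0.0.7 - - [12/Jun/2001:18:22:01 -0500] "GET /index.html HTTP/1.0" 200 2326 "http://mydomainname.com/"
mydomainname.com 10.0.0.7 - - [12/Jun/2001:18:22:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 4188 "http://mydomainname.com/index.html"
mydomainname.com 10.0.0.9 - - [12/Jun/2001:18:25:13 -0500] "HEAD /status.html HTTP/1.0" 200 0 "-"
"""

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def head_probes(log_text: str) -> List[Dict[str, str]]:
    """Entries that look like banner grabs: a HEAD for / with no referer.

    A browser revalidating a cached page asks for the page it cached and
    sends other traffic around it; a lone HEAD / from a host that fetches
    nothing else is what a fingerprinting script does.
    """
    hits = []
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e and e["method"] == "HEAD" and e["path"] == "/" and e["referer"] == "-":
            hits.append(e)
    return hits

def build_head_request(host: str, path: str = "/") -> bytes:
    """The bytes typed at a telnet prompt on port 80.

    The method name is case-sensitive ("head" is not "HEAD") and the request
    ends with an empty line; without that line the server keeps waiting.
    """
    return (f"HEAD {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"\r\n").encode("ascii")

def parse_response_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Status code and headers of an HTTP response; a HEAD reply has no body."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

# Constructed reply in the shape an Apache 1.3 of that era sent; the version
# string is a placeholder, not Jordan's server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 12 Jun 2001 23:21:35 GMT\r\n"
    b"Server: Apache/1.3.x (Unix)\r\n"
    b"Last-Modified: Mon, 11 Jun 2001 10:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for e in head_probes(SAMPLE_LOG):
        print(f"probe from {e['host']} at {e['time']}")
    print(build_head_request("mydomainname.com").decode(), end="")
    status, hdrs = parse_response_headers(SAMPLE_RESPONSE)
    print(status, hdrs.get("server"))
```

A lowercase `head` at the telnet prompt is an unknown method to Apache and gets a 501 rather than the headers, which is one way to end up with a "method not supported" answer while testing. The request itself cannot be blocked without breaking ordinary HTTP clients; what can be trimmed is the `Server:` banner, with the `ServerTokens` directive (`ServerTokens Prod`, Apache 1.3.12 and later), which removes the version but still says it is Apache.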
From owner-freebsd-security Thu Jun 14 07:07:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (sentinel.office1.bg [195.24.48.182]) by hub.freebsd.org (Postfix) with SMTP id 9C37637B401 for ; Thu, 14 Jun 2001 07:07:22 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 4846 invoked by uid 1000); 14 Jun 2001 14:05:59 -0000
Date: Thu, 14 Jun 2001 17:05:58 +0300
From: Peter Pentchev
To: default013 - subscriptions
Cc: freebsd-security@freebsd.org
Subject: Re: apache security question
Message-ID: <20010614170558.C3508@ringworld.oblivion.bg>
Mail-Followup-To: default013 - subscriptions, freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from default013subscriptions@hotmail.com on Thu, Jun 14, 2001 at 08:08:36AM -0500

On Thu, Jun 14, 2001 at 08:08:36AM -0500, default013 - subscriptions wrote:
> mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500] "HEAD / HTTP/1.0" 200 0 "-"
>
> It appears to me like they somehow executed the 'head' command... how would
> one do this, and how could you stop it?
They did not execute the head(1) command that you would execute if you typed 'head /etc/motd' at your shell prompt; they made an HTTP HEAD request, the point of which is to get the headers you would get on a GET request, without the page itself. This is handy for browsers that want to check if a particular page has changed.

But yes, as discussed in the thread, the goal was probably to check your Apache's version.

G'luck,
Peter

--
This sentence contains exactly threee erors.

From owner-freebsd-security Thu Jun 14 07:21:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mb.dnsdata.com (adsl-64-166-7-170.dsl.snfc21.pacbell.net [64.166.7.170]) by hub.freebsd.org (Postfix) with ESMTP id 654AE37B403 for ; Thu, 14 Jun 2001 07:20:47 -0700 (PDT) (envelope-from bob.fayne@bea.com)
Received: from mjollnir.bea.com (ext003271bea.bea.com [63.96.167.193] (may be forged)) by mb.dnsdata.com (8.11.3/8.11.3) with ESMTP id f5EEKhP92857 for ; Thu, 14 Jun 2001 07:20:47 -0700 (PDT) (envelope-from bob.fayne@bea.com)
Message-Id: <5.1.0.14.2.20010614072034.037fcec0@san-jose.beasys.com>
X-Sender: bob@san-jose.beasys.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 14 Jun 2001 07:20:37 -0700
To: freebsd-security@freebsd.org
From: Bob Fayne
Subject: pam_radius and template_user authentication
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

I've been trying to get the 'template_user=username' option for pam_radius to work. When a user is not in the main password file, there is _no attempt_ to contact the radius server(s). I'm running 4.3-RELEASE. This is what my pam.conf looks like:

sshd    auth     sufficient  pam_skey.so
sshd    auth     sufficient  pam_radius.so  try_first_pass template_user=me
sshd    auth     required    pam_unix.so    try_first_pass
sshd    session  required    pam_permit.so

pam_radius(8) says this:

     template_user=username
             specifies a user whose passwd(5) entry will be used as a
             template to create the session environment if the supplied
             username doesn't exist in local password database.

Can someone point me in the right direction to get this working?

Thanks in advance. :)

From owner-freebsd-security Thu Jun 14 08:41:59 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.home.nl (mail2.home.nl [213.51.129.226]) by hub.freebsd.org (Postfix) with ESMTP id 71EA737B405 for ; Thu, 14 Jun 2001 08:41:49 -0700 (PDT) (envelope-from nascar24@home.nl)
Received: from windows ([213.51.193.168]) by mail2.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010614164125.KCNT6179.mail2.home.nl@windows>; Thu, 14 Jun 2001 17:41:25 +0100
Message-ID: <046b01c0f4e8$a32a9200$0900a8c0@windows>
From: "Marcel Dijk"
To: "Crist Clark"
Cc: "Evren Yurtesen", "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", "Jason DiCioccio",
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com>
Subject: Re: IPFW almost works now -> stateful rules
Date: Thu, 14 Jun 2001 17:42:36 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

> OK, we got your control connection some AIM traffic and IPX, all with
> some hideous auto-line-wrapping, but there looks to be a data connection
> problem in there too.
>
> [snip, format recovered]
>
> > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
> > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
>
> [snip]
>
> The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> data connection attempt. This looks like a failed PORT (active FTP)
> attempt where we have a _client_ problem, not a problem at your FTP
> server.

But no matter what FTP client I use, I get the 'can't build data connection' error. For example, if I try to connect with putty to my FTP server I get this message:

220 FreeBSD FTP server (Version 6.00LS) ready.
331 Password required for USER.
230 User USER logged in.
425 Can't build data connection: Connection refused.

I think it has something to do with the rules because on the local LAN everything works fine.

I now have used stateful rules as suggested by someone here.
These are my rules: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ add 150 divert 8668 all from any to any via ed0 add 400 deny ip from 127.0.0.0/8 to any add 600 allow tcp from MY_IP to any out via ed0 add 602 check-state add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state add 635 allow udp from any to MY_IP in via ed0 add 645 allow udp from MY_IP to any out via ed0 add 650 allow log icmp from any to MY_IP in via ed0 add 660 allow log icmp from MY_IP to any out via ed0 add 800 allow all from 192.168.0.0/16 to any add 825 allow all from any to 192.168.0.0/16 #add 850 allow tcp from 192.168.0.0/16 to any #add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000 #add 870 allow udp from any to 192.168.0.0/16 #add 880 allow udp from 192.168.0.0/16 to any #add 890 allow icmp from any to 192.168.0.0/16 #add 895 allow icmp from 192.169.0.0/16 to any add 1000 deny log logamount 10 all from any to any in frag ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ As far as I know and have read this should do the trick but it doesn't. I have tries PASV and ACTIVE FTP and both don't work. 
TCPDUMP for ACTIVE FTP: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P 1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10] 17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10] 17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R 1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10] 17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10] 17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0 17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10] 17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0 17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 (DF) 17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 (DF) 17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . 
ack 1 win 8760 (DF) 17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win 17520 (DF) [tos 0x10] 17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win 8712 (DF) 17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win 17520 (DF) [tos 0x10] 17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win 8674 (DF) 17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win 17520 (DF) [tos 0x10] 17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win 8643 (DF) 17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win 17520 (DF) [tos 0x10] 17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win 8623 (DF) 17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win 17520 (DF) [tos 0x10] 17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win 8554 (DF) 17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win 17520 (DF) [tos 0x10] 17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win 8487 (DF) 17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win 17520 (DF) [tos 0x10] 17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win 8438 (DF) 17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win 17520 (DF) [tos 0x10] 17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win 8418 (DF) 17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win 17520 (DF) [tos 0x10] 17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF) 17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8] 17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF) 17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . 
ack 103 win 17520 (DF) [tos 0x10] 17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8] 17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF) 17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF) 17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8] 17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF) 17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF) 17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8] 17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF) 17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF) 17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP 1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10] 17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0) win 0 17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP 1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10] 17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0) win 0 17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R 1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10] 17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8] 17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . 
ack 1 win 8760 (DF) 17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P 1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10] 17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10] 17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10] 17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0 17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10] 17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0 17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10] 17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If I try to connect with PSV FTP it still doesn't work. > I hope you can understand that more than I can... > > > > And here is the output of IPFW.LOG: > > > > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 > > MY_IP:5617 in via ed0 > > Jun 13 23:41:49 FreeBSD last message repeated 9 times > > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615 > > None of this traffic is seen in the dump you sent. This might be a > PASV (passive) attempt? There is no entry in the IPFW.LOG file of my attempts. This is starting to get a headache I guess, I've tried almost all of the sugestions metioned in this discussion. 
Marcel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 9: 0: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 6289C37B40A for ; Thu, 14 Jun 2001 08:59:29 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id LAA90429; Thu, 14 Jun 2001 11:59:28 -0400 (EDT) (envelope-from str) Date: Thu, 14 Jun 2001 11:59:28 -0400 (EDT) From: Igor Roshchin Message-Id: <200106141559.LAA90429@giganda.komkon.org> To: nascar24@home.nl Subject: Re: IPFW almost works now -> stateful rules Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <046b01c0f4e8$a32a9200$0900a8c0@windows> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If those rules are all rules you have, and I didn't miss any line, no ftp would be allowed to go through, since there is no rule for the port 21. Aren't you mixing something ? ftp is at port 21. Port 22 is ssh. (Check /etc/services) However, I am puzzled, how do you manage to establish the initial connect at all. Igor > From: "Marcel Dijk" > Subject: Re: IPFW almost works now -> stateful rules > Date: Thu, 14 Jun 2001 17:42:36 +0200 > > > OK, we got your control connection some AIM traffic and IPX, all with > > some hideous auto-line-wrapping, but there looks to be a data connection > > problem in there too. 
> > > > [snip, format recovered] > > > > > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S > 1812366928:1812366928(0) win 16384 (DF) [tos 0x8] > > > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R > 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8] > > > > [snip] > > > > The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming > > data connection attempt. This looks like a failed PORT (active FTP) > > attempt where we have a _client_ problem, not a problem at your FTP > > server. > > But no matter what FTP client I use, I get the 'can't build data connection' > error. For example if I try to connect with putty to my FTP server I get > this message: > > 220 FreeBSD FTP server (Version 6.00LS) ready. > 331 Password required for USER. > 230 User USER logged in. > 425 Can't build data connection: Connection refused. > > I think it has something to do with the rules because on the local LAN > everything works fine. > > I now have used stateful rules as sugested by someone here. 
> > These are my rules: > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > add 150 divert 8668 all from any to any via ed0 > add 400 deny ip from 127.0.0.0/8 to any > > add 600 allow tcp from MY_IP to any out via ed0 > > add 602 check-state > add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state > add 635 allow udp from any to MY_IP in via ed0 > add 645 allow udp from MY_IP to any out via ed0 > add 650 allow log icmp from any to MY_IP in via ed0 > add 660 allow log icmp from MY_IP to any out via ed0 > > add 800 allow all from 192.168.0.0/16 to any > add 825 allow all from any to 192.168.0.0/16 > > #add 850 allow tcp from 192.168.0.0/16 to any > #add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000 > #add 870 allow udp from any to 192.168.0.0/16 > #add 880 allow udp from 192.168.0.0/16 to any > #add 890 allow icmp from any to 192.168.0.0/16 > #add 895 allow icmp from 192.169.0.0/16 to any > > add 1000 deny log logamount 10 all from any to any in frag > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > As far as I know and have read this should do the trick but it doesn't. I > have tries PASV and ACTIVE FTP and both don't work. 
> > TCPDUMP for ACTIVE FTP:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 17:04:08.066213 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: P 1519333814:1519333870(56) ack 2971297 win 17520 (DF) [tos 0x10]
> > 17:04:08.067798 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:09.066063 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:11.066093 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:15.066168 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:19.896234 MY_IP.ftp > rcshop.rc.rug.nl.3179: R 1601940135:1601940135(0) ack 38821350 win 17520 (DF) [tos 0x10]
> > 17:04:20.246341 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 1634931384:1634931439(55) ack 38949462 win 17520 (DF) [tos 0x10]
> > 17:04:20.300555 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> > 17:04:23.066290 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:27.456353 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 1653306261:1653306316(55) ack 39020811 win 17520 (DF) [tos 0x10]
> > 17:04:27.793576 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> > 17:04:28.567868 rcshop.rc.rug.nl.3225 > MY_IP.ftp: S 39288962:39288962(0) win 8192 (DF)
> > 17:04:28.568133 MY_IP.ftp > rcshop.rc.rug.nl.3225: S 1755167966:1755167966(0) ack 39288963 win 17520 (DF)
> > 17:04:28.611680 rcshop.rc.rug.nl.3225 > MY_IP.ftp: . ack 1 win 8760 (DF)
> > 17:04:28.940150 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 1:49(48) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:29.039644 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 1:17(16) ack 49 win 8712 (DF)
> > 17:04:29.041342 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 49:87(38) ack 17 win 17520 (DF) [tos 0x10]
> > 17:04:29.091936 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 17:32(15) ack 87 win 8674 (DF)
> > 17:04:29.103399 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 87:118(31) ack 32 win 17520 (DF) [tos 0x10]
> > 17:04:29.160436 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 32:40(8) ack 118 win 8643 (DF)
> > 17:04:29.160813 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 118:138(20) ack 40 win 17520 (DF) [tos 0x10]
> > 17:04:29.200054 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 40:50(10) ack 138 win 8623 (DF)
> > 17:04:29.200445 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 138:207(69) ack 50 win 17520 (DF) [tos 0x10]
> > 17:04:29.257561 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 50:58(8) ack 207 win 8554 (DF)
> > 17:04:29.263008 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 207:274(67) ack 58 win 17520 (DF) [tos 0x10]
> > 17:04:29.474192 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 58:63(5) ack 274 win 8487 (DF)
> > 17:04:29.474824 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 274:323(49) ack 63 win 17520 (DF) [tos 0x10]
> > 17:04:29.556793 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 63:71(8) ack 323 win 8438 (DF)
> > 17:04:29.557137 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 323:343(20) ack 71 win 17520 (DF) [tos 0x10]
> > 17:04:29.601939 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 71:97(26) ack 343 win 8418 (DF)
> > 17:04:29.602300 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 343:373(30) ack 97 win 17520 (DF) [tos 0x10]
> > 17:04:29.674594 rcshop.rc.rug.nl.3225 > MY_IP.ftp: P 97:103(6) ack 373 win 8388 (DF)
> > 17:04:29.678006 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
> > 17:04:29.737127 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
> > 17:04:29.766361 MY_IP.ftp > rcshop.rc.rug.nl.3225: . ack 103 win 17520 (DF) [tos 0x10]
> > 17:04:32.676407 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
> > 17:04:32.698254 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
> > 17:04:32.735408 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> > 17:04:38.676511 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
> > 17:04:38.713057 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
> > 17:04:38.745020 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> > 17:04:39.066538 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:04:50.676698 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
> > 17:04:50.738784 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: S 39290295:39290295(0) ack 1755357775 win 8760 (DF)
> > 17:04:50.738804 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> > 17:04:54.116774 MY_IP.ftp > rcshop.rc.rug.nl.3193: FP 1626444027:1626444119(92) ack 38919436 win 17520 (DF) [tos 0x10]
> > 17:04:54.177805 rcshop.rc.rug.nl.3193 > MY_IP.ftp: R 38919436:38919436(0) win 0
> > 17:05:03.056924 MY_IP.ftp > rcshop.rc.rug.nl.3195: FP 1628884294:1628884386(92) ack 38928537 win 17520 (DF) [tos 0x10]
> > 17:05:03.105180 rcshop.rc.rug.nl.3195 > MY_IP.ftp: R 38928537:38928537(0) win 0
> > 17:05:03.506902 MY_IP.ftp > rcshop.rc.rug.nl.3186: R 1613212531:1613212531(0) ack 38864851 win 17520 (DF) [tos 0x10]
> > 17:05:11.067011 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.tr-rsrb-p1: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:14.677052 MY_IP.ftp-data > rcshop.rc.rug.nl.3227: S 1755357774:1755357774(0) win 16384 (DF) [tos 0x8]
> > 17:05:14.722646 rcshop.rc.rug.nl.3227 > MY_IP.ftp-data: . ack 1 win 8760 (DF)
> > 17:05:20.697275 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: P 1538468328:1538468384(56) ack 3043945 win 17520 (DF) [tos 0x10]
> > 17:05:20.698755 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: F 56:56(0) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:21.697161 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:23.697207 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:24.247257 MY_IP.ftp > rcshop.rc.rug.nl.3197: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:24.296611 rcshop.rc.rug.nl.3197 > MY_IP.ftp: R 38949462:38949462(0) win 0
> > 17:05:27.697293 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:31.457349 MY_IP.ftp > rcshop.rc.rug.nl.3204: P 0:55(55) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:31.507791 rcshop.rc.rug.nl.3204 > MY_IP.ftp: R 39020811:39020811(0) win 0
> > 17:05:35.697385 MY_IP.ftp > cc34895-a.groni1.gr.nl.home.com.raid-am: FP 0:56(56) ack 1 win 17520 (DF) [tos 0x10]
> > 17:05:44.677746 MY_IP.ftp > rcshop.rc.rug.nl.3225: P 373:428(55) ack 103 wi
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > If I try to connect with PSV FTP it still doesn't work.
> >
> > I hope you can understand that more than I can...
> >
> > > > And here is the output of IPFW.LOG:
> > > >
> > > > Jun 13 23:41:47 FreeBSD /kernel: ipfw: 615 Accept TCP 213.73.145.189:61617 MY_IP:5617 in via ed0
> > > > Jun 13 23:41:49 FreeBSD last message repeated 9 times
> > > > Jun 13 23:41:49 FreeBSD /kernel: ipfw: limit 10 reached on entry 615
> > >
> > > None of this traffic is seen in the dump you sent. This might be a
> > > PASV (passive) attempt?
> >
> > There is no entry in the IPFW.LOG file of my attempts.
> >
> > This is starting to get a headache I guess, I've tried almost all of the
> > suggestions mentioned in this discussion.
> > Marcel
> >

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jun 14 9:47:24 2001
Date: Thu, 14 Jun 2001 19:45:56 +0300
From: Peter Pentchev
To: Igor Roshchin
Cc: nascar24@home.nl, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules
Message-ID: <20010614194556.A729@ringworld.oblivion.bg>
In-Reply-To: <200106141559.LAA90429@giganda.komkon.org>

On Thu, Jun 14, 2001 at 11:59:28AM -0400, Igor Roshchin wrote:
>
>
> If those rules are all rules you have,
> and I didn't miss any line,
> no ftp would be allowed to go through, since
> there is no rule for the port 21.
> Aren't you mixing something ? ftp is at port 21.
> Port 22 is ssh.
> (Check /etc/services)
>
> However, I am puzzled, how do you manage to establish the initial connect
> at all.

This has been discussed before: his FTP server is listening on a high port.
G'luck,
Peter

-- 
If this sentence were in Chinese, it would say something else.

From owner-freebsd-security Thu Jun 14 9:49:48 2001
Date: Thu, 14 Jun 2001 12:49:32 -0400 (EDT)
From: anindya
Subject: remote syslog question
Message-ID: <20010614123656.K55091-100000@phat.bastard.net>

Hi folks,

I've been running a very nice 4.3-STABLE system with
IPF as my firewall for some time now, without problems. Of
course I am sending my syslogs to a remote host, but
I want to keep an additional copy of the ipf logs locally.
My syslog.conf has just 2 lines:

*.*            @loghost
local0.*       /var/log/ipflog

I was guessing that the local0.* stuff would be sent to
both places, but that is not the case; I don't get
ipf logs on my loghost. What change do I need
to make in order to send local0.* to both places?
man 5 syslog.conf doesn't indicate that you can
take multiple actions for a given facility/priority.
Thanks,
--Anindya

From owner-freebsd-security Thu Jun 14 9:50:39 2001
Date: Thu, 14 Jun 2001 18:49:40 +0200
From: Thiebaut
Subject: RE: IPFILTER byte/packet counting
In-Reply-To: <20010612230624.D62873@hades.hell.gr>

> The output is probably what you want :-)
>

You can also try this :

"IP Accounting Package for Darren Reed's IP Filter

Using the count option of IP Filter, this small package will create web
pages suitable for your billing department. Please send your modifications
to ipacct@empnet.com for future versions!

Using IP Filter and this ipacct package, what can you do?
Count traffic for virtual-hosted web sites on an IP Filter capable web server
Count traffic for clients (campus networks, co-location servers, the whole thing)
Put all of it into a web page suitable for a billing department
Or just use it to see who is using bandwidth
Using the individual web page feature, give each of your clients an
opportunity to see how much bandwidth they alone are using"

Taken from : http://www2.empnet.com/ipacct/

By,
Th.

From owner-freebsd-security Thu Jun 14 9:52:02 2001
Date: Thu, 14 Jun 2001 09:51:44 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Peter Pentchev
Cc: Igor Roshchin, nascar24@home.nl, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules
Message-ID: <3B28EBA0.42917E22@globalstar.com>
References: <046b01c0f4e8$a32a9200$0900a8c0@windows> <200106141559.LAA90429@giganda.komkon.org> <20010614194556.A729@ringworld.oblivion.bg>

Peter Pentchev wrote:
>
> On Thu, Jun 14, 2001 at 11:59:28AM -0400, Igor Roshchin wrote:
> >
> >
> > If those rules are all rules you have,
> > and I didn't miss any line,
> > no ftp would be allowed to go through, since
> > there is no rule for the port 21.
> > Aren't you mixing something ? ftp is at port 21.
> > Port 22 is ssh.
> > (Check /etc/services)
> >
> > However, I am puzzled, how do you manage to establish the initial connect
> > at all.
>
> This has been discussed before: his FTP server is listening on a high port.

But his tcpdump(8) output indicates the 'ftp' port is being used... I
hope he didn't edit /etc/services (yee-uck).
-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Thu Jun 14 9:56:18 2001
Date: Thu, 14 Jun 2001 09:56:06 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: anindya
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
Message-ID: <3B28ECA6.C29995BF@globalstar.com>
References: <20010614123656.K55091-100000@phat.bastard.net>

anindya wrote:
>
> Hi folks,
>
> I've been running a very nice 4.3-STABLE system with
> IPF as my firewall for some time now, without problems. Of
> course I am sending my syslogs to a remote host, but
> I want to keep an additional copy of the ipf logs locally.
> My syslog.conf has just 2 lines:
>
> *.*            @loghost
> local0.*       /var/log/ipflog
>
> I was guessing that the local0.* stuff would be sent to
> both places, but that is not the case; I don't get
> ipf logs on my loghost.

[snip]

What does the syslog.conf(5) on the log host look like? What does
it do with the local0 facility? If you do a tcpdump(8), do you see
the local0 messages leaving the firewall and getting to the log host?
-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

From owner-freebsd-security Thu Jun 14 10:10:24 2001
Date: Thu, 14 Jun 2001 13:10:19 -0400 (EDT)
From: anindya
Subject: Re: remote syslog question
Message-ID: <20010614131003.B55181-100000@phat.bastard.net>

> What does the syslog.conf(5) on the log host look like? What does
> it do with the local0 facility?

I have a default syslog.conf on the loghost, and have simply added
one line:

local0.*       /var/log/ipflog

> If you do a tcpdump(8), do you see
> the local0 messages leaving the firewall and getting to the log host?

Yes, every other type of syslog message goes to the loghost no problems.
Also, if I comment out the local0.* line on the firewall,
I start getting ipf messages, so it's all working correctly,
the real question is, is it possible to send local0.* to
both places?
thanks,
--Anindya

From owner-freebsd-security Thu Jun 14 10:15:31 2001
Date: Thu, 14 Jun 2001 10:20:04 -0700
From: Craig Cowen
To: anindya
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
Message-ID: <3B28F243.5FFE3706@allmaui.com>
References: <20010614123656.K55091-100000@phat.bastard.net>

we simply have two lines for each facility.
One for remote logging and one for local logging.
local*.* has nothing to do with local logging.
It is an available facility for programs such as sudo which by default
uses local2.*.

Craig

anindya wrote:
> Hi folks,
>
> I've been running a very nice 4.3-STABLE system with
> IPF as my firewall for some time now, without problems. Of
> course I am sending my syslogs to a remote host, but
> I want to keep an additional copy of the ipf logs locally.
> My syslog.conf has just 2 lines:
>
> *.*            @loghost
> local0.*       /var/log/ipflog
>
> I was guessing that the local0.* stuff would be sent to
> both places, but that is not the case; I don't get
> ipf logs on my loghost. What change do I need
> to make in order to send local0.* to both places?
> man 5 syslog.conf doesn't indicate that you can
> take multiple actions for a given facility/priority.
> will do what I want, but I figure there must be
> an easier way.>
>
> Thanks,
> --Anindya

From owner-freebsd-security Thu Jun 14 10:24:53 2001
Date: Thu, 14 Jun 2001 10:24:45 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Marcel Dijk
Cc: Evren Yurtesen, "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules
Message-ID: <3B28F35D.F9B0BA04@globalstar.com>
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows>

Marcel Dijk wrote:
>
> > OK, we got your control connection some AIM traffic and IPX, all with
> > some hideous auto-line-wrapping, but there looks to be a data connection
> > problem in there too.
> >
> > [snip, format recovered]
> >
> > > 23:52:18.020112 MY_IP.ftp-data > qn-213-73-145-189.quicknet.nl.1626: S 1812366928:1812366928(0) win 16384 (DF) [tos 0x8]
> > > 23:52:18.065074 qn-213-73-145-189.quicknet.nl.1626 > MY_IP.ftp-data: R 1812366928:1812366928(0) ack 1812366929 win 16384 (DF) [tos 0x8]
> >
> > [snip]
> >
> > The client, qn-213-73-145-189.quicknet.nl, is rejecting the incoming
> > data connection attempt. This looks like a failed PORT (active FTP)
> > attempt where we have a _client_ problem, not a problem at your FTP
> > server.
>
> But no matter what FTP client I use, I get the 'can't build data connection'
> error. For example if I try to connect with putty to my FTP server I get
> this message:
>
> 220 FreeBSD FTP server (Version 6.00LS) ready.
> 331 Password required for USER.
> 230 User USER logged in.
> 425 Can't build data connection: Connection refused.
>
> I think it has something to do with the rules because on the local LAN
> everything works fine.
>
> I now have used stateful rules as suggested by someone here.

That keep-state does not do anything for you. You have broken your
loopback also.
> These are my rules:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> add 150 divert 8668 all from any to any via ed0
> add 400 deny ip from 127.0.0.0/8 to any
>
> add 600 allow tcp from MY_IP to any out via ed0
>
> add 602 check-state
> add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
> add 635 allow udp from any to MY_IP in via ed0
> add 645 allow udp from MY_IP to any out via ed0
> add 650 allow log icmp from any to MY_IP in via ed0
> add 660 allow log icmp from MY_IP to any out via ed0
>
> add 800 allow all from 192.168.0.0/16 to any
> add 825 allow all from any to 192.168.0.0/16
>
> #add 850 allow tcp from 192.168.0.0/16 to any
> #add 860 allow tcp from any to 192.168.0.0/16 22,5617,10000
> #add 870 allow udp from any to 192.168.0.0/16
> #add 880 allow udp from 192.168.0.0/16 to any
> #add 890 allow icmp from any to 192.168.0.0/16
> #add 895 allow icmp from 192.169.0.0/16 to any
>
> add 1000 deny log logamount 10 all from any to any in frag
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OK, comparing your tcpdump(8) to your firewall rules, I notice the
tcpdump says you are using port 'ftp.' Did you edit /etc/services? I
don't see ftp being passed and I thought you were using a non-standard
port for FTP.

The problem with active FTP: Your machine can send packets out to a
client via rule 600, but the responses from the client will be dropped
since there is no rule passing the responses. _That_ is where you would
want a 'keep-state,' in rule 600, not 603.

The problem with passive FTP: Your machine will never allow in the
connection attempts from a client.
Here is what I would do,

# Pass loopback traffic
add 100 allow ip from any to any via lo0
# Protect loopback address
add 200 deny ip from 127.0.0.0/8 to any
add 300 deny ip from any to 127.0.0.0/8
# Block spoofs
add 400 deny ip from MY_IP to any in via ed0
# Check dynamic rules
add 400 check-state
# Make dynamic entries for all outgoing traffic
add 500 allow tcp from MY_IP to any keep-state out via ed0
add 600 allow udp from MY_IP to any keep-state out via ed0
# Just pass ICMP
add 700 allow icmp from MY_IP to any out via ed0
# Allow ping replies and requests, and various error messages
add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
# Pass everything on private LAN (do we have another interface?
# Otherwise, these rules are dangerous)
add 1000 allow ip from 192.168.0.0/16 to any
add 1100 allow ip from any to 192.168.0.0/16
# Log the rejects that have fallen through
add 65000 deny log ip from any to any
-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926
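To make the diagnosis above concrete, here is an added toy model of ipfw's first-match evaluation (not ipfw code and not anything posted in the thread), fed Marcel's rules and Crist's proposed set together with the rule 650 from his follow-up. It assumes a default-deny rule 65535, treats divert as a pass-through, uses constructed addresses for MY_IP and the client, and leaves out the udp/icmp rules, which cannot match the TCP packets tested.

```python
"""Toy model of ipfw first-match evaluation, added for this thread (not ipfw code).
Assumptions: the default rule 65535 denies, divert/natd is a pass-through, logging
is ignored, and MY_IP and the client address are constructed placeholders."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

MY_IP, CLIENT = "198.51.100.10", "203.0.113.5"
# The rule sets from the thread, minus the udp/icmp rules (they cannot match TCP).
MARCEL_RULES = """
add 150 divert 8668 all from any to any via ed0
add 400 deny ip from 127.0.0.0/8 to any
add 600 allow tcp from MY_IP to any out via ed0
add 602 check-state
add 603 allow log tcp from any to MY_IP 22,5617,10000 in setup keep-state
add 800 allow all from 192.168.0.0/16 to any
add 825 allow all from any to 192.168.0.0/16
add 1000 deny log logamount 10 all from any to any in frag
"""
CRIST_RULES = """
add 100 allow ip from any to any via lo0
add 200 deny ip from 127.0.0.0/8 to any
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from MY_IP to any in via ed0
add 400 check-state
add 500 allow tcp from MY_IP to any keep-state out via ed0
add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
add 1000 allow ip from 192.168.0.0/16 to any
add 1100 allow ip from any to 192.168.0.0/16
add 65000 deny log ip from any to any
"""
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn ack frag",
                    defaults=(False, False, False))
OPTIONS = {"in", "out", "via", "setup", "keep-state", "frag"}

def parse(text, my_ip):
    """Parse the ipfw subset used in the thread; rules come back in number order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.replace("MY_IP", my_ip).split()
        r = dict(num=int(tok[1]), action=tok[2], proto="ip", src="any", dst="any", dports=None)
        i = 4 if tok[2] == "divert" else 3               # divert carries a port argument
        if tok[2] != "check-state":
            while tok[i] in ("log", "logamount"):        # logging never changes the verdict
                i += 2 if tok[i] == "logamount" else 1
            r["proto"], r["src"], r["dst"] = tok[i], tok[i + 2], tok[i + 4]
            i += 5
            if i < len(tok) and tok[i] not in OPTIONS:   # destination port list
                r["dports"] = {int(p) for p in tok[i].split(",")}
                i += 1
        opts = tok[i:]
        r["dir"] = next((w for w in opts if w in ("in", "out")), None)
        r["via"] = opts[opts.index("via") + 1] if "via" in opts else None
        r["setup"], r["keep"], r["frag"] = "setup" in opts, "keep-state" in opts, "frag" in opts
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])         # stable: 400 deny stays before 400 check-state

def host_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(r, p):
    return (r["proto"] in ("ip", "all", p.proto)
            and host_match(r["src"], p.src) and host_match(r["dst"], p.dst)
            and (r["dports"] is None or p.dport in r["dports"])
            and (r["dir"] is None or r["dir"] == p.direction)
            and (r["via"] is None or r["via"] == p.iface)
            and (not r["setup"] or (p.syn and not p.ack))
            and (not r["frag"] or p.frag))

def flow(p):                                             # direction-agnostic key for the dynamic table
    return p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Firewall:
    def __init__(self, text, my_ip=MY_IP):
        self.rules, self.dynamic = parse(text, my_ip), set()

    def filter(self, p):
        """First matching rule decides; returns (verdict, rule number or 'dynamic')."""
        for r in self.rules:
            # the dynamic table is consulted at the first check-state or keep-state rule
            if (r["action"] == "check-state" or r["keep"]) and flow(p) in self.dynamic:
                return "allow", "dynamic"
            if r["action"] in ("check-state", "divert") or not matches(r, p):
                continue
            if r["keep"]:
                self.dynamic.add(flow(p))
            return r["action"], r["num"]
        return "deny", 65535                             # assumed kernel default rule

def active_ftp_data(rules):
    """Server opens the data connection from ftp-data (20); verdicts for its SYN and the reply."""
    fw = Firewall(rules)
    syn = Packet("tcp", MY_IP, 20, CLIENT, 3227, "out", "ed0", syn=True)
    syn_ack = Packet("tcp", CLIENT, 3227, MY_IP, 20, "in", "ed0", syn=True, ack=True)
    return fw.filter(syn), fw.filter(syn_ack)

def inbound_connect(rules, dport, src=CLIENT, iface="ed0"):
    """A SYN to MY_IP:dport arriving on iface (21 = ftp control, a high port = PASV data)."""
    return Firewall(rules).filter(Packet("tcp", src, 3225, MY_IP, dport, "in", iface, syn=True))
```

With Marcel's rules the outgoing data SYN passes rule 600 but the client's SYN-ACK falls through to the default deny, which is consistent with the repeated SYNs from MY_IP.ftp-data to port 3227 in the tcpdump above; with keep-state on the outbound rule the reply matches the dynamic entry, while a SYN to port 21 or to a passive data port, and loopback traffic under rule 400, come out as Crist describes.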
From owner-freebsd-security Thu Jun 14 10:36:00 2001
Date: Thu, 14 Jun 2001 10:35:42 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Marcel Dijk, Evren Yurtesen, "Antoine Beaupre (LMC)", "Thomas T. Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules
Message-ID: <3B28F5EE.509B1261@globalstar.com>
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com>

Crist Clark wrote:

Oops. Correcting an oversight in the rules I posted. Sorry for the
self-follow-up.

[snip]
> Here is what I would do,
>
> # Pass loopback traffic
> add 100 allow ip from any to any via lo0
> # Protect loopback address
> add 200 deny ip from 127.0.0.0/8 to any
> add 300 deny ip from any to 127.0.0.0/8
> # Block spoofs
> add 400 deny ip from MY_IP to any in via ed0
> # Check dynamic rules
> add 400 check-state
> # Make dynamic entries for all outgoing traffic
> add 500 allow tcp from MY_IP to any keep-state out via ed0
> add 600 allow udp from MY_IP to any keep-state out via ed0

# Services we offer to the world
add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0

> # Just pass ICMP
> add 700 allow icmp from MY_IP to any out via ed0
> # Allow ping replies and requests, and various error messages
> add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> # Pass everything on private LAN (do we have another interface?
> # Otherwise, these rules are dangerous)
> add 1000 allow ip from 192.168.0.0/16 to any
> add 1100 allow ip from any to 192.168.0.0/16
> # Log the rejects that have fallen through
> add 65000 deny log ip from any to any
-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 10:38:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id B24DA37B406 for ; Thu, 14 Jun 2001 10:38:07 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEXKYU00.U45; Thu, 14 Jun 2001 10:37:42 -0700 Message-ID: <3B28F67D.4A1EB608@globalstar.com> Date: Thu, 14 Jun 2001 10:38:05 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: anindya Cc: freebsd-security@FreeBSD.ORG Subject: Re: remote syslog question References: <20010614131003.B55181-100000@phat.bastard.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org anindya wrote: > > > What does the syslog.conf(5) on the log host look like? What does > > it do with the local0 facility? 
> > I have a default syslog.conf on the loghost, and have simply added > one line: > > local0.* /var/log/ipflog And /var/log/ipflog exists and the syslogd(8) daemon was SIGHUP'ed or restarted since the change? > If you do a tcpdump(8), do you see > > the local0 messages leaving the firewall and getting to the log host? > > Yes, every other type of syslog message goes to the loghost no problems. > Also, if I comment out the local0.* line on the firewall, > I start getting ipf messages, so its all working correctly, > the real question is, is it possible to send local0.* to > both places? Hrm. You are saying that if you comment out the 'local0.*' line in the firewall's syslog.conf(5), then the log host starts logging the ipf(8) stuff correctly? That is to say, it looks like that the local0.* line on the firewall seems to prevent it from forwarding the messages to log host? That would be really strange. No matter what is happening, you may want to run the syslogd(8) processes in debug mode to see what they are actually up to. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. 
If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 11:32: 3 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id CBCE537B403 for ; Thu, 14 Jun 2001 11:31:52 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 65137 invoked by uid 1000); 14 Jun 2001 18:30:28 -0000 Date: Thu, 14 Jun 2001 21:30:28 +0300 From: Peter Pentchev To: Craig Cowen Cc: anindya , freebsd-security@FreeBSD.ORG Subject: Re: remote syslog question Message-ID: <20010614213028.F729@ringworld.oblivion.bg> Mail-Followup-To: Craig Cowen , anindya , freebsd-security@FreeBSD.ORG References: <20010614123656.K55091-100000@phat.bastard.net> <3B28F243.5FFE3706@allmaui.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B28F243.5FFE3706@allmaui.com>; from craig@allmaui.com on Thu, Jun 14, 2001 at 10:20:04AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 14, 2001 at 10:20:04AM -0700, Craig Cowen wrote: > we simply have two lines for each facility. > One for remote logging and one for local logging. > local*.* has nothing to do with local logging. > It is an available facility for programs such as sudo which by default > uses local2.*. And maybe the original poster has configured ipfilter to log to local0.something.. G'luck, Peter -- I've heard that this sentence is a rumor. 
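The question in this thread is whether the firewall's syslog.conf can send local0.* both to a local file and to the log host. As an added illustration, not code from any of the posters or from FreeBSD's syslogd, here is a small Python evaluator for syslog.conf(5) selector lines that follows the rules that man page documents: facility.level selectors, the comparison flags with ">=" as the default, "*" for all facilities or all levels, "none" to exclude a facility, later selectors on one line modifying the ones before them, and every configuration line being matched independently of the others. It goes a little beyond the two-line case in the thread by also exercising the comparison flags and a "none" exclusion. The facility list, the sample configurations and the loghost name are assumptions constructed for the example; program ("!prog") and host ("+host") blocks are not modelled.

```python
"""Evaluate syslog.conf(5) selector lines against a message.

Added illustration for the remote-syslog thread above; it is not code from
the thread or from FreeBSD's syslogd.  It models the selector semantics the
syslog.conf(5) man page documents: facility.level selectors, comparison flags
(the default ">=", plus "=", "<", ">", "<=" and "!" for negation), "*" for all
facilities or all levels, "none" to drop a facility, later selectors on the
same line modifying earlier ones, and every configuration line being matched
independently.  The facility list and the sample configurations are
assumptions constructed for the example.
"""
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console"]
FACILITIES += ["local%d" % i for i in range(8)]

SELECTOR_RE = re.compile(
    r"^(?P<facs>[^.]+)\.(?P<neg>!?)(?P<cmp><=|>=|<|>|=)?(?P<lvl>\w+|\*)$")


def _level_test(negate, cmp_, lvl):
    """Build a predicate over a numeric level (0 = emerg ... 7 = debug)."""
    if lvl == "none":
        return lambda _n: False
    if lvl == "*":
        threshold, cmp_ = LEVELS.index("debug"), ">="
    else:
        threshold = LEVELS.index(lvl)
    cmp_ = cmp_ or ">="
    # Smaller numbers are more important, so ">= level" means n <= threshold.
    tests = {
        ">=": lambda n: n <= threshold,
        ">": lambda n: n < threshold,
        "=": lambda n: n == threshold,
        "<=": lambda n: n >= threshold,
        "<": lambda n: n > threshold,
    }
    test = tests[cmp_]
    return (lambda n: not test(n)) if negate else test


def parse_line(line):
    """Turn 'sel;sel...  action' into ({facility: predicate}, action)."""
    selectors, action = line.rsplit(None, 1)
    table = {}
    for sel in selectors.split(";"):
        m = SELECTOR_RE.match(sel.strip())
        if not m:
            raise ValueError("bad selector %r" % sel)
        if m["facs"] == "*":
            facs = FACILITIES
        else:
            facs = [f.strip() for f in m["facs"].split(",")]
        pred = _level_test(m["neg"] == "!", m["cmp"], m["lvl"])
        for fac in facs:
            if fac not in FACILITIES:
                raise ValueError("unknown facility %r" % fac)
            table[fac] = pred          # a later selector modifies earlier ones
    return table, action


def route(conf, facility, level):
    """Return the actions, in file order, that a facility.level message reaches."""
    n = LEVELS.index(level)
    actions = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":
            continue                   # program/host blocks are not modelled here
        table, action = parse_line(line)
        pred = table.get(facility)
        if pred is not None and pred(n):
            actions.append(action)
    return actions


# Constructed syslog.conf fragments for a firewall (assumptions, not the
# original poster's file).  ipfilter logs to local0 by default.
BOTH_DESTINATIONS = """
local0.*            /var/log/ipflog
*.*                 @loghost
"""

SWAPPED = """
*.*                 @loghost
local0.*            /var/log/ipflog
"""

# One configuration that does produce "logged locally, never forwarded":
# the forwarding line excludes local0 with "none".
EXCLUDED = """
local0.*                 /var/log/ipflog
*.notice;local0.none     @loghost
"""

if __name__ == "__main__":
    for name, conf in (("both", BOTH_DESTINATIONS), ("swapped", SWAPPED),
                       ("excluded", EXCLUDED)):
        print("%-9s local0.info -> %s" % (name, route(conf, "local0", "info")))
```

Run stand-alone it prints the destinations a local0.info message reaches under each fragment: with the two-line configuration the message reaches both actions whichever order the lines are in, while the local0.none variant is one way to get "written to the local file but never forwarded". If a real file behaves differently from this model, the program and host blocks the example leaves out, and syslogd's debug mode as suggested above, are the places to look.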
From owner-freebsd-security Thu Jun 14 11:34:34 2001
Received: from void.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 4542337B403 for ; Thu, 14 Jun 2001 11:34:27 -0700 (PDT) (envelope-from Yonatan@xpert.com)
Received: from mailserv.xpert.com ([199.203.132.135]) by void.xpert.com with esmtp (Exim 3.20 #1) id 15Abvc-0006SK-00 for freebsd-security@freebsd.org; Thu, 14 Jun 2001 21:33:12 +0300
Received: by mailserv.xpert.com with Internet Mail Service (5.5.2650.21) id ; Thu, 14 Jun 2001 21:34:12 +0300
From: Yonatan Bokovza
To: "'freebsd-security@freebsd.org'"
Subject: RE: apache security question
Date: Thu, 14 Jun 2001 21:34:09 +0300

And if you're totally paranoid and this is the only instance you saw
"HEAD /" in the logs, you might consider filtering this IP in your
firewall. You do have a firewall, right?

> -----Original Message-----
> From: default013 - subscriptions
> [mailto:default013subscriptions@hotmail.com]
> Sent: Thursday, June 14, 2001 16:21
> To: freebsd-security@FreeBSD.ORG
> Cc: Neil Fryer
> Subject: Re: apache security question
>
>
> Neil,
>
> Thanks all, :)
>
> I attempted this in telnet and got a 'method not supported' message.
> ... I'm just being extra careful lately because I know that this guy
> is trying to do things to my box... whatever this was, it didn't work
> so... thanks
>
> ----- Original Message -----
> From: "Neil Fryer"
> To: "default013 - subscriptions" ; "default013 - subscriptions" ;
> Sent: Thursday, June 14, 2001 8:09 AM
> Subject: Re: apache security question
>
>
> > 'ello
> >
> > Ok, afaik, this command could quite easily be run by telnetting into
> > port 80 on your webserver, as you'll have this open anyway on your fw
> > to allow web traffic, as for your other question, sorry can't help.
> >
> > Cheers
> > Neil Fryer
> > neilf@mip.co.za
> >
> >
> > On Thu, 14 Jun 2001, default013 - subscriptions wrote:
> > > Hello, I've been advised that someone is attempting to break into
> > > my box, and I know that this person is knowledgeable so I've been
> > > watching for unusual activity...
> > >
> > > I noticed this entry in one of my apache logfiles yesterday, and
> > > was wondering if anyone could explain to me what this is:
> > >
> > > mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500]
> > > "HEAD / HTTP/1.0" 200 0 "-"
> > >
> > > It appears to me like they somehow executed the 'head' command...
> > > how would one do this, and how could you stop it?
> > >
> > > Thanks, Jordan
> >
> > --
> > "Against stupidity, even the Gods struggle in vain."
> > - Friedrich von Schiller

From owner-freebsd-security Thu Jun 14 11:41:39 2001
Received: from allmaui.com (server25.aitcom.net [208.234.0.10]) by hub.freebsd.org (Postfix) with ESMTP id 4ABEE37B405 for ; Thu, 14 Jun 2001 11:41:34 -0700 (PDT) (envelope-from craig@allmaui.com)
Received: from allmaui.com (pwnat-3-o.placeware.com [209.1.15.35]) by allmaui.com (8.8.8/8.8.5) with ESMTP id OAA13791; Thu, 14 Jun 2001 14:41:27 -0400
Message-ID: <3B29066F.CC0A8D20@allmaui.com>
Date: Thu, 14 Jun 2001 11:46:08 -0700
From: Craig Cowen
To: Peter Pentchev
Cc: anindya, freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
References: <20010614123656.K55091-100000@phat.bastard.net> <3B28F243.5FFE3706@allmaui.com> <20010614213028.F729@ringworld.oblivion.bg>

Sorry, maybe I misunderstood the question.
Just trying to help.

Peter Pentchev wrote:
> On Thu, Jun 14, 2001 at 10:20:04AM -0700, Craig Cowen wrote:
> > we simply have two lines for each facility.
> > One for remote logging and one for local logging.
> > local*.* has nothing to do with local logging.
> > It is an available facility for programs such as sudo which by default
> > uses local2.*.
>
> And maybe the original poster has configured ipfilter to log
> to local0.something..
>
> G'luck,
> Peter
>
> --
> I've heard that this sentence is a rumor.

From owner-freebsd-security Thu Jun 14 12:04:13 2001
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 8DF3737B401 for ; Thu, 14 Jun 2001 12:04:06 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 51836 invoked by uid 1000); 14 Jun 2001 19:04:27 -0000
Date: Thu, 14 Jun 2001 21:04:27 +0200
From: "Karsten W. Rohrbach"
To: Kris Kennaway
Cc: Alex Popa, security@freebsd.org
Subject: Re: Compiling untrusted source -- what are the risks?
Message-ID: <20010614210427.E49807@mail.webmonster.de>
References: <20010613092402.A8413@ldc.ro> <20010613130313.B64020@xor.obsecurity.org>
In-Reply-To: <20010613130313.B64020@xor.obsecurity.org>; from kris@obsecurity.org on Wed, Jun 13, 2001 at 01:03:13PM -0700

Kris Kennaway(kris@obsecurity.org)@2001.06.13 13:03:13 +0000:
> On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote:
>
> > The step I am worried about is the compiling, since I do need to have
> > the include files and libraries available. The output should be a
> > statically linked file, which would run in a jail (separate one per
> > source file) which contains nothing more than the compiled binary, and
> > the input file. The evaluation program will run in a separate jail,
> > given only the output file from the program, and maybe an "expected
> > results" file. I plan on using ipfw to block all traffic on that
> > machine (will be a dedicated machine) not coming from a few trusted
> > uids (like root and the evaluation process). I also plan setting up
> > resource limits, and not running more evaluation jobs at the same time
> > (ruins timing).
>
> You could do this step in a jail if you wanted to. If you're using
> user-supplied makefiles, then they can run arbitrary commands. If
> you're using a fixed set of compiler invocations and the standard
> toolchain then it should probably be okay (I don't know of any ways to
> cause the compiler toolchain to execute arbitrary commands during
> compilation).
>

although, being a paranoid bastard myself, i would reconstruct the whole
jail after creating a backup of the work environment only when the
evaluation process for one package is finished. this gives you a clean
slate point of start for everything again.

/k
--
> Only wimps use tape backups; real men put their software on ftp-servers
> and let the rest of the world mirror it. --Linus Torvalds
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 14 12:06:24 2001
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 44CAC37B405 for ; Thu, 14 Jun 2001 12:06:17 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 51954 invoked by uid 1000); 14 Jun 2001 19:06:38 -0000
Date: Thu, 14 Jun 2001 21:06:38 +0200
From: "Karsten W. Rohrbach"
To: Crist Clark
Cc: Marcel Dijk, Evren Yurtesen, "Antoine Beaupre (LMC)", "Thomas T.
Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now.
Message-ID: <20010614210638.F49807@mail.webmonster.de>
References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com>
In-Reply-To: <3B27D344.82AEDED0@globalstar.com>; from crist.clark@globalstar.com on Wed, Jun 13, 2001 at 01:55:32PM -0700

Crist Clark(crist.clark@globalstar.com)@2001.06.13 13:55:32 +0000:
> Marcel Dijk wrote:
> >
> > > To the original poster, also keep in mind that firewalls at the other
> > > end of your connection could be making trouble for you too. You can use
> > > tcpdump(8) and firewall logging to see if traffic is getting to your
> > > FTP server at all.
> > > --
> > > Crist J. Clark                                Network Security Engineer
> > > crist.clark@globalstar.com                    Globalstar, L.P.
> > > (408) 933-4387                                FAX: (408) 933-4926
> >
> > Traffic IS getting to the FTP server, because I can login. The thing is when
> > I have logged in and the client sends the LIST command it can't read the
> > directory and closes the connection. As described here:
> >
> > _______________________________________
> > Can't build data connection: interrupted system call.
> > ABOR command successful.
> > Connection Lost
> > _______________________________________
> >
> > So, connection TO the server seems to work but when the server tries to SEND
> > traffic to the client it fails.
>
> I realize that you are having no problem with your _control_ connection,
> your data connection is failing. I was interested in tcpdump(8) to make
> sure that the incoming data connection was actually making it to your
> server, or just to see what the heck was up with the data connection.

ipfilter's protocol dependent stateful filtering could do serious magic
here...

/k
--
> "I didn't change a thing and from the moment I didn't change it,
> it didn't work anymore." --Anonymous
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 14 12:22:30 2001
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 590ED37B403 for ; Thu, 14 Jun 2001 12:22:20 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 52487 invoked by uid 1000); 14 Jun 2001 19:22:41 -0000
Date: Thu, 14 Jun 2001 21:22:41 +0200
From: "Karsten W. Rohrbach"
To: Yonatan Bokovza
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: apache security question
Message-ID: <20010614212241.G49807@mail.webmonster.de>
In-Reply-To: ; from Yonatan@xpert.com on Thu, Jun 14, 2001 at 09:34:09PM +0300

Yonatan Bokovza(Yonatan@xpert.com)@2001.06.14 21:34:09 +0000:
> and if you're totally paranoid and this is
> the only instance you saw "HEAD /" in the logs,
> you might consider filtering this IP in your firewall.

hell no, apache has instrumentation for this:

    order deny,allow
    deny from all

if you have it in a section you might also use instead of
i propose, anyway, you consult the HTTP 1.1 protocol specs _before_
doing this since you will break several things, including in-between
proxy functionality. the specs are available at http://www.w3c.org/

> You do have a firewall, right?

why? for a web-only server? *grin* the only service that listens is
httpd on tcp port 80, for severe network scanning and synflood handling
consult the blackhole(4) man page. so, what for do you need a firewall
now? ;-) ipopts? short packets? okay, but you can do that on the box
itself, again.
icmp storms and the like cannot be handled efficiently by most
firewalling products, so you want to implement it on the connected next
tier equipment or even the border of your network.

> > I attempted this in telnet and got a 'method not supported'
> > message. ... I'm just being extra careful lately because I know that
> > this guy is trying to do things to my box... whatever this was, it
> > didn't work so... thanks

i think you already have some serious misconfiguration on your box, or
you did not ask the right question to your webserver ;-)

---
rohrbach@WM:datasink[~]5% telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 14 Jun 2001 19:15:58 GMT
Server: Apache/1.3.19 (Unix)
Connection: close
Content-Type: text/html

Connection closed by foreign host.
---

> > > > mydomainname.com otherguyshostname.com - - [12/Jun/2001:18:21:35 -0500]
> > > > "HEAD / HTTP/1.0" 200 0 "-"

this is not an intrusion attempt. this might be a survey to find out
your software version and extension modules. do not obscure hostnames in
mails, it will lead to more confusion than really helpful replies.

> > > > It appears to me like they somehow executed the 'head' command...
> > > > how would one do this, and how could you stop it?

HTTP HEAD gives you the headers of the corresponding GET operation.
different from GET, where you will also get the object data, HEAD
transmits only the headers like with GET but no (file) object data.

/k
--
> Microsoft isn't the answer. Microsoft is the question, and the answer is no.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Thu Jun 14 13:15:59 2001
Received: from mail.goonda.org (mail.goonda.org [208.37.165.142]) by hub.freebsd.org (Postfix) with SMTP id 3AE1937B407 for ; Thu, 14 Jun 2001 13:15:50 -0700 (PDT) (envelope-from goonda@bastard.net)
Received: (qmail 27795 invoked from network); 14 Jun 2001 20:15:48 -0000
Received: from unknown (HELO phat.bastard.net) (208.37.165.141) by mail.goonda.org with SMTP; 14 Jun 2001 20:15:48 -0000
Received: from localhost (localhost [127.0.0.1]) by phat.bastard.net (8.11.4/8.11.4) with ESMTP id f5EKFmu56409 for ; Thu, 14 Jun 2001 16:15:48 -0400 (EDT) (envelope-from goonda@bastard.net)
Date: Thu, 14 Jun 2001 16:15:48 -0400 (EDT)
From: anindya
Subject: Re: remote syslog question
In-Reply-To: <3B28F67D.4A1EB608@globalstar.com>
Message-ID: <20010614161245.D56348-100000@phat.bastard.net>

Fernando P. Schapachnik provided me the answer in email: simply swap the
order of the lines in syslog.conf. Apparently syslogd does the specific
match first, then processes the rules top-to-bottom. I knew it had to be
something simple ;)

BTW, local0 is the default facility that ipfilter uses, which is why I
am using it in my examples.

Thanks,
--Anindya

From owner-freebsd-security Thu Jun 14 13:17:52 2001
Received: from nol.co.za (nol.co.za [196.33.45.2]) by hub.freebsd.org (Postfix) with ESMTP id 8722537B401 for ; Thu, 14 Jun 2001 13:17:36 -0700 (PDT) (envelope-from tim@nol.co.za)
Received: from cafe2.sz.co.za ([196.33.45.155] helo=netgod.nol.co.za) by nol.co.za with esmtp (Exim 3.13 #1) id 15AdYP-0003SL-00 for freebsd-security@freebsd.org; Thu, 14 Jun 2001 22:17:21 +0200
Message-Id: <5.0.2.1.2.20010614221434.00aaeec0@nol.co.za>
Date: Thu, 14 Jun 2001 22:20:29 +0200
To: freebsd-security@freebsd.org
From: "Timothy S. Bowers"
Subject: DOS attack ?

I'm getting this same error message all the time, even after I increased
the kernel maxusers setting to 512.
bug in 3com drivers ? dos attack ?

xl1: no memory for rx list -- packet dropped!
Thanks,
Timothy

From owner-freebsd-security Thu Jun 14 13:48:18 2001
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id D0C4A37B40D for ; Thu, 14 Jun 2001 13:48:03 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEXTRE00.66G; Thu, 14 Jun 2001 13:47:38 -0700
Message-ID: <3B292302.53CB3461@globalstar.com>
Date: Thu, 14 Jun 2001 13:48:02 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: anindya
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
References: <20010614161245.D56348-100000@phat.bastard.net>

anindya wrote:
>
> Fernando P. Schapachnik provided me the answer in email: simply
> swap the order of the lines in syslog.conf. Apparently syslogd
> does the specific match first, then processes the rules
> top-to-bottom. I knew it had to be something simple ;)

Huh? This sounds like a bug to me. I don't see how order of lines can
(or should) matter within a block. OTOH, the documentation may be lacking
here.
--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

From owner-freebsd-security Thu Jun 14 13:59:22 2001
Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 632D237B403 for ; Thu, 14 Jun 2001 13:59:19 -0700 (PDT) (envelope-from petef@hex.databits.net)
Received: (qmail 45698 invoked by uid 1001); 14 Jun 2001 20:59:15 -0000
Date: Thu, 14 Jun 2001 16:59:15 -0400
From: Pete Fritchman
To: "Timothy S. Bowers"
Cc: freebsd-security@freebsd.org
Subject: Re: DOS attack ?
Message-ID: <20010614165915.C40416@databits.net>
References: <5.0.2.1.2.20010614221434.00aaeec0@nol.co.za>
In-Reply-To: <5.0.2.1.2.20010614221434.00aaeec0@nol.co.za>; from tim@nol.co.za on Thu, Jun 14, 2001 at 10:20:29PM +0200

from xl(4):

     xl%d: no memory for rx list  The driver failed to allocate an mbuf
     for the receiver ring.

You want to increase the "NMBCLUSTERS" kernel config variable. See the
archives for appropriate values/etc. It's not necessarily a DOS attack,
your machine is just getting a lot of traffic.

-pete

++ 14/06/01 22:20 +0200 - Timothy S. Bowers:
| I'm getting this same error message all the time, even after I increased
| the kernel maxusers setting to 512.
| bug in 3com drivers ? dos attack ?
|
| xl1: no memory for rx list -- packet dropped!
|
| Thanks,
| Timothy

--
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security Thu Jun 14 15:09:33 2001
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id A434F37B403 for ; Thu, 14 Jun 2001 15:09:27 -0700 (PDT) (envelope-from fschapachnik@vianetworks.com.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id TAA04709; Thu, 14 Jun 2001 19:09:25 -0300 (ART)
Date: Thu, 14 Jun 2001 19:09:24 -0300
From: "Fernando P. Schapachnik"
To: Crist Clark
Cc: anindya, freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
Message-ID: <20010614190924.A2857@ns1.via-net-works.net.ar>
References: <20010614161245.D56348-100000@phat.bastard.net> <3B292302.53CB3461@globalstar.com>
In-Reply-To: <3B292302.53CB3461@globalstar.com>; from crist.clark@globalstar.com on Thu, Jun 14, 2001 at 01:48:02PM -0700

In an earlier message, Crist Clark wrote:
> anindya wrote:
> >
> > Fernando P. Schapachnik provided me the answer in email: simply
> > swap the order of the lines in syslog.conf.
Apparently syslogd > > matches does specific match first, then processes the rules > > top-to-bottom. I knew it had to be something simple ;) > > Huh? This sounds like a bug to me. I don't see how order of lines can > (or should) matter within a block. OTOH, the documentation may be lacking > here. It is *some how* documented in syslog.conf(5). See the paragraph about comparison flags and the meaning of `*'. Regards. Fernando P. Schapachnik Planificación de red y tecnología VIA NET.WORKS ARGENTINA S.A. fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 15:27:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id BDFB037B407 for ; Thu, 14 Jun 2001 15:27:36 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GEXYDB00.177; Thu, 14 Jun 2001 15:27:11 -0700 Message-ID: <3B293A57.1442E4CD@globalstar.com> Date: Thu, 14 Jun 2001 15:27:35 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: "Fernando P . Schapachnik" Cc: anindya , freebsd-security@FreeBSD.ORG Subject: Re: remote syslog question References: <20010614161245.D56348-100000@phat.bastard.net> <3B292302.53CB3461@globalstar.com> <20010614190924.A2857@ns1.via-net-works.net.ar> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Fernando P . 
Schapachnik" wrote: > > En un mensaje anterior, Crist Clark escribió: > > anindya wrote: > > > > > > Fernando P . Schapachnik provided me the answer in email: simply > > > swap the order of the lines in syslog.conf. Apparently syslogd > > > matches does specific match first, then processes the rules > > > top-to-bottom. I knew it had to be something simple ;) > > > > Huh? This sounds like a bug to me. I don't see how order of lines can > > (or should) matter within a block. OTOH, the documentation may be lacking > > here. > > It is *some how* documented in syslog.conf(5). See the paragraph > about comparison flags and the meaning of `*'. Hmmm. Not that I see. The paragraph on comparison flags, The comparison flags may be used to specify exactly what is logged. The default set of comparison flags are ``=>'' (or, if you prefer, ``>=''), which means that messages from the specified facility list of a priority level equal or greater than level will be logged. Nothing there has to do with lines within a block interacting in any way. Comparison flags just impact the levels logged in a given "selector." As for the meaning of '*', An asterisk (``*'') can be used to specify all facilities all levels or all programs. Nothing about lines interacting. I guess I must not be looking at the same parts or missing something in these? -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. 
If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 15:30:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id EFE0C37B401 for ; Thu, 14 Jun 2001 15:30:12 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 6460 invoked by uid 1001); 14 Jun 2001 22:30:42 -0000 Message-ID: <20010614223042.6459.qmail@d170h113.resnet.uconn.edu> References: <200106140031.f5E0VbA12744@cwsys.cwsent.com> In-Reply-To: <200106140031.f5E0VbA12744@cwsys.cwsent.com> From: "Peter C. Lai" To: Cy Schubert - ITSD Open Systems Group Cc: Jamie Norwood , freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) Date: Thu, 14 Jun 2001 22:30:41 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Cy Schubert - ITSD Open Systems Group writes: > > Applications that use HTTP PUT and POST can be just as interactive and > useful. The reason we don't see any applications like this in > widespread use is that the nail doesn't hurt enough for anyone to do > anything about it yet. Once it does standards will change and > applications will be built. It is discussions like this that cause > people to to think and interact. After enough of these discussions > eventually the light bulb will turn on in someone's head and we will > have a new application based on HTTP or whatever else to replace FTP. 
> > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca > Open Systems Group, ITSD, ISTA > Province of BC > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message I recently completed a project for school where all user interaction was completed via HTTP POST and PUT with event handling generated via ASP or PHP scripts (required features included form handling, ODBC/SQL handling, and file transfer). In fact, one could make a very nice file transfer client out of purely CGI/PHP using HTTP. Installed on a machine with apache, one wouldn't even need ftpd. Encryption would then be achieved by using HTTPS. ----------- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 15:48:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 5B78437B406 for ; Thu, 14 Jun 2001 15:48:40 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id SAA02219; Thu, 14 Jun 2001 18:48:24 -0400 (EDT) (envelope-from str) Date: Thu, 14 Jun 2001 18:48:24 -0400 (EDT) From: Igor Roshchin Message-Id: <200106142248.SAA02219@giganda.komkon.org> To: sirmoo@cowbert.2y.net Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) 
Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20010614223042.6459.qmail@d170h113.resnet.uconn.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > From: "Peter C. Lai" > Date: Thu, 14 Jun 2001 22:30:41 GMT > > Cy Schubert - ITSD Open Systems Group writes: > > > > > Applications that use HTTP PUT and POST can be just as interactive and > > useful. The reason we don't see any applications like this in > > widespread use is that the nail doesn't hurt enough for anyone to do > > anything about it yet. Once it does standards will change and > > applications will be built. It is discussions like this that cause > > people to to think and interact. After enough of these discussions > > eventually the light bulb will turn on in someone's head and we will > > have a new application based on HTTP or whatever else to replace FTP. > > > > I recently completed a project for school where all user interaction was > completed via HTTP POST and PUT with event handling generated via ASP or PHP > scripts (required features included form handling, ODBC/SQL handling, and > file transfer). In fact, one could make a very nice file transfer client out > of purely CGI/PHP using HTTP. Installed on a machine with apache, one > wouldn't even need ftpd. Encryption would then be achieved by using HTTPS. > ----------- In fact, it is possible to do file transfer via telnet, or many other TCP-based protocols (including secure, or secured (e.g. with SSL) ones)... Even X/Y/ZMODEM with a few scripts can be used for that :)... I think, nobody argues that. The question is about simplicity of use, and effectiveness of transfer. Having ZMODEM, a few scripts on top of that, and telnetd, one wouldn't even need to have ftpd, httpd, etc, etc.. :) Well, if my irony is not quite clear, all I mean: script-based (especially, CGI) file transfer is a HACK, not a protocol... 
Regards, Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 19:24:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id A906337B401 for ; Thu, 14 Jun 2001 19:24:15 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 12087 invoked by uid 0); 15 Jun 2001 02:24:14 -0000 Received: from p3ee21631.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.49) by mail.gmx.net (mail04) with SMTP; 15 Jun 2001 02:24:14 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id WAA07541 for freebsd-security@FreeBSD.ORG; Thu, 14 Jun 2001 22:01:04 +0200 Date: Thu, 14 Jun 2001 22:01:04 +0200 From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: remote syslog question Message-ID: <20010614220104.M17514@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20010614123656.K55091-100000@phat.bastard.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20010614123656.K55091-100000@phat.bastard.net>; from anindya@goonda.org on Thu, Jun 14, 2001 at 12:49:32PM -0400 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 14, 2001 at 12:49 -0400, anindya wrote: > > I've been running a very nice 4.3-STABLE system with IPF as my > firewall for some time now, without problems. > > [ ... tee in syslog.conf(5) to local and loghost snipped ... ] > > I don't get ipf logs on my loghost. What change do I need to > make in order to send local0.* to both places? Maybe I'm totally off, but do you get ipf logs at all? 
Is your ipf(4) configured to log, do your rules tell it to log something, is ipmon(8) running, and does it run the messages through syslogd(8)? There's a chance for your setup to write ipf generated logs directly into the filesystem without syslogd seeing them at all. virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 19:24:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id A9F0D37B405 for ; Thu, 14 Jun 2001 19:24:15 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 12096 invoked by uid 0); 15 Jun 2001 02:24:14 -0000 Received: from p3ee21631.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.49) by mail.gmx.net (mail04) with SMTP; 15 Jun 2001 02:24:14 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA07509 for freebsd-security@freebsd.org; Thu, 14 Jun 2001 21:45:42 +0200 Date: Thu, 14 Jun 2001 21:45:42 +0200 From: Gerhard Sittig To: "'freebsd-security@freebsd.org'" Subject: Re: apache security question Message-ID: <20010614214542.K17514@speedy.gsinet> Mail-Followup-To: "'freebsd-security@freebsd.org'" References: <20010614212241.G49807@mail.webmonster.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20010614212241.G49807@mail.webmonster.de>; from karsten@rohrbach.de on Thu, Jun 14, 2001 at 09:22:41PM +0200 Organization: System Defenestrators Inc. 
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote: > > Yonatan Bokovza(Yonatan@xpert.com)@2001.06.14 21:34:09 +0000: > > > > You do have a firewall, right? > > why? for a web-only server? *grin* > the only service that listens is httpd on tcp port 80, for > severe network scanning and synflood handling consult the > blackhole(4) man page. Consulting the "man 4 blackhole" output was exactly what I did lately when the TCP_RESTRICT_RST setting became obsolete. Your statement made me curious, because I remembered the WARNING section: ----- man 4 blackhole -------------------------------------------- [ ... ] WARNING The TCP and UDP blackhole features should not be regarded as a replacement for ipfw(8) as a tool for firewalling your system. In order to create a highly secure system, you should use ipfw(8) to protect your system, and not the blackhole feature. This mechanism is not a substitute for securing your system, but should be used together with other security mechanisms. [ ... ] ----- man 4 blackhole -------------------------------------------- virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
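The two checklists Gerhard gives in this thread (the ipf -> ipmon -> syslogd chain in his "do you get ipf logs at all?" reply, and the blackhole(4) WARNING quoted just above) as a script, added here as an example; it is not code from the thread and not part of FreeBSD. It runs against copies of a host's config files rather than the live kernel, so it works anywhere sh and grep exist. It assumes the FreeBSD 4.x rc.conf(5) knob names firewall_enable, ipfilter_enable, ipmon_enable and ipmon_flags, that ipmon(8) logs to the local0 facility unless told otherwise, and that a `log` keyword in a rule is what makes ipf log; the function names and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: two of Gerhard's
# checks run against copies of a FreeBSD 4.x host's config files.
#  1. ipf logging chain: a rule must carry "log", ipmon(8) must be enabled
#     and started with -s (hand messages to syslogd(8)), and syslog.conf(5)
#     must route local0, ipmon's default facility, somewhere.
#  2. blackhole(4) WARNING: net.inet.{tcp,udp}.blackhole is not a firewall,
#     so a host that sets it without ipfw or ipfilter enabled is flagged.
# Knob names follow rc.conf(5)/sysctl.conf(5); sample files are constructed.

# value_of KEY FILE: value of the last uncommented KEY=VALUE line, quotes stripped.
value_of() {
    sed -n "s/^[[:space:]]*$1=\(.*\)$/\1/p" "$2" | tail -n 1 | tr -d '"'
}

# ipf_logging_ok RULES RC_CONF SYSLOG_CONF: 0 when every link of the chain
# ipf -> ipmon -s -> syslogd -> destination is present; otherwise prints the
# first missing link and returns 1.
ipf_logging_ok() {
    if ! grep -Eq '^[^#]*[[:space:]]log([[:space:]]|$)' "$1"; then
        echo "no rule carries the log keyword: ipf logs nothing"; return 1
    fi
    if [ "$(value_of ipmon_enable "$2")" != "YES" ]; then
        echo "ipmon_enable is not YES: nothing reads the ipf log device"; return 1
    fi
    if ! value_of ipmon_flags "$2" | grep -q -- '-[A-Za-z]*s'; then
        echo "ipmon_flags lacks -s: ipmon writes a file, syslogd never sees it"; return 1
    fi
    if ! grep -Eq '^[^#]*local0\.' "$3"; then
        echo "syslog.conf has no local0 selector: ipmon's facility is not routed"; return 1
    fi
    return 0
}

# blackhole_status SYSCTL_CONF: prints "tcp=N udp=N" (unset reads as 0).
# tcp: 1 drops SYNs to closed ports without a RST, 2 drops every segment;
# udp: 1 drops datagrams to closed ports without an ICMP port unreachable.
blackhole_status() {
    tcp=$(value_of net.inet.tcp.blackhole "$1")
    udp=$(value_of net.inet.udp.blackhole "$1")
    echo "tcp=${tcp:-0} udp=${udp:-0}"
}

# firewall_enabled RC_CONF: 0 when ipfw or ipfilter is switched on.
firewall_enabled() {
    [ "$(value_of firewall_enable "$1")" = "YES" ] ||
    [ "$(value_of ipfilter_enable "$1")" = "YES" ]
}

# audit_blackhole SYSCTL_CONF RC_CONF: 0 blackhole on plus a packet filter,
# 1 blackhole on with no packet filter (what the man page warns against),
# 2 blackhole off.
audit_blackhole() {
    status=$(blackhole_status "$1")
    if [ "$status" = "tcp=0 udp=0" ]; then
        echo "blackhole off ($status)"; return 2
    fi
    if firewall_enabled "$2"; then
        echo "blackhole on and a packet filter is enabled ($status)"; return 0
    fi
    echo "blackhole on but neither ipfw nor ipfilter is enabled ($status)"; return 1
}

# Constructed sample configs in a scratch directory (not from any real host).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sysctl.conf" <<'EOF'
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
EOF
cat > "$SAMPLES/rc.conf.nofw" <<'EOF'
ifconfig_xl0="inet 192.0.2.10 netmask 255.255.255.0"
apache_enable="YES"
EOF
cat > "$SAMPLES/rc.conf.ipf" <<'EOF'
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
EOF
cat > "$SAMPLES/ipf.rules" <<'EOF'
pass out quick on xl0 proto tcp from any to any keep state
pass in quick on xl0 proto tcp from any to 192.0.2.10 port = 80 keep state
block in log quick on xl0 from any to any
EOF
cat > "$SAMPLES/syslog.conf" <<'EOF'
local0.*    /var/log/ipf.log
local0.*    @loghost
EOF

for rc in rc.conf.nofw rc.conf.ipf; do
    audit_blackhole "$SAMPLES/sysctl.conf" "$SAMPLES/$rc" || :   # non-zero status is the finding
    ipf_logging_ok "$SAMPLES/ipf.rules" "$SAMPLES/$rc" "$SAMPLES/syslog.conf" && echo "ipf logging chain complete"
done
```

Against the first sample rc.conf (web server only, nothing enabled) the script reports blackhole set with no packet filter behind it, which is the combination the WARNING section is about, and stops the ipf check at ipmon_enable. Against the second it passes both. Note that the syslog.conf test only looks for an explicit local0 selector; a catch-all `*.*` line would also carry ipmon's messages and would need the pattern widened.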
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 20:15:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 2E20E37B403 for ; Thu, 14 Jun 2001 20:15:43 -0700 (PDT) (envelope-from fschapachnik@vianetworks.com.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id AAA98589; Fri, 15 Jun 2001 00:15:54 -0300 (ART) X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f Date: Fri, 15 Jun 2001 00:15:54 -0300 From: "Fernando P . Schapachnik" To: Crist Clark Cc: anindya , freebsd-security@FreeBSD.ORG Subject: Re: remote syslog question Message-ID: <20010615001554.A95644@ns1.via-net-works.net.ar> References: <20010614161245.D56348-100000@phat.bastard.net> <3B292302.53CB3461@globalstar.com> <20010614190924.A2857@ns1.via-net-works.net.ar> <3B293A57.1442E4CD@globalstar.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5i In-Reply-To: <3B293A57.1442E4CD@globalstar.com>; from crist.clark@globalstar.com on Thu, Jun 14, 2001 at 03:27:35PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org En un mensaje anterior, Crist Clark escribió: > Hmmm. Not that I see. The paragraph on comparison flags, [...] Sorry, you are right. I quick read the man page and thought it was there. Now I can't find it, but I saw it somewhere (on a mailing list maybe?). I can't test it right now, but seem to recall that Sun's syslog behaves the same (or maybe I've been using FreeBSD's for quite a long time now). Regards. Fernando P. 
Schapachnik Planificación de red y tecnología VIA NET.WORKS ARGENTINA S.A. fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 22:12:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from silby.com (cb34181-a.mdsn1.wi.home.com [24.14.173.39]) by hub.freebsd.org (Postfix) with ESMTP id ED76A37B405 for ; Thu, 14 Jun 2001 22:12:49 -0700 (PDT) (envelope-from silby@silby.com) Received: (qmail 23787 invoked by uid 1000); 15 Jun 2001 05:12:48 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 15 Jun 2001 05:12:48 -0000 Date: Fri, 15 Jun 2001 00:12:48 -0500 (CDT) From: Mike Silbersack To: Gerhard Sittig Cc: "'freebsd-security@freebsd.org'" Subject: Re: apache security question In-Reply-To: <20010614214542.K17514@speedy.gsinet> Message-ID: <20010615000706.M23752-100000@achilles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 14 Jun 2001, Gerhard Sittig wrote: > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote: > > why? for a web-only server? *grin* > > the only service that listens is httpd on tcp port 80, for > > severe network scanning and synflood handling consult the > > blackhole(4) man page. > > Consulting the "man 4 blackhole" output was exactly what I did > lately when the TCP_RESTRICT_RST setting became obsolete. Your > statement made me curious, because I remembered the WARNING > section: In actuality, using TCP_RESTICT_RST, blackhole, or ipfw isn't really going to help you weather an attack any better than doing nothing; the built-in ratelimiting features handle this already. 
restrict_rst and blackhole can, at best, frustrate people probing your network, but little more. ipfw could protect other hosts if we're talking about a router, but can't help a FreeBSD box it's running on much.* So... don't worry about it. (Or filter upstream if you are being attacked and are forced to worry about it.) Mike "Silby" Silbersack * Some attack tools have recognizeable signatures, you could block those with ipfw. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 23:36:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.home.nl (mail1.home.nl [213.51.129.225]) by hub.freebsd.org (Postfix) with ESMTP id 97A8137B403 for ; Thu, 14 Jun 2001 23:36:42 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail1.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010615063641.ULJS22865.mail1.home.nl@windows>; Fri, 15 Jun 2001 08:36:41 +0200 Message-ID: <04c901c0f565$a8588750$0900a8c0@windows> From: "Marcel Dijk" To: "Crist Clark" , "Peter Pentchev" Cc: "Igor Roshchin" , References: <046b01c0f4e8$a32a9200$0900a8c0@windows> <200106141559.LAA90429@giganda.komkon.org> <20010614194556.A729@ringworld.oblivion.bg> <3B28EBA0.42917E22@globalstar.com> Subject: Re: IPFW almost works now -> stateful rules Date: Fri, 15 Jun 2001 08:37:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > On Thu, Jun 14, 2001 at 11:59:28AM -0400, Igor Roshchin wrote: > > > > > > > > > If those rules are all rules you have, > > > and I didn't miss 
any line, > > > no ftp would be allowed to go through, since > > > there is no rule for the port 21. > > > Aren't you mixing something ? ftp is at port 21. > > > Port 22 is ssh. > > > (Check /etc/services) > > > > > > However, I am puzzled, how do you manage to establish the initial connect > > > at all. > > > > This has been discussed before: his FTP server is listening on a high port. > > But his tcpdump(8) output indicates the 'ftp' port is being used... > I hope he didn't edit /etc/services (yee-uck). Yes I did, I commented the original line out and typed in a new one with my own port. Marcel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 14 23:52:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail1.rdc2.bc.home.com (mail1.rdc2.bc.home.com [24.2.10.84]) by hub.freebsd.org (Postfix) with ESMTP id B876137B401 for ; Thu, 14 Jun 2001 23:52:28 -0700 (PDT) (envelope-from dk@a3.ca) Received: from crackbaby ([24.77.119.42]) by mail1.rdc2.bc.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010615065228.MEDI5976.mail1.rdc2.bc.home.com@crackbaby> for ; Thu, 14 Jun 2001 23:52:28 -0700 Message-ID: <005901c0f568$d43dd5c0$2a774d18@vc.shawcable.net> From: "peter" To: Subject: Date: Fri, 15 Jun 2001 00:00:15 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0056_01C0F52E.27BD6C00" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
auth d8898a56 subscribe freebsd-security dk@a3.ca
------=_NextPart_000_0056_01C0F52E.27BD6C00-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 15 3:52:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id D7B5237B411 for ; Fri, 15 Jun 2001 03:52:32 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 76952 invoked by uid 1000); 15 Jun 2001 10:52:53 -0000 Date: Fri, 15 Jun 2001 12:52:53 +0200 From: "Karsten W. Rohrbach" To: Mike Silbersack Cc: Gerhard Sittig , "'freebsd-security@freebsd.org'" Subject: Re: apache security question Message-ID: <20010615125253.B75938@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Mike Silbersack , Gerhard Sittig , "'freebsd-security@freebsd.org'" References: <20010614214542.K17514@speedy.gsinet> <20010615000706.M23752-100000@achilles.silby.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="p4qYPpj5QlsIQJ0K" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010615000706.M23752-100000@achilles.silby.com>; from silby@silby.com on Fri, Jun 15, 2001 at 12:12:48AM -0500 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --p4qYPpj5QlsIQJ0K Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Mike Silbersack(silby@silby.com)@2001.06.15 00:12:48 +0000: >=20 > On Thu, 14 Jun 2001, Gerhard Sittig wrote: >=20 > > On Thu, Jun 14, 2001 at 21:22 +0200, Karsten W. Rohrbach wrote: > > > why? for a web-only server? 
*grin* > > > the only service that listens is httpd on tcp port 80, for > > > severe network scanning and synflood handling consult the > > > blackhole(4) man page. > > > > Consulting the "man 4 blackhole" output was exactly what I did > > lately when the TCP_RESTRICT_RST setting became obsolete. Your > > statement made me curious, because I remembered the WARNING > > section: > > In actuality, using TCP_RESTRICT_RST, blackhole, or ipfw isn't really going > to help you weather an attack any better than doing nothing; the built-in > ratelimiting features handle this already. ratelimiting turned out to be too relaxed for several servers i got in the field. was this changed from 4.2 to 4.3? > > restrict_rst and blackhole can, at best, frustrate people probing your > network, but little more. ipfw could protect other hosts if we're talking > about a router, but can't help a FreeBSD box it's running on much.* i did not want to say that blackhole(4) is a replacement for ipf(4). since the b0rkedness of the rule parser, ipfw(4) is not an option anymore for me. try matching multiple destination ports in one rule :-/ > > So... don't worry about it. (Or filter upstream if you are being attacked > and are forced to worry about it.) that's exactly what i wrote in the original mail, would it not have been removed. > * Some attack tools have recognizable signatures, you could block those > with ipfw. 
oh, yes, and snort or similar things on a gateway in front of it to see new ones ;-) /k -- > KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7KekFM0BPTilkv0YRAmdkAJ9u05TbH4gLt8HImWexOVRe9Sn8owCfSmDQ JuYX+QFt4L+46FIRML3NTu8= =z60e -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 15 5:38:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail2.home.nl (mail2.home.nl [213.51.129.226]) by hub.freebsd.org (Postfix) with ESMTP id C8C7A37B406 for ; Fri, 15 Jun 2001 05:38:06 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from windows ([213.51.193.168]) by mail2.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20010615133744.PVSF6179.mail2.home.nl@windows>; Fri, 15 Jun 2001 14:37:44 +0100 Message-ID: <05b201c0f598$25819fa0$0900a8c0@windows> From: "Marcel Dijk" To: "Crist Clark" , "Evren Yurtesen" , "Antoine Beaupre (LMC)" , "Thomas T. 
Veldhouse" , "Jason DiCioccio" , References: <3B2698EF.BD7EF0DB@globalstar.com> <02a201c0f415$4dad56b0$0900a8c0@windows> <3B27D344.82AEDED0@globalstar.com> <03da01c0f454$313b3d50$0900a8c0@windows> <3B27EAB5.3FE48A6C@globalstar.com> <046b01c0f4e8$a32a9200$0900a8c0@windows> <3B28F35D.F9B0BA04@globalstar.com> <3B28F5EE.509B1261@globalstar.com> Subject: Re: IPFW almost works now -> stateful rules Date: Fri, 15 Jun 2001 14:38:56 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Here is what I would do, > > # Pass loopback traffic > add 100 allow ip from any to any via lo0 > # Protect loopback address > add 200 deny ip from 127.0.0.0/8 to any > add 300 deny ip from any to 127.0.0.0/8 > # Block spoofs > add 400 deny ip from MY_IP to any in via ed0 > # Check dynamic rules > add 400 check-state > # Make dynamic entries for all outgoing traffic > add 500 allow tcp from MY_IP to any keep-state out via ed0 > add 600 allow udp from MY_IP to any keep-state out via ed0 > # Services we offer to the world > add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0 > # Just pass ICMP > add 700 allow icmp from MY_IP to any out via ed0 > # Allow ping replies and requests, and various error messages > add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12 > # Pass everything on private LAN (do we have another interface? > # Otherwise, these rules are dangerous) > add 1000 allow ip from 192.168.0.0/16 to any > add 1100 allow ip from any to 192.168.0.0/16 > # Log the rejects that have fallen through > add 65000 deny log ip from any to any > -- > > Crist J. 
Clark Network Security Engineer > > crist.clark@globalstar.com Globalstar, L.P. > > (408) 933-4387 FAX: (408) 933-4926 I have entered these lines in my rc.firewall.rules. I now can ping/www/etc. ON the firewall, but the machines BEHIND the firewall (on the local LAN) can't access the internet anymore. I am puzzled about what to do now. Marcel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 15 7:47:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C3E1137B406 for ; Fri, 15 Jun 2001 07:47:29 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA07718 for ; Fri, 15 Jun 2001 07:47:29 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda07716; Fri Jun 15 07:47:25 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f5FElKR00674 for ; Fri, 15 Jun 2001 07:47:20 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdpkB666; Fri Jun 15 07:46:51 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f5FEjP900945 for ; Fri, 15 Jun 2001 07:45:25 -0700 (PDT) Message-Id: <200106151445.f5FEjP900945@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdLJX930; Fri Jun 15 07:45:12 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert Cc: freebsd-security@FreeBSD.ORG Subject: Re: tripwire In-reply-to: Your message of "Wed, 13 Jun 2001 10:14:16 CDT." 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 15 Jun 2001 07:45:12 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message , "Stephen Hilton " writes: > Dear Mr. Schubert > > Regarding your post about the tripwire port, I think this is a good idea > in that some feedback could be obtained regarding the policy file setup. > > I have been using aide 0.7 on my systems and was interested if the "list" > thinks this is a "solid" enough solution for integrity checking? I am aware > that aide is a memory hog, but the systems I administer are used primarily > during business hours, so aide can be run at night without user performance > impact. > > Thanks for all your FreeBSD and IPFilter support, > > Sincerely, > > Stephen Hilton > nospam@hiltonbsd.com > Thank you for your kind words. Sorry for the late reply. I've fallen behind on reading my security & FreeBSD mailing lists mailbox, over 400 emails. Just not enough time in the day any more. :( I've used both Tripwire and Aide, and I maintain the FreeBSD tripwire-131 and aide ports. My preference so far has been Tripwire because of its interactive option. Other than that and taking into account some what I might consider relatively minor differences when viewed at from the 35,000 ft. level, the two packages are quite similar in function. Version 1 of Tripwire, especially 1.2, does not manage its memory all that well either. The folks at Tripwiresecurity have told me that version 2 greatly improves its memory management allowing one to monitor greater numbers of files. I've hit the wall, so to speak, with number of files monitored by Tripwire-1.3.1. The Tripwire-2.3.1 port, once complete, should resolve that issue for me. 
Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 15 8:48:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp2.sentex.ca (smtp2.sentex.ca [199.212.134.9]) by hub.freebsd.org (Postfix) with ESMTP id 709AA37B406 for ; Fri, 15 Jun 2001 08:48:20 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simoeon.sentex.net (simeon.sentex.ca [209.112.4.47]) by smtp2.sentex.ca (8.11.1/8.11.1) with ESMTP id f5FFmFN12357 for ; Fri, 15 Jun 2001 11:48:16 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010615114159.03626180@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 15 Jun 2001 11:42:41 -0400 To: security@freebsd.org From: Mike Tancsa Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Does anyone know either way if FreeBSD is or is not vulnerable ? ---Mike >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >List-Id: >List-Post: >List-Help: >List-Unsubscribe: >List-Subscribe: >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Date: Thu, 14 Jun 2001 23:38:03 -0700 >From: Jason R Thorpe >To: Przemyslaw Frasunek >Cc: Georgi Guninski , > Bugtraq >Subject: Re: OpenBSD 2.9,2.8 local root compromise >Reply-To: thorpej@zembu.com >Mail-Followup-To: Jason R Thorpe , > Przemyslaw Frasunek , > Georgi Guninski , > Bugtraq >User-Agent: Mutt/1.2.5i >Organization: Zembu Labs, Inc. 
>
>On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
>
> > On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > > OpenBSD 2.9,2.8
> > > Have not tested on other OSes but they may be vulnerable
> >
> > FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> > privileges before allowing detach.
>
>Uh, the fundamental problem is that there's a chance to PT_ATTACH to
>such a process before the P_SUGID bit is set in the proc. This can
>happen when, e.g. the ucred structure is copied (there is a potentially
>blocking malloc() call in that path).
>
>A cursory glance shows several places where the FreeBSD kernel has
>code like:
>
>	/* sanity check */
>	/* blocking call */
>	/* change user/group ID */
>	/* set P_SUGID */
>
>During the /* blocking call */, another process can sneak in and PT_ATTACH
>the process that is about to become sugid.
>
>--
>        -- Jason R. Thorpe

From owner-freebsd-security Fri Jun 15 9:49:44 2001
From: "Crist Clark"
Organization: Globalstar LP
Date: Fri, 15 Jun 2001 09:49:31 -0700
To: Marcel Dijk
Cc: Evren Yurtesen, "Antoine Beaupre (LMC)", "Thomas T.
Veldhouse", Jason DiCioccio, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW almost works now -> stateful rules

Marcel Dijk wrote:
>
> > Here is what I would do,
> >
> > # Pass loopback traffic
> > add 100 allow ip from any to any via lo0
> > # Protect loopback address
> > add 200 deny ip from 127.0.0.0/8 to any
> > add 300 deny ip from any to 127.0.0.0/8
> > # Block spoofs
> > add 400 deny ip from MY_IP to any in via ed0
> > # Check dynamic rules
> > add 400 check-state
> > # Make dynamic entries for all outgoing traffic
> > add 500 allow tcp from MY_IP to any keep-state out via ed0
> > add 600 allow udp from MY_IP to any keep-state out via ed0
> > # Services we offer to the world
> > add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
> > # Just pass ICMP
> > add 700 allow icmp from MY_IP to any out via ed0
> > # Allow ping replies and requests, and various error messages
> > add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
> > # Pass everything on private LAN (do we have another interface?
> > # Otherwise, these rules are dangerous)
> > add 1000 allow ip from 192.168.0.0/16 to any
> > add 1100 allow ip from any to 192.168.0.0/16
> > # Log the rejects that have fallen through
> > add 65000 deny log ip from any to any
> > --
> > Crist J. Clark                           Network Security Engineer
> > crist.clark@globalstar.com               Globalstar, L.P.
> > (408) 933-4387                           FAX: (408) 933-4926
>
> I have entered these lines in my rc.firewall.rules. I now can ping/www/etc.
> ON the firewall, but the machines BEHIND the firewall (on the local LAN)
> can't access the internet anymore.
>
> I am puzzled about what to do now.

Sorry. I should have mentioned I wrote those off the top of my head. I didn't pull them from a working firewall, and I did not test them.

Of course, if you used the exact rules above, your NAT problem is probably very simple... I didn't put in a divert(4) rule. ;) I'd slip in,

  add divert natd ip from any to any via ed0

between the two '400' rules above (which I also misnumbered in my haste).

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926
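The two slips in the ruleset above (the missing divert natd rule and rule number 400 used twice), plus the per-rule port-list limit DES describes later in this thread, as a small ruleset linter. This is an added example, not code from the thread or from FreeBSD; it assumes the "add N action [log] proto from SRC [ports] to DST [ports] ..." shape used in the posted rules, the sample rulesets are constructed (the first is the one posted above), and the fix rule numbers 420/450 are this example's choice.

```python
# Lint an ipfw(8) ruleset for: a rule number used twice, keep-state with no
# check-state ahead of it, NAT with no "divert natd" rule (or one placed after
# check-state), and port lists the old parser rejects (>6 items, range not first).
import re
from dataclasses import dataclass, field

PORT_LIST = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")   # e.g. 22,5617,10000
MAX_PORT_ITEMS = 6   # per endpoint per rule; a range counts as one item


@dataclass
class Rule:
    number: int
    action: str                     # allow, deny, divert, check-state, ...
    divert_port: str = ""           # "natd" for a "divert natd" rule
    keep_state: bool = False
    port_lists: list = field(default_factory=list)   # [("src"|"dst", items)]


def _ports_after(tokens, idx):
    """Port-list items following the address at tokens[idx], if any."""
    if idx + 1 < len(tokens) and PORT_LIST.match(tokens[idx + 1]):
        return tokens[idx + 1].split(",")
    return []


def parse_rule(line):
    """Parse 'add N action [log] proto from SRC [ports] to DST [ports] ...'."""
    tok = line.split()
    if tok and tok[0] == "ipfw":
        tok = tok[1:]
    if len(tok) < 3 or tok[0] != "add":
        raise ValueError(f"not an 'add' rule: {line!r}")
    rule, rest = Rule(number=int(tok[1]), action=tok[2]), tok[3:]
    if rule.action == "divert":          # "divert natd ip from ..."
        rule.divert_port, rest = rest[0], rest[1:]
    rule.keep_state = "keep-state" in rest
    if "from" in rest and "to" in rest:
        rule.port_lists.append(("src", _ports_after(rest, rest.index("from") + 1)))
        rule.port_lists.append(("dst", _ports_after(rest, rest.index("to") + 1)))
    return rule


def lint(ruleset, nat_via=None):
    """Findings for a ruleset ([] is clean); nat_via is the natd interface or None."""
    rules = [parse_rule(ln) for ln in ruleset.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    findings, seen = [], {}
    for r in rules:
        if r.number in seen:   # ipfw orders by number; duplicates are ambiguous
            findings.append(f"rule {r.number}: number already used by a '{seen[r.number].action}' rule")
        seen.setdefault(r.number, r)
        for where, items in r.port_lists:
            if len(items) > MAX_PORT_ITEMS:
                findings.append(f"rule {r.number}: {where} port list has {len(items)} items (max {MAX_PORT_ITEMS})")
            for item in items[1:]:
                if "-" in item:
                    findings.append(f"rule {r.number}: range {item} must be first in the {where} port list")
    check = [r.number for r in rules if r.action == "check-state"]
    keep = [r.number for r in rules if r.keep_state]
    if keep and not check:
        findings.append("keep-state rules present but no check-state rule")
    elif keep and min(check) >= min(keep):
        findings.append(f"check-state ({min(check)}) must precede keep-state rule {min(keep)}")
    if nat_via:
        divert = [r.number for r in rules if r.action == "divert" and r.divert_port == "natd"]
        if not divert:
            findings.append(f"no 'divert natd' rule: traffic via {nat_via} is never translated")
        elif check and min(divert) >= min(check):
            findings.append(f"divert natd ({min(divert)}) should come before check-state ({min(check)})")
    return findings


# Constructed sample: the ruleset posted in this thread, as posted.
POSTED = """\
add 100 allow ip from any to any via lo0
add 200 deny ip from 127.0.0.0/8 to any
add 300 deny ip from any to 127.0.0.0/8
add 400 deny ip from MY_IP to any in via ed0
add 400 check-state
add 500 allow tcp from MY_IP to any keep-state out via ed0
add 600 allow udp from MY_IP to any keep-state out via ed0
add 650 allow log tcp from any to MY_IP 22,5617,10000 keep-state in via ed0
add 700 allow icmp from MY_IP to any out via ed0
add 800 allow icmp from any to MY_IP in via ed0 icmptypes 0,3,8,11,12
add 1000 allow ip from 192.168.0.0/16 to any
add 1100 allow ip from any to 192.168.0.0/16
add 65000 deny log ip from any to any
"""
# The suggested fix: divert between the anti-spoof rule and check-state
# (numbers 420 and 450 are this example's choice, not from the thread).
FIXED = POSTED.replace("add 400 check-state",
                       "add 420 divert natd ip from any to any via ed0\n"
                       "add 450 check-state")
# Constructed port lists: a range that is not first, and seven items.
BAD_PORTS = """\
add 1000 check-state
add 1900 allow tcp from any to me 113,80,22 keep-state in recv xl0 setup
add 2000 allow tcp from any to me 80,1000-2000 in recv xl0 setup
add 2100 allow tcp from any to me 21,22,25,53,80,110,143 in recv xl0 setup
"""
```

Running lint(POSTED, nat_via="ed0") reports the duplicate 400 and the missing divert; lint(FIXED, nat_via="ed0") is clean.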
From owner-freebsd-security Fri Jun 15 10: 4:49 2001
From: rich@rdrose.org
Date: Fri, 15 Jun 2001 18:04:44 +0100 (BST)
To: freebsd-security@freebsd.org
Subject: FW: OpenBSD 2.9,2.8 local root compromise (fwd)

Someone asked about 4.3 being susceptible to this attack....

---------- Forwarded message ----------
Date: Fri, 15 Jun 2001 08:41:13 -0500
From: Will Senn
To: OpenBSDTech
Subject: FW: OpenBSD 2.9,2.8 local root compromise

-----Original Message-----
From: Przemyslaw Frasunek [mailto:venglin@freebsd.lublin.pl]
Sent: Thursday, June 14, 2001 12:10 PM
To: Georgi Guninski
Cc: Bugtraq
Subject: Re: OpenBSD 2.9,2.8 local root compromise

On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> OpenBSD 2.9,2.8
> Have not tested on other OSes but they may be vulnerable

FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
privileges before allowing detach.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Fri Jun 15 10:12:32 2001
From: Peter Pentchev
Date: Fri, 15 Jun 2001 20:10:58 +0300
To: rich@rdrose.org
Cc: freebsd-security@freebsd.org
Subject: Re: FW: OpenBSD 2.9,2.8 local root compromise (fwd)

That 'someone' quoted this same message, and a follow-up, explaining why
someone else actually thinks 4.3 *might* be vulnerable.

G'luck,
Peter

--
If the meanings of 'true' and 'false' were switched, then this sentence
wouldn't be false.

On Fri, Jun 15, 2001 at 06:04:44PM +0100, rich@rdrose.org wrote:
> Someone asked about 4.3 being susceptible to this attack....
>
> ---------- Forwarded message ----------
> Date: Fri, 15 Jun 2001 08:41:13 -0500
> From: Will Senn
> To: OpenBSDTech
> Subject: FW: OpenBSD 2.9,2.8 local root compromise
>
> -----Original Message-----
> From: Przemyslaw Frasunek [mailto:venglin@freebsd.lublin.pl]
> Sent: Thursday, June 14, 2001 12:10 PM
> To: Georgi Guninski
> Cc: Bugtraq
> Subject: Re: OpenBSD 2.9,2.8 local root compromise
>
> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Fri Jun 15 10:14: 1 2001
From: Szilveszter Adam
Date: Fri, 15 Jun 2001 19:13:43 +0200
To: freebsd-security@freebsd.org
Subject: Fwd: Re: OpenBSD 2.9,2.8 local root compromise
Hello,

I do not think this should go without some investigation. The fact that the exploit code does not work as posted proves nothing. I am confident, however, that the Security Officer Team is already doing its job.

----- Forwarded message from Jason R Thorpe -----

Date: Thu, 14 Jun 2001 23:38:03 -0700
From: Jason R Thorpe
To: Przemyslaw Frasunek
Cc: Georgi Guninski, Bugtraq
Subject: Re: OpenBSD 2.9,2.8 local root compromise
Organization: Zembu Labs, Inc.

On Thu, Jun 14, 2001 at 07:09:31PM +0200, Przemyslaw Frasunek wrote:
> On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
> FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
> privileges before allowing detach.

Uh, the fundamental problem is that there's a chance to PT_ATTACH to
such a process before the P_SUGID bit is set in the proc. This can
happen when, e.g. the ucred structure is copied (there is a potentially
blocking malloc() call in that path).

A cursory glance shows several places where the FreeBSD kernel has
code like:

	/* sanity check */
	/* blocking call */
	/* change user/group ID */
	/* set P_SUGID */

During the /* blocking call */, another process can sneak in and PT_ATTACH
the process that is about to become sugid.

--
        -- Jason R.
Thorpe

----- End forwarded message -----

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Fri Jun 15 10:14: 8 2001
From: Mike Tancsa
Date: Fri, 15 Jun 2001 13:08:09 -0400
To: rich@rdrose.org, freebsd-security@FreeBSD.ORG
Subject: Re: FW: OpenBSD 2.9,2.8 local root compromise (fwd)

At 06:04 PM 6/15/01 +0100, rich@rdrose.org wrote:
>Someone asked about 4.3 being susceptible to this attack....

A followup to the message you quote below seems to imply this is not the case and FreeBSD might be vulnerable. Hence the request for clarification. See the message from Jason R Thorpe which I posted in my original question to this list.
---Mike

>---------- Forwarded message ----------
>Date: Fri, 15 Jun 2001 08:41:13 -0500
>From: Will Senn
>To: OpenBSDTech
>Subject: FW: OpenBSD 2.9,2.8 local root compromise
>
>-----Original Message-----
>From: Przemyslaw Frasunek [mailto:venglin@freebsd.lublin.pl]
>Sent: Thursday, June 14, 2001 12:10 PM
>To: Georgi Guninski
>Cc: Bugtraq
>Subject: Re: OpenBSD 2.9,2.8 local root compromise
>
>On Thu, Jun 14, 2001 at 05:14:46PM +0300, Georgi Guninski wrote:
> > OpenBSD 2.9,2.8
> > Have not tested on other OSes but they may be vulnerable
>
>FreeBSD 4.3-STABLE isn't vulnerable. Looks like it's dropping set[ug]id
>privileges before allowing detach.
>
>--
>* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
>* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

From owner-freebsd-security Fri Jun 15 10:51:12 2001
From: Ian Smith
Date: Sat, 16 Jun 2001 03:50:43 +1000 (EST)
To: "Karsten W.
Rohrbach"
Cc: Yonatan Bokovza, freebsd-security@FreeBSD.ORG
Subject: Re: apache security question

On Thu, 14 Jun 2001, Karsten W. Rohrbach wrote:

> > > > > It appears to me like they somehow executed the 'head'
> > > > > command... how would
> > > > > one do this, and how could you stop it?
>
> HTTP HEAD gives you the headers of the corresponding GET operation.
> different from GET, where you will also get the object data, HEAD
> transmits only the headers like with GET but no (file) object data.

And so, HEAD requests are not any more harmful nor dangerous than GET
requests, which one is presumably happy to permit to a web server :-)

Cheers, Ian

From owner-freebsd-security Fri Jun 15 11:53:37 2001
From: Mike Silbersack
Date: Fri, 15 Jun 2001 13:53:25 -0500 (CDT)
To: "Karsten W.
Rohrbach"
Cc: Gerhard Sittig, "'freebsd-security@freebsd.org'"
Subject: Re: apache security question

On Fri, 15 Jun 2001, Karsten W. Rohrbach wrote:

> ratelimiting turned out to be too relaxed for several servers i got in
> the field. was this changed from 4.2 to 4.3?

It changed a bit; contact me via private e-mail with info on what it wasn't
able to handle and we'll see if we can enhance it.

> i did not want to say that blackhole(4) is a replacement for ipf(4).
> since the b0rkedness of the rule parser, ipfw(4) is not an option
> anymore for me. try matching multiple destination ports in one rule :-/
>
> > So... don't worry about it. (Or filter upstream if you are being attacked
> > and are forced to worry about it.)
>
> that's exactly what i wrote in the original mail, would it not have been
> removed.

Oops, guess I got too cut happy. Sorry.

> > * Some attack tools have recognizable signatures, you could block those
> > with ipfw.
>
> oh, yes, and snort or similar things on a gateway in front of it to see
> new ones ;-)

I should really check out that program one of these days. I must be one of
the few to not yet use it.
:)

Mike "Silby" Silbersack

From owner-freebsd-security Fri Jun 15 11:54:33 2001
From: George.Giles@mcmail.vanderbilt.edu
Date: Fri, 15 Jun 2001 13:54:32 -0500
To: freebsd-security@freebsd.org
Subject: Controlling imap access

Is there a way using pam to have a user authenticate for imap access, but be unable to login?
George

From owner-freebsd-security Fri Jun 15 12:45:55 2001
From: Peter Pentchev
Date: Fri, 15 Jun 2001 22:44:29 +0300
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: Controlling imap access

On Fri, Jun 15, 2001 at 01:54:32PM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> Is there a way using pam to have a user authenticate for imap access, but be
> unable to login?

There should be, if your IMAP server checks for a different PAM service
than 'login'. The PAM service name is the first field in /etc/pam.conf
method descriptions. It would be sensible for the IMAP server to look
for a, say, 'imap' service :)

G'luck,
Peter

--
I am jealous of the first word in this sentence.
From owner-freebsd-security Fri Jun 15 13: 4:30 2001
From: Dag-Erling Smorgrav
Date: 15 Jun 2001 22:04:20 +0200
To: "Karsten W. Rohrbach"
Cc: Mike Silbersack, Gerhard Sittig, "'freebsd-security@freebsd.org'"
Subject: Re: apache security question

"Karsten W. Rohrbach" writes:
> i did not want to say that blackhole(4) is a replacement for ipf(4).
> since the b0rkedness of the rule parser, ipfw(4) is not an option
> anymore for me.
> try matching multiple destination ports in one rule :-/

Sure, it works just fine:

01700 allow tcp from 10.0.0.0/24 to me 21,22,5999 keep-state in recv xl0 setup
01800 allow tcp from 10.0.0.0/24 to me 49152-65535 keep-state in recv xl0 setup
01900 allow tcp from any to me 113,80,22 keep-state in recv xl0 setup

You're limited to six items (a range is a single item) per endpoint per
rule, and only the first item can be a range (due to a misfeature in the
parser), but it works fine.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jun 15 15:24:33 2001
From: listS+freebsd-security@niss.com
Date: Fri, 15 Jun 2001 17:24:28 -0500
To: freebsd-security@freebsd.org
Subject: Host's df/mount information exposed inside jail. Why?

Kudos to Poul-Henning Kamp, Robert Watson, and company for jails. I just made the time to create my first one and it was much easier than I expected. (More disk intensive than I expected too, but that's another story.)

My question is about df and mount. I was surprised to find both commands revealed information from the host environment.
In checking the mail archives I see this is not a local problem, so I assume it is deliberate. Does anyone know why this choice was made? Also, is there any way to disable it?

Thanks,
Scott

From owner-freebsd-security Fri Jun 15 16:17:24 2001
From: George.Giles@mcmail.vanderbilt.edu
Date: Fri, 15 Jun 2001 18:16:42 -0500
To: freebsd-security@freebsd.org
Subject: ftp using ssl

Is there a package that implements this?
George

From owner-freebsd-security Fri Jun 15 16:43:52 2001
From: Craig Cowen
Date: Fri, 15 Jun 2001 16:48:16 -0700
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftp using ssl

sftp, it is a part of ssh
www.openssh.com

George.Giles@mcmail.vanderbilt.edu wrote:
> Is there a package that implements this?
>
> George

From owner-freebsd-security Fri Jun 15 17:38:42 2001
From: Dima Dorfman
Date: Fri, 15 Jun 2001 17:38:37 -0700
To: Brad Huntting
Cc: freebsd-gnats-submit@FreeBSD.org, security@freebsd.org
Subject: Re: misc/28188: Cron is being started to early in /etc/rc (potential security hole)

Brad Huntting writes:
> >Description:
> Cron allows users to run jobs at boot time by specifying "@reboot".
> While this is a very useful feature, it is also a potential security
> hole if these jobs are started before the kern.securelevel level is
> raised.

This is a general problem; cron just makes it easy to take advantage of. The problem is that the securelevel is raised as late as possible; it is the last thing to happen in /etc/rc in -stable, and second to last in -current (background fsck's are started after it). The real solution[1] is to move the setting of securelevel up, above the starting of most of the non-essential daemons (e.g., sshd, cron, et al).
Anyone from -security care to comment on the feasibility of this? Any reason why it isn't already done like this? OpenBSD sets it quite early, FWIW.

Thanks,

Dima Dorfman
dima@unixfreak.org

[1] Actually, the real solution is to axe the entire concept of securelevel. Of course, this won't be done until a suitable replacement is available (e.g., MAC).

From owner-freebsd-security Fri Jun 15 19:46:22 2001
From: "Ilya"
Date: Fri, 15 Jun 2001 22:47:05 -0400
Subject: Re: Controlling imap access

take a look at pam_mysql - works perfect for me in exim/cyrus/mysql setup

----- Original Message -----
Sent: Friday, June 15, 2001 2:54 PM
Subject: Controlling imap access

> Is there a way using pam to have a user authenticate for imap access, but be
> unable to login?
>
> George

From owner-freebsd-security Sat Jun 16 0:15:18 2001
From: Cy Schubert - ITSD Open Systems Group
To: "default013 - subscriptions"
Cc: freebsd-security@FreeBSD.ORG, jedgar@fxp.org
Subject: Re: trouble with glob patch (ftp exploit)
In-reply-to: Your message of "Wed, 13 Jun 2001 14:14:18 CDT."
Date: Sat, 16 Jun 2001 00:12:56 -0700

In message , "default013 - subscriptions" writes:
> Hi, thanks for the tip, but I attempted the new instructions and got this
> error...
> It seemed like it went a bit farther but...
>
> [/usr/src/lib/libc]# make all install
> Warning: Object directory not changed from original /usr/src/lib/libc
> cc -pg -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_Mo
> cc: Internal compiler error: program cc1 got fatal signal 11
> *** Error code 1
>
> Stop in /usr/src/lib/libc.
> [/usr/src/lib/libc]# cd /usr/src/libexec/ftpd
> [/usr/src/libexec/ftpd]# make all install
> Warning: Object directory not changed from original /usr/src/libexec/ftpd
> cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -I/usr/src/libexec/ftpd/../../contrib-cc
> cc: Internal compiler error: program cc1 got fatal signal 11
> *** Error code 1
>
> Stop in /usr/src/libexec/ftpd.

Looks like some kind of hardware problem; memory, CPU, MB.  Also make sure
that your case is being sufficiently cooled and that the CPU fan is not
plugged with dust.
Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Sat Jun 16 8:53:39 2001
From: "Nick A. Leuta"
Subject: Re: ftp using ssl
Date: Sat, 16 Jun 2001 19:50:52 +0400
Message-ID: <029701c0f67c$38eeb700$131fa8c0@skynick>

> Is there a package that implements this ?
> George

SSLftp, ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/
(it is a location of SSLtelnet from ports too :-) )

-- 
SkyNick

From owner-freebsd-security Sat Jun 16 11:53:24 2001
From: "Crist Clark"
Organization: Globalstar LP
To: anindya
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: remote syslog question
Date: Sat, 16 Jun 2001 11:53:05 -0700
Message-ID: <3B2BAB11.99A0E52C@globalstar.com>
References: <20010614161245.D56348-100000@phat.bastard.net>

anindya wrote:
> 
> Fernando P. Schapachnik provided me the answer in email: simply
> swap the order of the lines in syslog.conf. Apparently syslogd
> matches most specific match first, then processes the rules
> top-to-bottom. I knew it had to be something simple ;)
> 
> BTW, local0 is the default facility that ipfilter uses,
> which is why I am using it in my examples.

I have been trying to reproduce this problem on a FreeBSD-STABLE box, but
have been unable to. Whether I put,

  local0.*        /var/log/local0.log
  *.*             /var/log/all.log

Or,

  *.*             /var/log/all.log
  local0.*        /var/log/local0.log

In syslog.conf, I get the same results.

-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

From owner-freebsd-security Sat Jun 16 14:34:41 2001
From: "Crist Clark"
Organization: Globalstar LP
To: Dima Dorfman
Cc: Brad Huntting, freebsd-gnats-submit@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: misc/28188: Cron is being started to early in /etc/rc (potential security hole)
Date: Sat, 16 Jun 2001 14:34:13 -0700
Message-ID: <3B2BD0D5.1DBC1B38@globalstar.com>
References: <20010616003838.0564A3E28@bazooka.unixfreak.org>

Dima Dorfman wrote:
> 
> Brad Huntting writes:
> > >Description:
> > Cron allows users to run jobs at boot time by specifying "@reboot".
> > While this is a very useful feature, it is also a potential security
> > hole if these jobs are started before the kern.securelevel level is
> > raised.
> 
> This is a general problem; cron just makes it easy to take advantage
> of.  The problem is that the securelevel is raised as late as
> possible; it is the last thing to happen in /etc/rc in -stable, and
> second to last in -current (background fsck's are started after it).
> The real solution[1] is to move the setting of securelevel up, above
> the starting of most of the non-essential daemons (e.g., sshd, cron,
> et al).  Anyone from -security care to comment on the feasibility of
> this?  Any reason why it isn't already done like this?  OpenBSD sets
> it quite early, FWIW.

Can't comment on the history of it too much, but my guess is that the
usual assumption is that all of the steps in the startup process are
trusted (the rc-scripts), so there is no need to kick up the securelevel
until the end.

I am familiar with the way OpenBSD does it. You have to watch that you
start "non-essential" daemons like NTP before you notch up the securelevel
and other little things. But you are right of course, the most secure way
to go is raise securelevel as early as possible in the boot sequence
(although off of the top of my head, I can't think of anything besides
cron(8) that would run non-"trusted" code).

I will have a look at the -STABLE scripts to see what we can do in the 4.x
branch. As for -CURRENT, it would be a good idea for the people working on
importing the new NetBSD rc-scripts to keep this in mind... Of course,
maybe (hope, hope) the NetBSD people already handled this intelligently?
(I'll try to peek at that too if I can bear to update my -CURRENT source
over a dial-up.)

-- 
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

From owner-freebsd-security Sat Jun 16 16: 6:43 2001
From: Brad Huntting
To: "Crist Clark"
Cc: Dima Dorfman, Brad Huntting, freebsd-gnats-submit@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: misc/28188: Cron is being started to early in /etc/rc (potential security hole)
In-Reply-To: Your message of "Sat, 16 Jun 2001 14:34:13 PDT." <3B2BD0D5.1DBC1B38@globalstar.com>
Date: Sat, 16 Jun 2001 17:06:33 -0600
Message-Id: <200106162306.f5GN6Xx45201@hunkular.glarp.com>

> But you are right of course, the most secure way to go is raise
> securelevel as early as possible in the boot sequence (although
> off of the top of my head, I can't think of anything besides cron(8)
> that would run non-"trusted" code).[...]

Sendmail (runs programs specified in .forward files), inetd (ftp,
telnet, etc) sshd (user shells), httpd (cgi-bin's).... Cron's @reboot is
just the easiest one to exploit.

brad
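The ordering problem argued over in the misc/28188 thread above can be checked mechanically rather than by reading /etc/rc by eye. The script below is an added example, not code from the thread or from FreeBSD: it takes an rc-style script and a crontab directory as arguments (on a 4.x box the assumed real inputs would be /etc/rc and /var/cron/tabs), reports whether kern.securelevel is raised before a named daemon is started, and lists the @reboot jobs that would run before that point. It generalizes Brad's follow-up by letting you name any daemon (sshd, sendmail, inetd, ...) instead of only cron; the rc excerpt and crontabs it runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example for the misc/28188 discussion; not code from the thread or
# from FreeBSD.  Two audit helpers:
#   rc_securelevel_before FILE DAEMON  - does FILE raise kern.securelevel
#                                        before it starts DAEMON?
#   cron_reboot_jobs DIR               - which crontabs under DIR carry
#                                        @reboot jobs?
# Paths are arguments so the checks run offline on constructed input; on a
# real 4.x box the assumed inputs would be /etc/rc and /var/cron/tabs.

# Prints one of:
#   ok      - securelevel is raised before DAEMON starts
#   late    - DAEMON starts first (the situation the PR describes)
#   absent  - the script never raises securelevel
#   nostart - DAEMON is never started by the script
rc_securelevel_before() {
    file=$1; daemon=$2
    # line number of the first non-comment line assigning kern.securelevel
    sec=$(grep -n 'kern\.securelevel=' "$file" \
          | grep -Ev '^[0-9]+:[[:space:]]*#' | head -n 1 | cut -d: -f1)
    # line number of the first non-comment line invoking DAEMON as a command
    # (word boundary emulated by hand, so "cron" does not match "crontab")
    start=$(grep -En "(^|[;&|/[:space:]])${daemon}([[:space:]]|;|&|\$)" "$file" \
            | grep -Ev '^[0-9]+:[[:space:]]*#' | head -n 1 | cut -d: -f1)
    if [ -z "$start" ]; then echo nostart; return 0; fi
    if [ -z "$sec" ]; then echo absent; return 0; fi
    if [ "$sec" -lt "$start" ]; then echo ok; else echo late; fi
}

# Prints "user: command" for every @reboot job found under DIR
# (comment lines and ordinary time-spec entries are ignored).
cron_reboot_jobs() {
    for tab in "$1"/*; do
        [ -f "$tab" ] || continue
        user=$(basename "$tab")
        grep -E '^[[:space:]]*@reboot[[:space:]]' "$tab" \
          | sed -E "s/^[[:space:]]*@reboot[[:space:]]+/$user: /"
    done
}

# ---- demo on constructed input: an rc excerpt in the 4.x order described
# in the thread (daemons first, securelevel last) and two crontabs ----
demo=$(mktemp -d)
cat > "$demo/rc" <<'EOF'
# constructed excerpt written in the style of /etc/rc; not the real file
echo -n ' sendmail'; /usr/sbin/sendmail -bd -q30m
echo -n ' sshd'; /usr/sbin/sshd
echo -n ' cron'; cron
echo -n ' inetd'; inetd
if [ "${kern_securelevel_enable}" = "YES" ]; then
    sysctl -w kern.securelevel=$kern_securelevel
fi
EOF
mkdir "$demo/tabs"
printf '# constructed crontab\n@reboot /home/alice/bin/sync-stuff\n0 3 * * * /usr/bin/true\n' \
    > "$demo/tabs/alice"
printf '0 * * * * /usr/bin/true\n' > "$demo/tabs/bob"

for d in cron sshd sendmail inetd ntpd; do
    echo "$d: $(rc_securelevel_before "$demo/rc" "$d")"   # late for all but ntpd (nostart)
done
echo "@reboot jobs:"
cron_reboot_jobs "$demo/tabs"                               # alice: /home/alice/bin/sync-stuff
rm -r "$demo"
```

Running the two helpers against the real files at boot (or from a periodic job) gives a concrete answer to Crist's "what would run non-trusted code" question for a given machine: every daemon reported as "late" is one whose user-controlled hooks (.forward files, CGI scripts, login shells, @reboot entries) execute while securelevel is still at its initial value.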