From owner-freebsd-security@FreeBSD.ORG Sat Nov 11 20:33:02 2006
From: Alexander Leidinger
To: "R. B. Riddick"
Cc: freebsd-security@freebsd.org, "Julian H. Stacey"
Date: Sat, 11 Nov 2006 21:32:55 +0100
Message-ID: <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
In-Reply-To: <216597.35069.qm@web30315.mail.mud.yahoo.com>
References: <216597.35069.qm@web30315.mail.mud.yahoo.com>
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3) / FreeBSD-7.0
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

Quoting "R. B. Riddick" (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):

> --- "Julian H. Stacey" wrote:
>> I tried adding
>>         ${fwcmd} add pass tcp from any to any established
>> from src/etc/rc.firewall case - simple. Which solved it.
>> But I was scared, not understanding what the established bit did, &
>> how easily an attacker might fake something, etc.
>> I found adding these tighter rules instead worked for me
>>         ${fwcmd} tcp from any http to me established in via tun0
>>         ${fwcmd} tcp from me to any http established out via tun0
>> Should I still be worrying about established ?
>>
> Hmm... I personally use "check-states" and "keep-state", so that it is not
> enough to fake the "established" flags, but the attacker had to know
> the ports, the IPs, control over routing in pub inet(?) and some little
> secrets in the TCP headers (I don't know exactly how it works):
> add check-state
> add pass icmp from any to any keep-state out xmit tun0
> add pass tcp from any to any setup keep-state out xmit tun0
> add pass udp from any to any domain keep-state out xmit tun0

These are the stats of the first 7 rules on my DSL line after one day:
00100  6423992 376898110 allow ip from any to any via lo0
00200        0         0 deny ip from any to 127.0.0.0/8
00300        0         0 deny ip from 127.0.0.0/8 to any
20000        0         0 check-state
30000    10013   1047483 deny tcp from any to any established
30100      226     45640 deny ip from any to any not verrevpath in
30200        7       280 deny tcp from any to any tcpoptions !mss setup

Another nice rule (stats after one day):
30800  3149862 117471324 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

Bye,
Alexander.
--
Committees have become so important nowadays that subcommittees have
to be appointed to do the work.

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Sun Nov 12 17:19:48 2006
From: Michal Mertl
To: Alexander Leidinger
Cc: freebsd-security@freebsd.org, "Julian H. Stacey", "R. B. Riddick"
Date: Sun, 12 Nov 2006 18:19:03 +0100
Message-Id: <1163351944.7859.8.camel@genius.i.cz>
In-Reply-To: <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
References: <216597.35069.qm@web30315.mail.mud.yahoo.com> <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net>
X-Mailer: Evolution 2.8.1.1 FreeBSD GNOME Team Port
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

Alexander Leidinger wrote on Sat, 11 Nov 2006 at 21:32 +0100:
> Quoting "R. B. Riddick" (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):
>
> > --- "Julian H. Stacey" wrote:
> >> I tried adding
> >>         ${fwcmd} add pass tcp from any to any established
> >> from src/etc/rc.firewall case - simple. Which solved it.
> >> But I was scared, not understanding what the established bit did, &
> >> how easily an attacker might fake something, etc.
> >> I found adding these tighter rules instead worked for me
> >>         ${fwcmd} tcp from any http to me established in via tun0
> >>         ${fwcmd} tcp from me to any http established out via tun0
> >> Should I still be worrying about established ?
> >>
> > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > enough to fake the "established" flags, but the attacker had to know
> > the ports, the IPs, control over routing in pub inet(?) and some little
> > secrets in the TCP headers (I don't know exactly how it works):
> > add check-state
> > add pass icmp from any to any keep-state out xmit tun0
> > add pass tcp from any to any setup keep-state out xmit tun0
> > add pass udp from any to any domain keep-state out xmit tun0
>
> These are the stats of the first 7 rules on my DSL line after one day:
> 00100  6423992 376898110 allow ip from any to any via lo0
> 00200        0         0 deny ip from any to 127.0.0.0/8
> 00300        0         0 deny ip from 127.0.0.0/8 to any
> 20000        0         0 check-state
> 30000    10013   1047483 deny tcp from any to any established
> 30100      226     45640 deny ip from any to any not verrevpath in
> 30200        7       280 deny tcp from any to any tcpoptions !mss setup
>
> Another nice rule (stats after one day):
> 30800  3149862 117471324 deny ip from any to
> 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0

I am using something similar (with table instead of list filled from
http://www.cymru.com/Documents/bogon-bn-agg.txt ).

Your numbers seem to be extremely high to me - I have it on a router with
thousands of public IPs behind it and see nowhere near as many hits.

Michal

This is pretty unbelievable to me as I have similar (and more encompassing)
rule on a router serving thousands of

> Bye,
> Alexander.
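What the two replies above argue, reduced to a runnable model. This is an added example, not code from the list posts or from FreeBSD's ipfw. It models only what the discussion turns on: the `established` keyword matches any TCP segment with the ACK or RST bit set, with no memory of which connections exist, whereas a dynamic rule created by `setup keep-state` on an outbound SYN matches only segments whose addresses and ports belong to a flow this host opened, so a forged inbound ACK aimed at a listening port passes the first and is dropped by the second (which is also what Alexander's `deny tcp from any to any established` placed after `check-state` achieves). Sequence-number checks, timeouts and the SYN/FIN state machine of real dynamic rules are left out, and the addresses are assumed values from the RFC 5737 documentation ranges, not taken from the thread.

```python
"""Simulated ipfw matching: 'established' versus check-state/keep-state.

Added example for this thread, not code from the posts or from FreeBSD.
"""
from dataclasses import dataclass

ME = "203.0.113.10"          # assumed address of the DSL host behind tun0
WEB = "198.51.100.5"         # assumed web server the host connects to
ATTACKER = "192.0.2.77"      # assumed source of a forged inbound segment


@dataclass(frozen=True)
class Segment:
    direction: str           # "in" (arriving on tun0) or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset         # subset of {"SYN", "ACK", "RST", "FIN"}


def is_established(seg: Segment) -> bool:
    """ipfw 'established': RST or ACK bit set. Purely a flag check, no state."""
    return bool(seg.flags & {"ACK", "RST"})


def is_setup(seg: Segment) -> bool:
    """ipfw 'setup': SYN set and ACK clear, the first segment of a connection."""
    return "SYN" in seg.flags and "ACK" not in seg.flags


class EstablishedPolicy:
    """rc.firewall 'simple' style: pass tcp from any to any established, deny other inbound."""

    def filter(self, seg: Segment) -> str:
        if seg.direction == "out":
            return "allow"
        return "allow" if is_established(seg) else "deny"


class StatefulPolicy:
    """check-state / pass tcp from any to any setup keep-state out / deny everything else."""

    def __init__(self) -> None:
        # dynamic rules keyed (my addr, my port, peer addr, peer port)
        self.dynamic = set()

    @staticmethod
    def _key(seg: Segment):
        # Orient the 4-tuple from this host's point of view so both directions match one entry.
        if seg.direction == "out":
            return (seg.src, seg.sport, seg.dst, seg.dport)
        return (seg.dst, seg.dport, seg.src, seg.sport)

    def filter(self, seg: Segment) -> str:
        if self._key(seg) in self.dynamic:               # check-state
            return "allow"
        if seg.direction == "out" and is_setup(seg):     # setup keep-state out xmit tun0
            self.dynamic.add(self._key(seg))
            return "allow"
        return "deny"


def run_scenario() -> dict:
    """Push the same constructed segments through both policies and collect the verdicts."""
    legit_syn = Segment("out", ME, 51234, WEB, 80, frozenset({"SYN"}))
    legit_synack = Segment("in", WEB, 80, ME, 51234, frozenset({"SYN", "ACK"}))
    forged_ack = Segment("in", ATTACKER, 4444, ME, 22, frozenset({"ACK"}))   # ACK set, no flow
    cold_syn = Segment("in", ATTACKER, 4445, ME, 22, frozenset({"SYN"}))     # plain connect attempt

    results = {}
    for name, policy in (("established", EstablishedPolicy()), ("stateful", StatefulPolicy())):
        results[name] = {
            "legit_syn": policy.filter(legit_syn),
            "legit_synack": policy.filter(legit_synack),
            "forged_ack": policy.filter(forged_ack),
            "cold_syn": policy.filter(cold_syn),
        }
    return results


if __name__ == "__main__":
    for policy_name, verdicts in run_scenario().items():
        print(policy_name, verdicts)
```

The only difference between the two outcomes is the forged ACK: the flag-only policy lets it reach port 22 on the host (the host's own TCP then answers with a RST, which is what an attacker scanning through an `established` rule is looking for), while the stateful policy drops it because no dynamic rule covers that source, port pair. Both policies still block a plain inbound SYN.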
From owner-freebsd-security@FreeBSD.ORG Sun Nov 12 17:34:04 2006
From: Alexander Leidinger
To: Michal Mertl
Cc: freebsd-security@freebsd.org, "Julian H. Stacey", "R. B. Riddick"
Date: Sun, 12 Nov 2006 18:33:51 +0100
Message-ID: <20061112183351.099c3c10@Magellan.Leidinger.net>
In-Reply-To: <1163351944.7859.8.camel@genius.i.cz>
References: <216597.35069.qm@web30315.mail.mud.yahoo.com> <20061111213255.94jv54t544g4w8g4@webmail.leidinger.net> <1163351944.7859.8.camel@genius.i.cz>
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.10.6; i386-portbld-freebsd7.0)
Subject: Re: src/etc/rc.firewall simple ${fw_pass} tcp from any to any established

Quoting Michal Mertl (Sun, 12 Nov 2006 18:19:03 +0100):

> Alexander Leidinger wrote on Sat, 11 Nov 2006 at 21:32 +0100:
> > Quoting "R. B. Riddick" (from Sat, 11 Nov 2006 11:00:49 -0800 (PST)):
> >
> > > --- "Julian H. Stacey" wrote:
> > >> I tried adding
> > >>         ${fwcmd} add pass tcp from any to any established
> > >> from src/etc/rc.firewall case - simple. Which solved it.
> > >> But I was scared, not understanding what the established bit did, &
> > >> how easily an attacker might fake something, etc.
> > >> I found adding these tighter rules instead worked for me
> > >>         ${fwcmd} tcp from any http to me established in via tun0
> > >>         ${fwcmd} tcp from me to any http established out via tun0
> > >> Should I still be worrying about established ?
> > >>
> > > Hmm... I personally use "check-states" and "keep-state", so that it is not
> > > enough to fake the "established" flags, but the attacker had to know
> > > the ports, the IPs, control over routing in pub inet(?) and some little
> > > secrets in the TCP headers (I don't know exactly how it works):
> > > add check-state
> > > add pass icmp from any to any keep-state out xmit tun0
> > > add pass tcp from any to any setup keep-state out xmit tun0
> > > add pass udp from any to any domain keep-state out xmit tun0
> >
> > These are the stats of the first 7 rules on my DSL line after one day:
> > 00100  6423992 376898110 allow ip from any to any via lo0
> > 00200        0         0 deny ip from any to 127.0.0.0/8
> > 00300        0         0 deny ip from 127.0.0.0/8 to any
> > 20000        0         0 check-state
> > 30000    10013   1047483 deny tcp from any to any established
> > 30100      226     45640 deny ip from any to any not verrevpath in
> > 30200        7       280 deny tcp from any to any tcpoptions !mss setup
> >
> > Another nice rule (stats after one day):
> > 30800  3149862 117471324 deny ip from any to
> > 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
>
> I am using something similar (with table instead of list filled from
> http://www.cymru.com/Documents/bogon-bn-agg.txt ).
>
> Your numbers seem to be extremely high to me - I have it on a router with
> thousands of public IPs behind it and see nowhere near as many hits.

This is a 4.11-stable system.

# uptime
 6:22PM  up 1 day, 22:44, 1 user, load averages: 0.01, 0.05, 0.06
# ipfw -a show
00100 11653484 696947498 allow ip from any to any via lo0
00200        0         0 deny ip from any to 127.0.0.0/8
00300        0         0 deny ip from 127.0.0.0/8 to any
20000        0         0 check-state
30000    17150   1428089 deny tcp from any to any established
30100      235     48648 deny ip from any to any not verrevpath in
30200       16       640 deny tcp from any to any tcpoptions !mss setup
30300        0         0 deny ip from XXX
30400        0         0 allow ip from XXX
30500      275     48395 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via wi0
30600        0         0 deny ip from 192.168.1.0/24,192.168.2.0/24 to any in via tun0
30700        0         0 deny ip from any to 10.0.0.0/8,172.16.0.0/12 via tun0
30800  5713020 213062040 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
30900        0         0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via wi0
31000        0         0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via wi0
31100        0         0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via tun0
31200        0         0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via tun0

Maybe dial-up/DSL lines are more interesting to hack for the botnet owners
than whatever you have behind this router.

Bye,
Alexander.
--
Adelai: A package is just a box until it's delivered.

http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
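The comparison the last two messages are making (which deny rule absorbs how much of the traffic, and whether a bogon list kept inline in a rule should become a table as Michal does) is easy to automate from `ipfw -a show` output. The block below is an added example, not code from the posts or from FreeBSD: it parses the listing Alexander posted (copied verbatim into `SAMPLE`, including his two redacted `XXX` rules), ranks the deny rules by packet count, reports what share of all denied packets one rule accounts for, finds which deny rules cover a given destination address, and turns a rule's inline prefix list into `ipfw table N add` commands. It relies only on the first three columns of `ipfw -a show` being rule number, packet count and byte count; interface qualifiers such as `via tun0` are ignored when matching an address, and nothing is downloaded from the Cymru URL.

```python
"""Summarise 'ipfw -a show' counters and inspect bogon deny rules.

Added example for this thread, not code from the posts or from FreeBSD.
SAMPLE is the listing posted to the list; everything else is assumed.
"""
import ipaddress
import re
from typing import List, NamedTuple

SAMPLE = """\
00100 11653484 696947498 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
20000 0 0 check-state
30000 17150 1428089 deny tcp from any to any established
30100 235 48648 deny ip from any to any not verrevpath in
30200 16 640 deny tcp from any to any tcpoptions !mss setup
30300 0 0 deny ip from XXX
30400 0 0 allow ip from XXX
30500 275 48395 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via wi0
30600 0 0 deny ip from 192.168.1.0/24,192.168.2.0/24 to any in via tun0
30700 0 0 deny ip from any to 10.0.0.0/8,172.16.0.0/12 via tun0
30800 5713020 213062040 deny ip from any to 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 via tun0
30900 0 0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via wi0
31000 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via wi0
31100 0 0 deny ip from 10.0.0.0/8,172.16.0.0/12 to any via tun0
31200 0 0 deny ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any via tun0
"""


class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    action: str      # allow, deny, check-state, ...
    body: str        # the rest of the rule text


_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*?)\s*$")
# The destination of a rule, but only when it is an explicit prefix list ('to any' does not match).
_TO_LIST = re.compile(r"\bto\s+([0-9][0-9./,]*)")


def parse_show(text: str) -> List[Rule]:
    """Parse 'ipfw -a show' lines; anything that is not a counter line is skipped."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def top_denies(rules: List[Rule], n: int = 3) -> list:
    """Deny rules that actually fired, highest packet count first."""
    fired = sorted((r for r in rules if r.action == "deny" and r.packets > 0),
                   key=lambda r: r.packets, reverse=True)
    return [(r.number, r.packets) for r in fired[:n]]


def deny_share(rules: List[Rule], number: int) -> float:
    """Fraction of all denied packets that one rule accounts for."""
    total = sum(r.packets for r in rules if r.action == "deny")
    hit = next(r.packets for r in rules if r.number == number)
    return hit / total if total else 0.0


def dst_prefixes(rule: Rule) -> list:
    """The inline prefix list in a rule's 'to' clause, if it has one."""
    m = _TO_LIST.search(rule.body)
    return [ipaddress.ip_network(p) for p in m[1].split(",")] if m else []


def rules_denying_dst(rules: List[Rule], addr: str) -> List[int]:
    """Numbers of deny rules whose destination list covers addr, in ruleset order."""
    ip = ipaddress.ip_address(addr)
    return [r.number for r in rules
            if r.action == "deny" and any(ip in net for net in dst_prefixes(r))]


def to_table_commands(rule: Rule, table: int) -> List[str]:
    """Rewrite a rule's inline destination list as 'ipfw table N add' commands."""
    return [f"ipfw table {table} add {net}" for net in dst_prefixes(rule)]


if __name__ == "__main__":
    rules = parse_show(SAMPLE)
    print("top deny rules:", top_denies(rules))
    print("share of denies taken by 30800: %.4f" % deny_share(rules, 30800))
    print("rules covering 224.0.0.1:", rules_denying_dst(rules, "224.0.0.1"))
    for cmd in to_table_commands(next(r for r in rules if r.number == 30800), 1):
        print(cmd)
```

On the posted listing rule 30800 accounts for more than 99% of all denied packets and rule 30000 (`deny tcp from any to any established`) is a distant second, which is the shape Michal found surprising for a single DSL line. Once the prefixes live in a table, the five deny rules that repeat the same list collapse to `deny ip from any to table(1) via tun0` and friends, and refreshing the table from the bogon feed no longer means editing rules.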