Message-ID: <5e49673f0510251032w38312bb7kb082b15d97d00082@mail.gmail.com>
Date: Tue, 25 Oct 2005 13:32:37 -0400
From: John Fitzgerald
To: freebsd-security@FreeBSD.org
Subject: ipf stopped working on 5.3

I've had ipf working on a few 5.3 servers for quite awhile. Not too long ago some developers had to do some coding work and were coming from dynamic IPs. I (reluctantly) opened up SSH to the world. Immediately I started seeing the attacks where bots of some sort would try to break in with a variety of different users. So, I (thought) I closed it up again and told the developers to use a dedicated proxy. They did, but I realized that I hadn't actually closed things off. I was still getting attacked. I had tried, but ipf suddenly wasn't working. Whenever I would change the firewall rules and ipf -D and then ipf -E -f /etc/my.rules it would simply return:

    1:ioctl(add/insert rule): No such process

I didn't have the time to look into it at the time, but am now trying to figure it out. Ipf is obviously not working and I don't know why. I have tried recompiling the kernel a myriad of different ways. With/without ipfw, with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?

I have googled this quite a bit and the only thing that I found was possibly a buildworld scenario where something got updated and it doesn't work now. I didn't install src so I'm a bit out of luck on that one.

FreeBSD 5.3-RELEASE
OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004

Cheers,
JJ