From: Arne "Wörner"
To: John Fitzgerald, freebsd-security@FreeBSD.org
Date: Tue, 25 Oct 2005 13:27:34 -0700 (PDT)
Subject: Re: ipf stopped working on 5.3

I think you should try to implement a pf-based and/or an ipfw-based firewall (both work quite well for me) immediately, so that your system is not so much endangered... This is just a workaround...

-Arne

--- John Fitzgerald wrote:

> I've had ipf working on a few 5.3 servers for quite a while. Not too long ago
> some developers had to do some coding work and were coming from dynamic
> IPs. I (reluctantly) opened up SSH to the world. Immediately I started
> seeing the attacks where bots of some sort would try to break in with a
> variety of different users.
>
> So, I (thought) I closed it up again and told the developers to use a
> dedicated proxy. They did, but I realized that I hadn't actually closed
> things off. I was still getting attacked. I had tried, but ipf suddenly
> wasn't working. Whenever I would change the firewall rules and ipf -D and
> then ipf -E -f /etc/my.rules it would simply return:
>
> 1:ioctl(add/insert rule): No such process
>
> I didn't have the time to look into it at the time, but am now trying to
> figure it out. Ipf is obviously not working and I don't know why. I have
> tried recompiling the kernel a myriad of different ways. With/without ipfw,
> with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
>
> I have googled this quite a bit and the only thing that I found was possibly
> a buildworld scenario where something got updated and it doesn't work now. I
> didn't install src so I'm a bit out of luck on that one.
>
> FreeBSD 5.3-RELEASE
> OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
>
> Cheers,
> JJ