From: Scott Mitchell <scott@dcs.qmw.ac.uk>
To: freebsd-security@FreeBSD.ORG
Subject: Re: PPP.3000.exposure
Date: Fri, 31 Jul 1998 10:21:28 +0100
Message-ID: <19980731102128.A4466@dcs.qmw.ac.uk>
References: <19980731000439.4580B7036A@spike.porcupine.org>
In-Reply-To: ; from Daniel O'Callaghan on Fri, Jul 31, 1998 at 11:29:22AM +1000

On Fri, Jul 31, 1998 at 11:29:22AM +1000, Daniel O'Callaghan wrote:
>
> On Thu, 30 Jul 1998, Wietse Venema wrote:
>
> > efb@cotdazr.org:
> > >
> > > Had a random sweep and the question came up .. what and why does my
> > > port 3000 show to the world outside for .. can I block it .. should I
> > > sweat it .. the F.Bsd_205 box is the router as well as main server ..
> > >
> > > Can I Wrap the 3000 at least so as not to kill iijppp and reduce my
> > > exposure and how ???
> >
> > This is one feature of the ppp daemon that I didn't like at all.
> > To block, you'd need a kernel-based packet filter; or hack the
> > source and rip out the
>
> Brian will correct me if I am wrong, but I believe that for quite a while
> now ppp has not bound to 3000 if there is no password set for the machine.
> Not perfect protection, of course, but something.
>
> It is not too hard to enable ipfw, either in-kernel or as lkm. Just flick
> the switch in /etc/rc.conf (firewall="YES") and add the appropriate ipfw
> rules.
>
> Danny

If you can live with logging in to the machine in order to tweak PPP, you
can have it bind to a UNIX domain socket instead. With appropriate
permissions on the socket you can restrict access (to people in your
'dialer' group perhaps) without having to set a PPP password. Works for
me.

        Scott.

--
===========================================================================
Scott Mitchell          | PGP Key ID |"If I can't have my coffee, I'm just
                        | 0x54B171B9 | like a dried up piece of roast goat"
QMW College, London, UK | 0xAA775B8B |             -- J. S. Bach.
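As an added illustration of the exposure check this thread is about (not code from the list or from FreeBSD), the following Python audits a sockstat-style listener listing for a ppp control port bound to every interface, and checks whether a UNIX domain control socket's mode leaves it open to users outside the owning group. The sample listing and the path /var/run/ppp.sock are constructed for the example.

```python
import os
import stat

# Constructed sample in the shape of FreeBSD `sockstat -l` output; not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ppp        212    5 tcp4   *:3000                *:*
root     sshd       180    3 tcp4   *:22                  *:*
root     ppp        213    5 stream /var/run/ppp.sock
"""

PPP_CONTROL_PORT = 3000  # the TCP port user-ppp's control server listens on


def parse_sockstat(text):
    """Return (user, command, proto, local_address) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        rows.append((parts[0], parts[1], parts[4], parts[5]))
    return rows


def exposed_ppp_tcp_listeners(text):
    """Local addresses where ppp listens on its control port on all interfaces ('*')."""
    return [local for _, cmd, proto, local in parse_sockstat(text)
            if cmd == "ppp" and proto.startswith("tcp")
            and local.startswith("*:")
            and local.endswith(":%d" % PPP_CONTROL_PORT)]


def socket_mode_too_open(mode):
    """True if the mode bits let 'others' read or write the control socket."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_control_socket(path):
    """Return True when path is a UNIX socket whose permissions are wider than owner+group."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a socket" % path)
    return socket_mode_too_open(st.st_mode)


if __name__ == "__main__":
    for addr in exposed_ppp_tcp_listeners(SAMPLE_SOCKSTAT):
        print("ppp control port exposed on", addr)
```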