From owner-freebsd-security@FreeBSD.ORG Tue Aug 23 16:54:41 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4E36F16A41F; Tue, 23 Aug 2005 16:54:41 +0000 (GMT) (envelope-from Alexander@Leidinger.net)
Received: from www.ebusiness-leidinger.de (jojo.ms-net.de [84.16.236.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B12443D48; Tue, 23 Aug 2005 16:54:39 +0000 (GMT) (envelope-from Alexander@Leidinger.net)
Received: from Andro-Beta.Leidinger.net (p54A5D60A.dip.t-dialin.net [84.165.214.10]) (authenticated bits=0) by www.ebusiness-leidinger.de (8.13.1/8.13.1) with ESMTP id j7NGl874049369; Tue, 23 Aug 2005 18:47:20 +0200 (CEST) (envelope-from Alexander@Leidinger.net)
Received: from localhost (localhost [127.0.0.1]) by Andro-Beta.Leidinger.net (8.13.3/8.13.3) with ESMTP id j7NGri8q077121; Tue, 23 Aug 2005 18:53:44 +0200 (CEST) (envelope-from Alexander@Leidinger.net)
Received: from 141.113.101.31 ([141.113.101.31]) by netchild.homeip.net (Horde MIME library) with HTTP; Tue, 23 Aug 2005 18:53:44 +0200
Message-ID: <20050823185344.8wuabf44ys0cgw44@netchild.homeip.net>
X-Priority: 3 (Normal)
Date: Tue, 23 Aug 2005 18:53:44 +0200
From: Alexander Leidinger
To: Stephen Major
References: <430b138a.7c0e796e.1155.547a@mx.gmail.com>
In-Reply-To: <430b138a.7c0e796e.1155.547a@mx.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3) / FreeBSD-4.11
X-Virus-Scanned: by amavisd-new
X-Mailman-Approved-At: Wed, 24 Aug 2005 12:11:18 +0000
Cc: freebsd-security@freebsd.org, remko@freebsd.org, 'Pat Maddox', 'FreeBSD Questions'
Subject: RE: Security warning with sshd
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 23 Aug 2005 16:54:41 -0000

Stephen Major wrote:

> The issue he is having, I had the exact same problems; as soon as I changed
> my config to the one below, poof, no more problems. You can set your firewall
> however you want. I was just saying what gets rid of the problem he is
> having with ssh.

I wasn't commenting on the ssh issue, since it isn't clear why the problem
exists. At least I haven't seen a problem analysis where the cause of this
was shown. Maybe I missed it. So your posting may be the right solution or
not. I don't know yet, and I don't care about this in this mail, since I
wasn't talking about the ssh issue (see below).

> So instead of ripping apart what I have said why do you not provide a better
> solution to the original question asked.

I wasn't ripping apart what you said. I just wanted to be helpful and share
a little bit of knowledge. You're mixing stateful with non-stateful rules
and this may result in unwanted packets traveling through the firewall. I
thought you (and maybe others) may be interested in this.

BTW.: in some environments this is a hole in the firewall and needs to be
fixed, so one shouldn't use this part of your example. Since the security
mailing list is in the CC, we can't let this problem go uncommented.

Another helpful suggestion: Please don't quote everything, and please write
your comments below the parts where they belong. This is common behavior in
the FreeBSD lists, and doing the opposite will result in fewer (useful)
responses from some members of the lists (because it makes the mail harder
to read, and people may decide not to spend the time to read the mail and
point out problem solutions or small bugs in your offering of a solution).

Bye,
Alexander.

--
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org      netchild @ FreeBSD.org   : PGP ID = 72077137

To add insult to injury.
                -- Phaedrus
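The hole Alexander describes (a stateless rule sitting next to stateful ones) can be shown with a small first-match filter that models ipfw's `check-state`, `keep-state` and the stateless `established` keyword (which in ipfw matches any TCP packet with ACK or RST set). This is an added example written for this page; the two rulesets below are constructed to illustrate the point and are not the ruleset posted in the thread, and the `Firewall`, `Rule` and `Packet` names are this example's own. The mixed ruleset passes an unsolicited inbound ACK to port 3306 because the stateless `established` rule matches before the default deny is reached; the purely stateful ruleset drops the same packet while still admitting the reply to a connection the host opened.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"ACK"})


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny" or "check-state"
    direction: Optional[str] = None   # "in", "out" or None for either
    dport: Optional[int] = None       # destination port, None for any
    established: bool = False         # stateless: ACK or RST set (like ipfw 'established')
    keep_state: bool = False          # on match, record the flow (like ipfw 'keep-state')


Flow = FrozenSet[Tuple[str, int]]


def flow_key(p: Packet) -> Flow:
    # Direction-agnostic key so a reply matches the state its request created.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    """First-match filter with a dynamic state table; default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states: Set[Flow] = set()

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                if flow_key(p) in self.states:
                    return "allow:state"
                continue
            if r.direction is not None and r.direction != p.direction:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.established and not (p.flags & {"ACK", "RST"}):
                continue
            if r.action == "deny":
                return "deny"
            if r.keep_state:
                self.states.add(flow_key(p))
                return "allow:keep-state"
            return "allow:stateless"
        return "deny"


# Constructed rulesets (not the ruleset from the thread).
MIXED = [
    Rule("check-state"),
    Rule("allow", direction="out", keep_state=True),
    Rule("allow", established=True),            # stateless rule: the hole
    Rule("allow", direction="in", dport=22, keep_state=True),
    Rule("deny"),
]
STATEFUL = [
    Rule("check-state"),
    Rule("allow", direction="out", keep_state=True),
    Rule("allow", direction="in", dport=22, keep_state=True),
    Rule("deny"),
]


def run_scenario(rules: List[Rule]) -> Dict[str, str]:
    """Feed constructed packets through a fresh firewall; return the verdicts."""
    fw = Firewall(rules)
    verdicts: Dict[str, str] = {}
    # 1. Outbound web connection from the protected host and the server's reply.
    syn = Packet("out", "10.0.0.5", 50000, "203.0.113.10", 80, frozenset({"SYN"}))
    synack = Packet("in", "203.0.113.10", 80, "10.0.0.5", 50000, frozenset({"SYN", "ACK"}))
    verdicts["outbound_syn"] = fw.filter(syn)
    verdicts["reply_synack"] = fw.filter(synack)
    # 2. Unsolicited inbound ACK to an internal database port (ACK scan or forged reply).
    probe = Packet("in", "198.51.100.7", 40000, "10.0.0.5", 3306, frozenset({"ACK"}))
    verdicts["unsolicited_ack"] = fw.filter(probe)
    # 3. Unsolicited inbound SYN to the same port: both rulesets drop it.
    newsyn = Packet("in", "198.51.100.7", 40001, "10.0.0.5", 3306, frozenset({"SYN"}))
    verdicts["unsolicited_syn"] = fw.filter(newsyn)
    return verdicts


if __name__ == "__main__":
    for name, rules in (("mixed", MIXED), ("stateful", STATEFUL)):
        print(name, run_scenario(rules))
```

The difference is in `unsolicited_ack`: with the mixed ruleset it is `allow:stateless`, with the stateful ruleset `deny`. The fix is the one Alexander implies: once `check-state`/`keep-state` handle return traffic, a stateless `established` rule adds nothing for legitimate flows and only gives an outsider a way to reach any port by setting the ACK bit.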