From: The Mad Scientist
Subject: syslogd compatibility
Date: Mon, 27 Mar 2000 22:06:25 -0800
To: freebsd-security@freebsd.org
Message-id: <4.1.20000327220609.00927f00@mail.thegrid.net>

All,

It seems that syslogd on -stable rejects any syslog packets if they do not originate from udp port 514. One of the machines I have is a sparc running 2.8 and its syslogd sends messages from a random high-numbered port. I've poked through the mailing list archives a little and didn't see anything relevant. Is there an undocumented command-line/conf file that will fix the problem?

I'm not much of a hacker, but from the syslogd.c code I think I can see the relevant part that drops the packets. Would getting rid of these lines do the trick (~line 1802 in /usr/src/usr.sbin/syslogd/syslogd.c)?

    if (ntohs(ap->port) != 0 && ap->port != sin->sin_port) {
        dprintf("rejected in rule %d due to port mismatch.\n", i);
        continue;
    }

Am I correct in assuming that the idea here is to put more trust in remote syslogds running as root? Are there any other security implications with removing this check?
From syslogd -a 10.0.0.0/8 -vv -d

    cvthname(10.0.1.4)
    validate: dgram from IP 10.0.1.4, port 32803, name splitbrain.;
    rejected in rule 0 due to port mismatch.

I also don't see any logs of these rejected packets...

My FreeBSD machine is:

    FreeBSD watchtower 3.4-STABLE FreeBSD 3.4-STABLE #2: Tue Mar 7 21:50:38 PST 2000 root@watchtower:/usr/src/sys/compile/WATCHTOWER i386

The Solaris box is:

    SunOS splitbrain 5.8 Generic sun4m sparc SUNW,SPARCstation-10

Thanks for the help.

-Dean
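A worked model of the -a peer check the post quotes, added here as an example and not code from FreeBSD's syslogd.c: it replays the 10.0.1.4:32803 datagram from the debug output against an allowed-peer rule that requires port 514 and against one whose port field is 0, which the quoted `ntohs(ap->port) != 0 &&` guard treats as "any port". The struct layout, the `rule()` helper and the address-mask comparison are assumptions of this model, not syslogd's own.

```c
/* Model of syslogd's allowed-peer validation (assumed layout, not the real
   struct).  Addresses, masks and ports are kept in network byte order as
   the quoted check compares ap->port directly against sin->sin_port. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

struct allowedpeer {
    uint32_t addr;   /* network byte order */
    uint32_t mask;   /* network byte order */
    uint16_t port;   /* network byte order; 0 means "any port" */
};

/* Build a rule from a dotted-quad address, a prefix length and a
   host-order port (0 = accept any source port). */
static struct allowedpeer rule(const char *ip, int masklen, uint16_t port) {
    struct allowedpeer ap;
    inet_pton(AF_INET, ip, &ap.addr);
    ap.mask = masklen == 0 ? 0 : htonl(0xffffffffu << (32 - masklen));
    ap.port = htons(port);
    return ap;
}

/* Index of the first rule admitting the datagram source, or -1 when every
   rule rejects it; as the post notes, a rejection produces no log line
   without -d, so callers should surface -1 themselves when debugging. */
static int validate(const struct allowedpeer *rules, int n,
                    const char *src_ip, uint16_t src_port) {
    uint32_t addr;
    uint16_t port = htons(src_port);
    inet_pton(AF_INET, src_ip, &addr);
    for (int i = 0; i < n; i++) {
        if ((addr & rules[i].mask) != (rules[i].addr & rules[i].mask))
            continue;                      /* source outside this rule */
        if (ntohs(rules[i].port) != 0 && rules[i].port != port)
            continue;                      /* the quoted port-mismatch path */
        return i;
    }
    return -1;
}

int main(void) {
    /* Constructed scenario: the Solaris sender from the post's debug output. */
    struct allowedpeer strict[] = { rule("10.0.0.0", 8, 514) };
    struct allowedpeer any[]    = { rule("10.0.0.0", 8, 0) };
    printf("port-514 rule: %d\n", validate(strict, 1, "10.0.1.4", 32803)); /* -1 */
    printf("any-port rule: %d\n", validate(any, 1, "10.0.1.4", 32803));    /* 0 */
    return 0;
}
```

Widening a rule to any port admits datagrams from unprivileged senders on that network, so the address mask, not the source port, becomes the only thing the rule checks.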