From owner-freebsd-security@FreeBSD.ORG Wed Oct 26 16:48:22 2005
Date: Wed, 26 Oct 2005 09:48:25 -0700
To: John Fitzgerald , freebsd-security@FreeBSD.org
From: ray@redshift.com
Subject: Re: ipf stopped working on 5.3

At 01:32 PM 10/25/2005 -0400, John Fitzgerald wrote:
| I've had ipf working on a few 5.3 servers for quite a while. Not too long ago
| some developers had to do some coding work and were coming from dynamic
| IPs. I (reluctantly) opened up SSH to the world. Immediately I started
| seeing the attacks where bots of some sort would try to break in with a
| variety of different users.
|
| So, I (thought) I closed it up again and told the developers to use a
| dedicated proxy. They did, but I realized that I hadn't actually closed
| things off. I was still getting attacked. I had tried, but ipf suddenly
| wasn't working. Whenever I would change the firewall rules and ipf -D and
| then ipf -E -f /etc/my.rules it would simply return:
|
| 1:ioctl(add/insert rule): No such process
|
| I didn't have the time to look into it at the time, but am now trying to
| figure it out. Ipf is obviously not working and I don't know why. I have
| tried recompiling the kernel a myriad of different ways. With/without ipfw,
| with/without ipsec, etc. All to no avail. Is this a bug, did I get hacked?
|
| I have googled this quite a bit and the only thing that I found was possibly
| a buildworld scenario where something got updated and it doesn't work now. I
| didn't install src so I'm a bit out of luck on that one.
|
| FreeBSD 5.3-RELEASE
| OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7d 17 Mar 2004
|

Usually that means you are trying to run it without being root, or you have
a rule that doesn't belong to a group/head. I ran into something else once
that caused that, but now I can't remember it.

Feel free to send your ipf.rules if it's not too sensitive.

Ray
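
The second cause named in the reply, a rule placed in a group that no head rule has created, can be checked in a rules file before it is loaded. The script below is an added example and not part of the original message: the sample ruleset is constructed, `find_orphan_groups` is a hypothetical helper name, and it assumes rules load in file order, so a `head N` rule must come before any rule that uses `group N`.

```python
import re
import sys

# Constructed sample ruleset (not the poster's rules): the rule on line 4 is
# placed in group 200, which no earlier rule creates with "head 200".
SAMPLE_RULES = """\
# constructed example
block in quick on fxp0 all head 100
pass in quick on fxp0 proto tcp from any to any port = 22 keep state group 100
pass in quick on fxp0 proto tcp from any to any port = 80 keep state group 200
block out on fxp0 all
"""

_HEAD = re.compile(r"\bhead\s+(\S+)")
_GROUP = re.compile(r"\bgroup\s+(\S+)")


def find_orphan_groups(text):
    """Return [(line_no, group, rule)] for rules whose group has no earlier head."""
    heads = {"0"}  # group 0 is the default group and needs no head rule
    orphans = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        group = _GROUP.search(rule)
        # Check the group before registering this rule's own head, so a
        # nested rule ("head 110 group 100") still needs head 100 earlier.
        if group and group.group(1) not in heads:
            orphans.append((line_no, group.group(1), rule))
        head = _HEAD.search(rule)
        if head:
            heads.add(head.group(1))
    return orphans


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, group, rule in find_orphan_groups(text):
        print(f"line {line_no}: group {group} has no earlier head: {rule}")
```

An empty result only rules out this one cause; it says nothing about whether ipf is being run as root.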