

 
From: Matt Piechota (piechota@argolis.org)
Date: Wed Jun 12 2002 - 09:33:40 CDT


    On Wed, 12 Jun 2002, Anthony Schneider wrote:

    > I've never had a problem sending passphrases to ssh via expect, personally.

    This is a rather poorly written expect script that I use to tar up a cvs
    tree on a computer in a rather restrictive lab. It's biggest problem is
    the password is in the file, and shows up in the cron mail. It should be
    a decent start, and I should really get to reading that expect book I
    have. :)

    Check this:
    #!/usr/freeware/bin/expect -f
    # Step 1: log in, rebuild the tarball on the remote box, log out.

    set timeout 120

    spawn /usr/local/bin/ssh piechota@fsmvpn2
    expect "password"
    send "xxxx\r"          ;# the key passphrase, stored in the script (the problem noted above)
    expect "(~)%"
    send "rm -f bdf.tar\r"
    expect "(~)%"
    send "cd /home/cvs\r"
    expect "(/home/cvs)%"
    send "tar cvf /home/piechota/bdf.tar bdf\r"
    expect "(/home/cvs)%"
    send "exit\r"
    expect eof             ;# wait for the ssh session to close before starting scp

    # Step 2: copy the tarball back; a long transfer needs the larger timeout.
    set timeout 900
    spawn /usr/local/bin/scp piechota@fsmvpn2:/home/piechota/bdf.tar fsmcvs.tar
    expect "password"
    send "xxxx\r"
    expect "100%"
    expect eof             ;# scp exits by itself once the copy is complete

    -- 
    Matt Piechota
    

    To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message


     
    From: Aragon Gouveia (aragon@phat.za.net)
    Date: Wed Jun 12 2002 - 09:49:03 CDT


    > This is a rather poorly written expect script that I use to tar up a cvs
    > tree on a computer in a rather restrictive lab.

    I haven't been following this thread, but wouldn't key authentication be
    easier, more secure, more reliable?

    Regards,
    Aragon



     
    From: Matt Piechota (piechota@argolis.org)
    Date: Wed Jun 12 2002 - 09:54:27 CDT


    On Wed, 12 Jun 2002, Aragon Gouveia wrote:

    > > This is a rather poorly written expect script that I use to tar up a cvs
    > > tree on a computer in a rather restrictive lab.
    >
    > I haven't been following this thread, but wouldn't key authentication be
    > easier, securer, more reliable?

    It uses keys, but the keys have a password on them. It really isn't all
    that good either way: one way I have passwords laying about, the other I
    have passwordless keys that are nearly as dangerous.

    -- 
    Matt Piechota
    



     
    From: Jason Stone (jason@shalott.net)
    Date: Wed Jun 12 2002 - 10:44:54 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    > > > This is a rather poorly written expect script that I use to tar up a cvs
    > > > tree on a computer in a rather restrictive lab.
    > >
    > > I haven't been following this thread, but wouldn't key authentication be
    > > easier, securer, more reliable?
    >
    > It uses keys, but the keys have a password on them. It really isn't all
    > that good either way: one way I have passwords laying about, the other I
    > have passwordless keys that are nearly as dangerous.

    Place restrictions on the keys in the authorized_keys file on the server.
    For example, you can set it up such that the key can only be used to copy
    one particular file, and can only be used from one well-known client ip
    address. This makes unencrypted keys much safer, and is clearly more
    secure than having the unencrypted and unrestricted password in the clear
    on the client.

    And <insert obligatory topicality note here>. The openssh-dev list
    (openssh-unix-dev@mindrot.org) is probably a better place for this kind
    of discussion.

     -Jason

     -----------------------------------------------------------------------
     I worry about my child and the Internet all the time, even though she's
     too young to have logged on yet. Here's what I worry about. I worry
     that 10 or 15 years from now, she will come to me and say "Daddy, where
     were you when they took freedom of the press away from the Internet?"
            -- Mike Godwin

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: See https://private.idealab.com/public/jason/jason.gpg

    iD8DBQE9B2x3swXMWWtptckRAou8AKDMpHsLGBjNG3H+MSYVC9fFR97BCgCgiNci
    gbg3iNiAgUo2jludEY3xIQU=
    =Eju3
    -----END PGP SIGNATURE-----

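    One way to set up the restriction Jason describes, and the key-based alternative Aragon and Matt discuss, shown as an added example that is not part of the original thread. It assumes a client address of 192.0.2.10, a wrapper installed as /usr/local/bin/backup-only.sh, and the tarball path from Matt's script; the key material is a placeholder. The authorized_keys options used (from=, command=, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, no-pty) are standard OpenSSH options.

```shell
#!/bin/sh
# Added example, not from the thread: a forced-command wrapper for a
# passphrase-less backup key, restricted the way Jason suggests.
#
# The matching line in ~/.ssh/authorized_keys on the server (one line;
# client address, wrapper path and key material are placeholders):
#
#   from="192.0.2.10",command="/usr/local/bin/backup-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3...placeholder... backup-key
#
# With command= set, sshd ignores what the client asked to run, executes
# this wrapper instead, and passes the client's request in
# SSH_ORIGINAL_COMMAND. The wrapper allows exactly one request: the
# server-side scp invocation produced by fetching the tarball
# (scp user@host:/home/piechota/bdf.tar ...). Everything else is refused,
# so a stolen key yields one file, from one address, and no shell.

ALLOWED="scp -f /home/piechota/bdf.tar"   # path taken from Matt's script

# check_command REQUEST
# Returns 0 when REQUEST is exactly the allowed scp command, 1 otherwise.
# Exact string comparison: a different file name, an appended "; sh" or
# an empty request all fail.
check_command() {
    [ "$1" = "$ALLOWED" ]
}

# refuse REQUEST
# Records the rejected request in syslog (tag backup-only) so attempts to
# use the key for anything else are visible, then returns 1.
refuse() {
    logger -t backup-only "rejected: $1" 2>/dev/null
    printf 'rejected\n' >&2
    return 1
}

# Entry point, only reached when sshd runs us with a request in hand.
# An interactive login carries no request, so it ends here without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        exec $ALLOWED      # run the fixed command, not the client's string
    else
        refuse "$SSH_ORIGINAL_COMMAND"
        exit 1
    fi
fi
```

    The request string above is what the classic scp protocol sends for a single-file fetch; newer OpenSSH releases copy over SFTP by default, so log SSH_ORIGINAL_COMMAND once from the wrapper to see what your client actually sends before fixing ALLOWED.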


     
    From: Niall Brady (bradyn@maths.tcd.ie)
    Date: Wed Jun 12 2002 - 12:57:12 CDT


    On Tue, 11 Jun 2002 17:36:25 EDT, jack xiao said:
    >
    >I am running ssh under FreeBSD4.5. It works fine, but I am wondering if
    >anybody has any experience of using ssh without inputting username and
    >password. It's for a cron job on my box...

    http://linuxmafia.com/~rick/linux-info/ssh-publickey-process
    would probably be the best sort of thing for you.

    Probably best to keep this on freebsd-questions too ;-) [reply-to set
    accordingly]

    -- 
    	Niall
    



     
    From: paleph@pacbell.net
    Date: Wed Jun 12 2002 - 18:00:14 CDT


    Hi.

    Does anyone know where the trusted bsd sources have gone to? I could not
    find any on the trustedbsd.org site. I remember that there used be several
    packages available for acl's, extended attrs, etc.

    Thanks

    Paul Fronberg
    paleph@pacbell.net



     
    From: cristobol5@hotmail.com
    Date: Thu Jun 13 2002 - 10:19:26 CDT


    Hey there,

    If you're like me, you've tried EVERYTHING to lose
    weight.  I know how you feel - the special diets,
    miracle pills, and fancy exercise equipment never helped
    me lose a pound either.  It seemed like the harder I tried,
    the bigger I got, until I heard about a product called
    Extreme Power Plus.

    You're probably thinking to yourself, "Oh geez, not another
    miracle diet pill!"  Like you, I was skeptical at first, but
    my sister swore it helped her lose 23 pounds in just two weeks,
    so I told her I'd give it a shot.  I mean, there was nothing
    to lose except a lot of weight!  Let me tell you, it was
    the best decision I've ever made. Period.  Six months later,
    as I'm writing this message to you, I've gone from 355 pounds
    to 210 pounds, and I haven't changed my exercise routine or diet
    at all.  Yes, I still eat pizza, and lots of it!

    I was so happy with the results that I contacted the manufacturer
    and got permission to resell it - at a BIG discount.  I want
    to help other people lose weight like I did, because it
    does so much for your self-esteem, not to mention your health.
    I give you my personal pledge that Extreme Power Plus
    absolutely WILL WORK FOR YOU.  If it doesn't, you can return it
    any time for a full refund.

    Interested, visit http://2002marketing.com/affiliate3/index.htm

    If you are frustrated with trying other products, not having
    any success, and just not getting the results you were promised,
    then I recommend the only product that worked for me - EXTREME
    POWER PLUS.

    You're probably asking yourself, "Ok, so how does this stuff
    actually work?"

    Extreme Power Plus contains Lipotropic fat burners and ephedra which
    is scientifically proven to increase metabolism and cause rapid
    weight loss. No "hocus pocus" in these pills - just RESULTS, RESULTS,
    RESULTS!!

    Here is the bottom line ...

    I can help you lose 10-15 pounds per week naturally, without
    exercising and without having to eat rice cakes all day. 
    Just try it for one month - there's nothing to lose, and everything
    to gain.  You will lose weight fast - GUARANTEED.  That is my
    pledge to you. 

    To order Extreme Power Plus on our secure server, just click
    on the link below:

    http://2002marketing.com/affiliate3/index.htm

    If you have difficulty accessing the website above, please
    try our mirror site by clicking on the link below:

    http://2002marketing.com/affiliate3/index.htm

    To see what some of our customers have said about this product,
    visit http://2002marketing.com/affiliate3/index.htm

    To see a list of ingredients and for more information
    on test studies and how it will help you lose weight, visit
    http://2002marketing.com/affiliate3/index.htm

    *************************************************************
    If you do not wish to receive any more emails from me, please
    send an email to "affiliate2btamail.net.cn" requesting to be
    removed.
    *************************************************************



     
    From: Office (CenterforAge0201d60@excite.com)
    Date: Thu Jun 13 2002 - 05:41:01 CDT


    Did you know there are three HGH products There are three different types of HGH products

    There are three different types of HGH products.
    The confusion is that all three are
    advertised as if they were the same.

     
            The three types are:
     
    1) --- Homeopathic HGH
    2) --- Pre-cursor HGH
    3) --- Real or synthetic HGH (delivered by injection
            or, by an oral spray method).
     
    Do you know differences?
     
    Call us and we'll explain them to you.
     
    Our toll free number is 1-888-621-7300
    An HGH staff member is available
    9 to 5 Pacific Time.
    If after hours, please leave you name
    and day and evening phone numbers.
    We will call you back in a no pressure,
    educational manner.
    If you are overseas call your long distance
    operator and ask to be connected to our
    phone number.  We will call you back so
    we can pay for the long distance charges.
     
    For more information on HGH read on............
     
    HAVE YOU HEARD OF
    HUMAN GROWTH HORMONE (HGH)???
     
         Released by your own pituitary gland, HGH starts declining
    in your 20s, even more in your 30s and 40s, eventually resulting
    in the shrinkage of major organs -- plus, all
    other symptoms related to old age.
     
     
    IN THOUSANDS OF CLINICAL STUDIES,
    HGH HAS BEEN SHOWN TO ACCOMPLISH THE FOLLOWING:
     
    * Reduce Body Fat and Build Lean Muscle
       WITHOUT EXERCISE!
     
    * Enhance Sexual Performance
     
    * Remove Wrinkles and Cellulite
     
    * Lower Blood Pressure and Improve Cholesterol Profile
     
    * Improve Sleep, Vision and Memory
     
    * Restore Hair Color and Growth
     
    * Strengthen the Immune System
     
    * Increase Energy and Cardiac Output
     
    * Turn back your body's Biological Time Clock 10 - 20 years
     
    * Live Longer AND Stronger
     
    All natural and organic plant based
     
    FEEL 10 YEARS YOUNGER WITH ORAL SPRAY HGH.
    GUARANTEED

     
        We are the manufacturer and we sell directly to Doctors,
    Chiropractors, and consumers world wide the highest grade
     HGH Oral Spray available. 
     
         With internet marketing, we are able to save advertising
    cost and pass those savings along to you.
    But you must act now. 
     
    To receive more information call  us now.
     
                TOLL FREE 1-888-621-7300
     
    We must speak to you in person to qualify your usage.
     
         All of your questions will be addressed and answered in a friendly,
    no pressure manner.  Our main purpose is to provide you with
     information so you can make an educated decision.
     
         For more information call
     
                1-888-621-7300
     
     If you are on line write down our
    phone number and call us when you can.
     
    Soon, you and your loved ones will be very glad you did.
     
    Read what people are saying:
     
    "The effects of 6 months of GH on
    lean body mass and fat were equivalent
    in magnitude to the changes incurred
    during 10-20 years of aging."
    Dr. Daniel Rudman, MD,
    New England Journal of Medicine.
     
    "Within four months, my body fat decreased
     form 30% down to 21%! I noticed my skin
     is more supple and my overall mental
     outlook improved significantly."
     D.W., New Jersey
     
    "We have been on the spray for just 3 weeks
    now, and besides the tremendous energy we
    both feel, my husbands allergies and spells
    of depression have lifted. I am healing
    extremely fast after an accident and have
    lost 7 lbs. without trying!"
    C.B., Flagstaff. AZ
     
    Thanks for reading our letter,
    The HGH Staff
    USA Division
     
    PS:  The HGH Staff guarantees the
    highest quality and lowest price.
     
     We manufacture and ship directly to your door.
     
    Call us now 1-888-621-7300
     
    =======   End of message ======== 
     
       The following statement is provided to be
    in compliance with commercial email laws.
     
       If you do not wish to receive further
    mailings, please click reply to: the_hgh_clinicbtamail.net.cn and type remove in the subject box.
    Then click send.
     
       This message is in full compliance with
    U.S. Federal requirements for commercial
    email under bill S.1618 Title lll, Section 301,
    Paragraph (a)(2)(C) passed by the 105th U.S.
    Congress and is not considered SPAM
    since it includes a remove mechanism.*
    This message is not intended for residents in the
    states of CA, NC, NV, RI, TN, VA & WA.
    Screening of addresses has been done to the best
    of our technical ability.
     
                 Call us now 1-888-621-7300 for your
                 free HGH consultation.


    Thank you



     
    From: Chris Faulhaber (jedgar@fxp.org)
    Date: Thu Jun 13 2002 - 06:14:24 CDT


    On Wed, Jun 12, 2002 at 04:00:14PM -0700, paleph@pacbell.net wrote:
    > Hi.
    >
    > Does anyone know where the trusted bsd sources have gone to? I could not
    > find any on the trustedbsd.org site. I remember that there used be several
    > packages available for acl's, extended attrs, etc.
    >

    http://www.trustedbsd.org/components.html contains instructions on
    obtaining current TrustedBSD sources via perforce and information
    about the various projects. In particular, ACL's and Extended Attrs
    have been in FreeBSD-CURRENT for quite a while.

    -- 
    Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
    --------------------------------------------------------
    FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (FreeBSD)
    Comment: FreeBSD: The Power To Serve

    iEYEARECAAYFAj0IfpAACgkQObaG4P6BelBN/ACcCqo/cWHQWS7R0nWQ4iNsuvM+
    eGsAniu7ExSf9mo74aD8ZMPVmb6k0KGC
    =mFtZ
    -----END PGP SIGNATURE-----



     
    From: Andrey Sverdlichenko (blaze@infosec.ru)
    Date: Fri Jun 14 2002 - 05:38:26 CDT


    On Tue, 2002-06-11 at 04:10, Mike Hoskins wrote:
     
    > Is there a way to handle the state table in ipfw/ipf? I could write
    > scripts to do 'failover', but I'm wondering if there's a way to 'share'
    > the state table between active and standby units or to pass the state
    > table from one firewall to another over a crossover.

    It's a really hard thing to do. Our product implements failover with
    ipf, but it's ugly: every 5 seconds a user-level program gets the state
    table from the kernel and transfers it to the failover unit. But:

    a) some TCP connections transfer more data in those 5 seconds than the
    TCP window, so after the switch ipf blocks new packets as "not fitting
    in window". I made an ugly patch: the first packets after the switch to
    the failover unit are "trusted" and the new sequence numbers are set
    from them.

    b) while the state table is being fetched from the kernel, it's locked,
    so no new connections will be added and SYNs will be dropped. It is not
    important to our customers, but YMMV.

    Possibly the only way to do good stateful failover is to do it in the
    kernel, with instant transfer of state changes.



     
    From: Attila Nagy (bra@fsn.hu)
    Date: Fri Jun 14 2002 - 05:40:17 CDT


    Hello,

    > > Is there a way to handle the state table in ipfw/ipf? I could write
    > > scripts to do 'failover', but I'm wondering if there's a way to 'share'
    > > the state table between active and standby units or to pass the state
    > > table from one firewall to another over a crossover.
    This is implemented in IPF4 AFAIK.
    You should try its alpha version...

    --------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]-------
    Attila Nagy e-mail: Attila.Nagy@fsn.hu
    Free Software Network (FSN.HU) phone work: +361 210 1415 (194)
                                                    cell.: +3630 306 6758



     
    From: Sheldon Hearn (sheldonh@starjuice.net)
    Date: Fri Jun 14 2002 - 06:32:09 CDT


    On Fri, 14 Jun 2002 12:40:17 +0200, Attila Nagy wrote:

    > > > Is there a way to handle the state table in ipfw/ipf? I could write
    > > > scripts to do 'failover', but I'm wondering if there's a way to 'share'
    > > > the state table between active and standby units or to pass the state
    > > > table from one firewall to another over a crossover.

    > This is implemented in IPF4 AFAIK.
    > You should try its alpha version...

    No. Darren said it's something he's considering for v4. At this stage,
    he's not sure whether it'll be part of the standard distribution, a
    value-add or included at all.

    Ciao,
    Sheldon.



     
    From: Ivailo Tanusheff (I.Tanusheff@procreditbank.com)
    Date: Fri Jun 14 2002 - 10:00:39 CDT


    Dear Sirs,

    I have the following configuration:

    {Internet} <-> {SQUID1 + Net1} <-64K line-> [SQUID2] <-> {Net2}

    I have the following problem:

    In Net1 I have an important server to which some clients from Net2
    connect through http and the squid server. These clients have to be
    able to use most of the 64K line between the two networks. In Net2
    there are many clients using the squid server as a proxy and making
    "bad" traffic.

    My question is: how can I configure ipfw to shape the traffic for the
    other users? I've tried some ways of accomplishing that task, but it
    seems to me that when using a proxy server, the destination IP address
    is not in the IP header, or am I wrong? Can you help me?

    I've tried:
    su-2.05a# ipfw -a show
    00500 0 0 pipe 1 ip from any to not <net1> out
    00600 0 0 pipe 2 ip from any to not <net1> in
    65535 397320 84804286 allow ip from any to any

    As you see, there are no hits for traffic going out of net1.

    Thank you in advance,
    Ivo



     
    From: todschick38259@arcor.de
    Date: Sat Jun 15 2002 - 10:19:09 CDT


    Please excuse the disturbance!

    Something has come to my ears.
    A relatively unusual rumour mill,
    from which I was served a hard-to-digest soup,
    is the reason for my mail.
    Unappetizing doesn't even begin to describe it!
    Is it possible by radio means (in which frequency ranges?)
    to influence or manipulate someone?
    Or even to harass and terrorize them?
    Under the motto: "Someone on the transmitter? Not quite alone?
    Little man in the ear? Wrong wavelength? Beans in the ears?
    Felt out on the tooth (amalgam)? Listen in, no obligation?
    The Pullach bug dance?
    Is that crazy talk? That's not possible at all, is it?
    And if it is, how does it look ethically and morally?
    On the technical side of the matter there are indeed reports and websites:
    Totalitaer,de - Die Waffe gegen die Kritik
    http://www.fosar-bludorf.com/Tempelhof/
    http://jya.com/haarp.htm
    http://www.zeitenschrift.at/magazin/zs_24_15/1_mikrowaffen.htm
    http://www.bse-plus.de/d/doc/lbrief/lbmincontr.htm
    http://home.nexgo.de/kraven/bigb/big3.html
    http://w3.nrl.navy.mil/projects/haarp/index.html
    http://cryptome.org/
    http://www.parascope.com/ds/mkultra0.htm
    http://www.trufax.org/menu/mind.html
    http://www.trufax.org/menu/elect.html
    http://mindcontrolforum.com/
    http://www.trufax.org/menu/elect.html
    etc.
    etc.
    etc.
    , but that can't be, that something like that is done, can it?
    A human rights violation without equal!?!
    Is it possible by preparing the ears, in combination with any dentures
    that may be present?
    With relatively simple radio technology??
    In this country? Here and today???
    Under what motives?
    Where actually is Department 5 of the BND and of the Verfassungsschutz?
    Can it be that there are people who, by radio, permanently deliver a
    situation report to the BND/Verfassungsschutz without noticing it
    themselves, made possible in childhood??
    Is information about, purely theoretically, every citizen collected
    by such unofficial collaborators at the BND and Verfassungsschutz,
    in Stasi fashion?
    Is there then still a right to privacy? Who actually checks the BND, MAD
    and Verfassungsschutz for infiltration???
    What my mail is really about is the question of whether criminal elements,
    out of a motive of enrichment, or groups with ideological motives,
    are able to acquire knowledge and technology that was developed at other
    times, for other motives (Western television?).
    And does the state of technical knowledge
    known to the general public really represent the end of the line?
    Is it not just as possible for criminal elements,
    and I am putting this mildly and harmlessly,
    to spy on individual persons or groups with relatively simple means,
    for whatever motives?
    And doesn't this "spying" represent a considerable intrusion into
    privacy?
    Is it possible to terrorize and/or harass individual persons or groups,
    assuming the (suggested?) acceptance of a certain public
    that could be created, for example, with the help of websites such as
    the "Pranger" (pillory),
    and all that in full (suggested) public view? Do the people who are
    disparaged, or even defamed, there at the Pranger or on any other site
    actually have a chance of a counter-public? Isn't that character assassination?
    A few years ago I came across the site "Der Pranger" by chance;
    at that time it was not yet run under the guise of a dating service.
    Can individual persons or interest groups,
    purely for their own ends, make use of such sites
    to push through their own, entirely personal interests
    under the cover of a questionable civil courage,
    by instigating some sort of smear campaign?
    Can such sites serve to coordinate criminal machinations?
    The question is whether it is possible or impossible, technically and
    socially,
    to manipulate or influence, terrorize or harass individual persons or
    groups, out of a criminal/ideological
    energy, and to do so in a targeted way.
    Target-group manipulation by mass media is everyday manipulation
    that one can, more or less, escape.
    Is the right to privacy being undermined, creepingly and at a deep
    psychological level, by programmes such as "Big Brother"?
    Should one of the recipients have some knowledge of the subject,
    I would be glad of pointers on the topic.
    In search of answers to my questions
    I am mailing various addresses from the Internet
    and hope for constructive answers and criticism.
    I would be pleased about a visit to the page
    <http://hometown.aol.de/reinerhohn38259/homepage/index.html>.
    Should you have been written to by me several times,
    I ask you to excuse me;
    that was not intended.
    The reason for my anonymity is the fact
    that with this kind of questioning,
    understandably, the call for psychiatry quickly grows loud.
    Which also has method (is method).
    Should you find this mail a nuisance,
    I hereby apologize for it!
    Big brother is watching you?

    Excuse please the disturbance!

    Me something came to ears.
    A relatively unusual rumor kitchen,
    from which one put forward to me a heavydigestible soup,
    is the reason of my Mail.
    Unappetizing is no printout!
    Is it possible on radio Wege(in for which frequency ranges?) to
    influence or manipulate someone?
    Terrorize or to even chicane and?
    Under the Motto:"Einen at the Sender?Nich quite alone?
    Small Mannim Ohr?Fal Wellenlaenge?Bohnen in the ears?
    On the tooth clean-hear gefuehlt(Amalgam)?Mal witthout obligation?
    The Pullacher bug wanzentanz?
    Isn't the Spinnerei?Das goes nevertheless at all, or?
    And if as looks ethicalally morally?
    For the technical page of the thing there is to report and web page:
    Totalitaer,de - Die Waffe gegen die Kritik
    http://www.fosar-bludorf.com/Tempelhof/
    http://jya.com/haarp.htm
    http://www.zeitenschrift.at/magazin/zs_24_15/1_mikrowaffen.htm
    http://www.bse-plus.de/d/doc/lbrief/lbmincontr.htm
    http://home.nexgo.de/kraven/bigb/big3.html
    http://w3.nrl.navy.mil/projects/haarp/index.html
    http://cryptome.org/
    http://www.parascope.com/ds/mkultra0.htm
    http://www.trufax.org/menu/mind.html
    http://www.trufax.org/menu/elect.html
    http://mindcontrolforum.com/
    http://www.trufax.org/menu/elect.html
    usw.
    usw.
    usw.
    but, that cannot be nevertheless, which is made soetwas, or?
    A violation of human rights resemble special!?!
    Is it possible, by preparation, the ears and in interaction with
    possibly available artificial dentures?
    With relatively simple radio engineering??
    In this Land?Hier and today???
    Under which motives?
    Where is the department actually 5 of the BND and the protection of the
    constitution?
    Can it be that there are people, which deliver the Federal
    Intelligence Service/protection of the constitution, on radio way
    permanently a situation report, without noticing it, in the infancy
    feasiblly made?
    By such unofficial coworkers, with the BND and protection of the
    constitution, after Stasimanier, is information collected of and
    over,purely theoretically, each Federal citizen?
    Is there then still another right to Privatsphere?
    Who actually checks the BND, WAD and protection of the constitution for
    infiltration???
    Into the Mail actually concerns it to me the question whether it
    criminal items, from which motive of enriching, or groupings from
    ideological motives is possible, to acquire itself knowledge and
    technique which were developed at other times, from other
    Motiven(Westfernsehen?).And does the technical knowledge status place, to
    that the public admits is really the end of the flag bar?
    Is it not to criminal items just as possible, I legend that now times
    played down and does nice-end, individual persons or groups with
    relatively simple means, to spy from whatever motives always?
    And doesn't this " Ausspioniererei " represent a substantial
    intervention into the privatsphaere?
    It is possible individual persons or groups, one acceptance to of a
    certain Oeffentlichkeit(suggeriert?), e.g. by Internet pages, how for
    example the "Pranger" geschaffen could become, times vorausgesetzt, to
    terrorisieren and or chicane, and in everything (the people
    suggerierten) Oeffentlichkeit? Haben there at the Pranger, or on any
    other page to be reviled, or slandered, actually a chance to the
    Gegenoeffentlichkeit? Ist that not character assassination?
    Some years ago I am by coincidence the page "the Pranger"
    encountered, at that time ran not yet under the cover of the partner
    switching. Itself can individual persons, or communities of interests, from
    pure self purpose, such pages to serve, over under the cover of a doubtful
    Zivilkourage, through plot any rushing campaigns, own, quite
    persoenliche interests to intersperse?
    Can such pages serve for the co-ordination of criminal machinations?
    The question, is it possibility or impossibility, technically and
    socially, individual persons, or also groupings of manipulating or of
    influencing from a criminal/ideological Energie, terrorizes or to
    schikanieren, directed. Target group manipulation by mass media are
    everyday manipulation, from which, more or less, can extract itself.
    Does the right to Privatsphaere, creeping, by transmissions become
    deep psychological, how, for example "Big undermine brother"?
    If the Angemailten should be available a certain knowledge status to
    the topic with one, I would be glad over notes to the topic.
    On the search for responses to my questions maile I different
    addresses from the Internet on, and hope up-constructional responses
    and criticisms. Over an attendance on the page
    <http://hometown.aol.de/reinerhohn38259/homepage/index.html>
    wuerde I are pleased. If you should have been written down by me several
    times, then please
    I you to excuse me this that was not intended.
    The reason for my anonymity is the fact that with such
    Fragenstellerei, understandably, fast after the call the Psychiatrie
    loud becomes. Which also method hat(ist).
    If you should feel the Mail as annoyance, I would like to apologize
    hereby for it! Big is watching you?

    Please excuse the disturbance!

    Something concerning ears has come to me.
       A relatively unusual noise kitchen, from which a hard-to-digest little
    soup was set in front of me, is the reason for my mail. No expression
    is unappetising!
       Is it possible, by some means (in radio-technical terms, on which
    frequencies?), to influence or manipulate somebody?
    Or even to harass and terrorize?
       Under the motto: "Einen am Sender? Not quite only?
       Little man in the ear? Wrong wavelength? Beans in the ears?
       Felt on the tooth (amalgam)? Just a non-binding listen-in?
       The Pullach bug dance?
    Crazy talk? Surely that is not on at all, or is it?
       And if it is, how does it look ethically and morally?
       On the technical side of the matter there are certainly reports and
    web pages:
    Totalitaer.de - The weapon against criticism
    http://www.fosar-bludorf.com/Tempelhof/
    http://jya.com/haarp.htm
    http://www.zeitenschrift.at/magazin/zs_24_15/1_mikrowaffen.htm
    http://www.bse-plus.de/d/doc/lbrief/lbmincontr.htm
    http://home.nexgo.de/kraven/bigb/big3.html
    http://w3.nrl.navy.mil/projects/haarp/index.html
    http://cryptome.org/
    http://www.parascope.com/ds/mkultra0.htm
    http://www.trufax.org/menu/mind.html
    http://www.trufax.org/menu/elect.html
    http://mindcontrolforum.com/
    http://www.trufax.org/menu/elect.html
    etc.
    etc.
    etc.
    but surely it cannot be that somebody does something like that, or can it?
       Does this not look like a human rights violation!?!
       Is it possible, through preparation of the ears and in interaction with
    any dental prosthesis that may be present?
    With relatively simple radio technology??
       In this country? Here and today?
       Under what motives?
       Where actually is Department 5 of the BND and of the Verfassungsschutz?
    Can it be that there are people who permanently deliver a situation
    report to the BND/Verfassungsschutz by radio, without noticing it
    themselves, made possible in childhood??
    Through such unofficial collaborators, with the BND and the
    Verfassungsschutz, is information in this way gathered about, purely
    theoretically, every German citizen?
       Is there then still a right to a private sphere? Who actually controls
    the BND, MAD and Verfassungsschutz for infiltration???
    What the mail is actually about, for me, is the question of whether
    criminal elements, whose motive is enrichment, or groups with
    ideological motives, could acquire the knowledge and the technology
    that was developed at other times and under other motives, and whether
    the technical knowledge, of which the public really knows only the tip
    of the flagpole, is available.
       Is it then not possible, in exactly the same way, for criminal
    elements, to put it for once harmlessly and minimisingly, to spy on
    individual persons or groups with relatively simple means, for whatever
    motives? (Westfernsehen?)
    And does this "spying" not represent a considerable intrusion into
    private life?
       Is it possible for individual persons or groups, before a certain
    (suggested?) public, which could be created e.g. with the help of
    Internet pages such as "the Pranger", assuming the case, to harass and/or
    terrorize, and in front of the whole (suggested) public? Do the people
    pilloried there, or reviled or slandered on another page, actually have
    a chance at a counter-public? Is that not character assassination?
    Some years ago I stumbled by chance upon the page "the Pranger"; at that
    time it did not yet run under the cover of the partner agency.
       Can individual persons, or communities of interest, out of pure
    self-interest, use such pages to plot smear campaigns under the cover
    of a dubious civil courage and push through their own entirely personal
    interests?
    Can such pages serve for the coordination of criminal machinations?
    The question is whether it is possible or impossible, technically and
    socially, to manipulate or influence individual persons, or also groups,
    out of criminal/ideological energy, to terrorize or harass them, and so
    on. Target-group manipulation by the mass media is the everyday
    manipulation from which one can, more or less, withdraw.
       Is the right to private life being undermined, creeping,
    deep-psychologically, by broadcasts such as, for example, "Big Brother"?
       If a certain knowledge of the topic should exist among those I have
    mailed, I would be glad of hints on the topic. In search of answers to
    my questions I am mailing various addresses from the Internet, and hope
    for constructive answers and criticism.
       I would be pleased by a visit to the page
    http://hometown.aol.de/reinerhohn38259/homepage/index.html
       If you should have been written to by me several times, I ask you to
    excuse this; it was not intended.
    The reason for my anonymity is the fact that with such question-asking,
    understandably, the call for psychiatry quickly becomes loud.
       Which also has method.
       If you should feel the mail to be a nuisance, I would like to
    apologize hereby for it!
       Big brother is watching you?

    Could someone help me with the correct translation?



     
    From: How Can ThisBe (howcanthisbe300hotmail.com)
    Date: Sat Jun 15 2002 - 10:55:14 CDT


    I do not want to start any Brett Glass rants, just want to let people know
    about a script I found. It basically runs through the steps needed to get a
    FreeBSD box updated. I ran the script on my 4.6 box without a problem. It
    looks like the kind of thing that would help people new to FreeBSD get the
    latest security patches without a problem. For more experienced people it's a
    nice simple alternative.

    There is more info on the site:
    http://lvl.sourceforge.net/autoupdate.php

    And a direct download link:
    http://lvl.sourceforge.net/dl/scripts/autoupdate.tar.gz

    That's all

    Non
    (yes, this is from a hotmail account, so what?)




     
    From: Doug Barton (DougBFreeBSD.org)
    Date: Sat Jun 15 2002 - 13:56:22 CDT


    This topic is not appropriate to freebsd-security either.



     
    From: grimm (grimmplanetquake.com)
    Date: Sun Jun 16 2002 - 12:42:01 CDT


    Greetings,

            Ok, so I set up IPFW and NATd on my FreeBSD 4.5-RELEASE box,
    where I configured a jail environment. Here are some details for
    first time readers:

    I have a host computer called dagobah, which
    runs a virtual system in a jailed environment, called
    darkside. This system is running FreeBSD 4.5-RELEASE.

    host (dagobah) xl0 IP 143.XX.XX.238
         jail (darkside) IP alias to xl0 (192.168.200.13)

    What had happened is that once I setup IPFW, I could no
    longer connect (DNS lookup failure was causing huge delay
    on connect) to my jail (darkside).

    My other problem was making it possible to connect to
    these services from the outside world:

    host (dagobah)
        allow ftp (port 21)
        allow www (port 80)
        allow ssh (port 777)

    jail (darkside)
        allow ssh (port 22)

        with natd forwarding all requests dagobah received on port 22
        to the jail's sshd.

        Everything else should be blocked.

    =========== question =====================================

    My DNS lookup problem with IPFW running is now solved, internally
    I can connect to my jail without any problem.

    However, I can't connect from the outside world to my host (dagobah).
    I have tried to view the web page, as well as telnet and both
    don't connect. Although I do see in the IPFW SHOW output that
    some stuff seems to be reaching my port 80.

    I would really appreciate it if someone could look at my configs
    and point out my mistake. I have pretty much just learned how to
    do this stuff, and I may have missed something obvious!

    --------------

    # rc.conf
    #
    hostname="dagobah.somewhere.ca"
    ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
    defaultrouter="142.XX.XX.254"
    inetd_enable="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    nfs_reserved_port_only="YES"
    sendmail_enable="NO"
    sshd_enable="YES"
    usbd_enable="YES"
    quota_enable="YES"
    check_quotas="YES"
    firewall_enable="YES"
    firewall_script="/etc/rc.firewall"
    firewall_type="/etc/ipfw.rules"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="xl0"
    natd_flags="-config /etc/natd_rules"
    inetd_flags="-wW -a 142.XX.XX.238"
    portmap_enable="NO"
    syslogd_flags="-ss"

    --------------

    #
    # natd config (/etc/natd_config)
    #
    redirect_port tcp 192.168.200.13:22 22

    --------------

    #
    # my ipfw.rules (additional to rc.firewall defaults)
    #
    #make sure natd gets a hold of the packets prior to FIREWALL
    add 00320 divert natd all from any to any via xl0
    #
    #
    # from man 8 ipfw: allow only outbound TCP connections I've created
    add 00350 check-state
    add 00351 deny tcp from any to any in established
    add 00352 allow tcp from any to any out setup keep-state
    #
    #
    #allow DNS
    add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
    add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
    add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
    add 00403 allow udp from any to any out
    #
    #allow some ICMP types (codes not supported)
    ## allow path-mtu in both directions
    add 00600 allow icmp from any to any icmptypes 3
    ## allow source quench in and out
    add 00601 allow icmp from any to any icmptypes 4
    ## allow me to ping out and receive response back
    add 00602 allow icmp from any to any icmptypes 8 out
    add 00603 allow icmp from any to any icmptypes 0 in
    ## allow me to traceroute
    #
    # when I traceroute, I send out UDP packets (rule 00403)
    #
    add 00604 allow icmp from any to any icmptypes 11 in
    #
    #
    # enable www server on dagobah (142.XX.XX.238)
    add 00700 allow tcp from any to any 80 in via xl0
    add 00701 allow tcp from any to any 80 out via xl0
    #
    #
    # enable ssh server on dagobah (142.XX.XX.238)
    add 00702 allow tcp from any to any 777 in via xl0
    add 00703 allow tcp from any to any 777 out via xl0
    #
    #
    # enable ssh server on darkside (142.XX.XX.238)
    add 00704 allow tcp from any to any 22 in via xl0
    add 00705 allow tcp from any to any 22 out via xl0

    --------------

    OUTPUT OF THE IPFW SHOW command

    00100 0 0 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00320 171 34652 divert 8668 ip from any to any via xl0
    00350 0 0 check-state
    00351 0 0 deny tcp from any to any in established
    00352 78 8668 allow tcp from any to any keep-state out setup
    00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
    00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
    00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
    00403 2 120 allow udp from any to any out
    00600 0 0 allow icmp from any to any icmptype 3
    00601 0 0 allow icmp from any to any icmptype 4
    00602 0 0 allow icmp from any to any out icmptype 8
    00603 0 0 allow icmp from any to any in icmptype 0
    00604 0 0 allow icmp from any to any in icmptype 11
    00700 3 144 allow tcp from any to any 80 in recv xl0
    00701 0 0 allow tcp from any to any 80 out xmit xl0
    00702 0 0 allow tcp from any to any 777 in recv xl0
    00703 0 0 allow tcp from any to any 777 out xmit xl0
    00704 0 0 allow tcp from any to any 22 in recv xl0
    00705 0 0 allow tcp from any to any 22 out xmit xl0
    65535 86 25238 deny ip from any to any

    __
    grimm


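    The counters in the IPFW SHOW output above already tell most of the story, and a few lines of awk pull it out. This is an added example, not something posted in the thread: the sample text is a constructed copy of the counter lines from the post, and the three functions report how many packets fell through to the default deny, which allow rules never matched anything, and which TCP service ports counted inbound packets while the outbound rule written for the same port stayed at zero (here port 80: requests arrive, but the replies are not leaving through rule 701).

```shell
#!/bin/sh
# Added example: read "ipfw show" counters and flag what they reveal.
# SAMPLE_IPFW_SHOW is a constructed copy of the counter lines from the post.
# Every function takes the text as its argument, so live output works too:
#   ipfw_unanswered_services "$(ipfw show)"

SAMPLE_IPFW_SHOW='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00320 171 34652 divert 8668 ip from any to any via xl0
00350 0 0 check-state
00351 0 0 deny tcp from any to any in established
00352 78 8668 allow tcp from any to any keep-state out setup
00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
00403 2 120 allow udp from any to any out
00600 0 0 allow icmp from any to any icmptype 3
00601 0 0 allow icmp from any to any icmptype 4
00602 0 0 allow icmp from any to any out icmptype 8
00603 0 0 allow icmp from any to any in icmptype 0
00604 0 0 allow icmp from any to any in icmptype 11
00700 3 144 allow tcp from any to any 80 in recv xl0
00701 0 0 allow tcp from any to any 80 out xmit xl0
00702 0 0 allow tcp from any to any 777 in recv xl0
00703 0 0 allow tcp from any to any 777 out xmit xl0
00704 0 0 allow tcp from any to any 22 in recv xl0
00705 0 0 allow tcp from any to any 22 out xmit xl0
65535 86 25238 deny ip from any to any'

# Packets that reached the implicit default deny, rule 65535.
# Fields: $1 rule number, $2 packet count, $3 byte count, $4 action.
ipfw_default_deny_count() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2 }'
}

# Allow rules whose packet counter is still zero. Zeros on rules that are
# supposed to carry traffic are the first thing to look at.
ipfw_idle_rules() {
    printf '%s\n' "$1" | awk '$4 == "allow" && $2 + 0 == 0 { print $1 }'
}

# TCP service ports where the inbound rule counted packets but the outbound
# rule for the same port stayed at zero: requests get in, replies do not
# leave through the rule meant for them and fall through to the default deny.
# For "allow tcp from any to any PORT in|out ..." the port is $10 and the
# direction is $11; rules with keep-state in $10 are skipped by the regex.
ipfw_unanswered_services() {
    printf '%s\n' "$1" | awk '
        $4 == "allow" && $5 == "tcp" && $10 ~ /^[0-9]+$/ {
            if ($11 == "in")  in_pkts[$10]  = $2
            if ($11 == "out") out_pkts[$10] = $2
        }
        END {
            for (p in in_pkts)
                if (in_pkts[p] > 0 && out_pkts[p] + 0 == 0) print p
        }' | sort -n
}

# Stand-alone run: summarize the sample.
ipfw_report() {
    echo "packets hitting the default deny: $(ipfw_default_deny_count "$1")"
    echo "allow rules that never matched:   $(ipfw_idle_rules "$1" | tr '\n' ' ')"
    echo "services whose replies never left: $(ipfw_unanswered_services "$1" | tr '\n' ' ')"
}

ipfw_report "$SAMPLE_IPFW_SHOW"
```

    On the posted counters this reports 86 packets on the default deny, thirteen allow rules that never fired, and port 80 as the one service that is being asked but never answered. That is the pattern to look for whenever an inbound service rule counts up while everything around it stays at zero.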

     
    From: Crist J. Clark (crist.clarkattbi.com)
    Date: Sun Jun 16 2002 - 15:59:03 CDT


    On Sun, Jun 16, 2002 at 01:42:01PM -0400, grimm wrote:
    [snip]

    > #
    > # my ipfw.rules (additional to rc.firewall defaults)
    > #
    > #make sure natd gets a hold of the packets prior to FIREWALL
    > add 00320 divert natd all from any to any via xl0
    > #
    > #
    > # from man 8 ipfw: allow only outbound TCP connections I've created
    > add 00350 check-state
    > add 00351 deny tcp from any to any in established
    > add 00352 allow tcp from any to any out setup keep-state

    [snip]

    > # enable www server on dagobah (142.XX.XX.238)
    > add 00700 allow tcp from any to any 80 in via xl0
    > add 00701 allow tcp from any to any 80 out via xl0
    > #
    > #
    > # enable ssh server on dagobah (142.XX.XX.238)
    > add 00702 allow tcp from any to any 777 in via xl0
    > add 00703 allow tcp from any to any 777 out via xl0
    > #
    > #
    > # enable ssh server on darkside (142.XX.XX.238)
    > add 00704 allow tcp from any to any 22 in via xl0
    > add 00705 allow tcp from any to any 22 out via xl0

    OK, some problems here. First, ITYM to have rules like,

      add allow tcp from any to me 80 in via xl0
      add allow tcp from me 80 to any out via xl0

    No? Second, these won't work since you are blocking all TCP
    connections that are not using 'keep-state' with rule 351.

    But...

    > 00100 0 0 allow ip from any to any via lo0
    > 00200 0 0 deny ip from any to 127.0.0.0/8
    > 00300 0 0 deny ip from 127.0.0.0/8 to any
    > 00320 171 34652 divert 8668 ip from any to any via xl0
    > 00350 0 0 check-state
    > 00351 0 0 deny tcp from any to any in established

    I don't see this rule incrementing.

    > 00352 78 8668 allow tcp from any to any keep-state out setup
    > 00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
    > 00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
    > 00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
    > 00403 2 120 allow udp from any to any out
    > 00600 0 0 allow icmp from any to any icmptype 3
    > 00601 0 0 allow icmp from any to any icmptype 4
    > 00602 0 0 allow icmp from any to any out icmptype 8
    > 00603 0 0 allow icmp from any to any in icmptype 0
    > 00604 0 0 allow icmp from any to any in icmptype 11
    > 00700 3 144 allow tcp from any to any 80 in recv xl0
    > 00701 0 0 allow tcp from any to any 80 out xmit xl0
    > 00702 0 0 allow tcp from any to any 777 in recv xl0
    > 00703 0 0 allow tcp from any to any 777 out xmit xl0
    > 00704 0 0 allow tcp from any to any 22 in recv xl0
    > 00705 0 0 allow tcp from any to any 22 out xmit xl0
    > 65535 86 25238 deny ip from any to any

    Always a good idea to add a,

      65534 deny log ip from any to any

    Or something like it to help debugging.

    -- 
    Crist J. Clark                     |     cjclarkalum.mit.edu
                                       |     cjclarkjhu.edu
    http://people.freebsd.org/~cjc/    |     cjcfreebsd.org
    


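    The two points above, addressing the host's own services with me and logging what falls through just ahead of 65535, fit together in the add ... file format that the firewall_type line in the posted rc.conf points at. The following is an added example, not a ruleset from the thread. It assumes, as in the post, that rule 320 hands every packet on the outside interface to natd before the remaining rules run, so an inbound ssh packet that natd has redirected already carries the jail's address when rule 704 sees it. It uses the plain setup/established pattern rather than keep-state, so the divert and the dynamic state table cannot disagree about which addresses a connection has. The jail address is the one from the post; the resolver address is a placeholder argument.

```shell
#!/bin/sh
# Added example, not a ruleset from the thread. Emits an ipfw rules file in
# the "add NNNNN ..." format that rc.conf's firewall_type names. Assumes
# natd is running on $iface and that rule 320 diverts every packet on that
# interface through it before the later rules see the packet.

gen_ipfw_rules() {
    iface=$1      # outside interface, e.g. xl0
    jail_ip=$2    # jail alias that natd redirects port 22 to
    resolver=$3   # the one DNS server we accept answers from (placeholder)
    cat <<EOF
# loopback and anti-spoofing, as in the rc.firewall defaults
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# natd first: inbound packets are untranslated here, outbound ones translated
add 00320 divert natd ip from any to any via $iface
# services on the host: "me" is every address configured on this box
add 00700 allow tcp from any to me 80 in via $iface setup
add 00702 allow tcp from any to me 777 in via $iface setup
# ssh that natd has already redirected to the jail's address
add 00704 allow tcp from any to $jail_ip 22 in via $iface setup
# replies for the connections above and for connections we opened ourselves
add 00800 allow tcp from any to any established
# connections opened from the host or from the jail
add 00810 allow tcp from any to any out via $iface setup
# DNS: answers only from our resolver, queries only to it
add 00900 allow udp from $resolver 53 to me in via $iface
add 00901 allow udp from me to $resolver 53 out via $iface
# ICMP: path-MTU and TTL-exceeded in, our pings out and their replies in
add 01000 allow icmp from any to any icmptypes 3,11 in
add 01001 allow icmp from any to any icmptypes 8 out
add 01002 allow icmp from any to any icmptypes 0 in
# log whatever falls through, just ahead of the silent default deny
add 65534 deny log ip from any to any
EOF
}

# Sanity checks before installing the file: rule numbers strictly ascending
# (ipfw evaluates in numeric order, not file order) and a logging deny
# present somewhere below 65535. Reads the rules file on stdin.
check_ipfw_rules() {
    awk '
        $1 != "add" { next }
        $2 + 0 <= prev { bad = 1 }
        { prev = $2 + 0 }
        $3 == "deny" && $4 == "log" && $2 + 0 < 65535 { logged = 1 }
        END { exit (bad || !logged) }'
}

# Stand-alone run with the post's jail address and a placeholder resolver.
gen_ipfw_rules xl0 192.168.200.13 142.0.0.1 | check_ipfw_rules \
    && echo "ruleset passes sanity checks"
```

    Write the output to the file that firewall_type names and reload the firewall; the deny log line then makes ipfw report in the system log exactly which packet was dropped, instead of leaving a growing counter on 65535 as the only clue. The price of allow established is that any ACK-flagged packet reaches the stack; a stateful ruleset closes that gap, but then the divert has to be ordered around the state table rather than simply placed first.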

     
    From: Bernhard Schmidt (bernibirkenwald.de)
    Date: Sun Jun 16 2002 - 16:55:39 CDT


    Warning, this is quite long. I don't know whether there is a better
    group for IPsec related things, if so please drop me a note.

    I just tried to establish a secure connection with IPsec between my
    router at home and my machine at work.

    The machine at home (heimdall) is running FBSD 4.6-RELEASE, the other
    one (lupus) is running FBSD 4.5-RELEASE-p4. Both have IPSEC, IPSEC_ESP
    and IPSEC_DEBUG integrated in the kernel.

    The structure of the network is as follows:

    At home:

    Windows ---+
               | +----------+
    Linux ---+----------------+ heimdall +------- (some routers) ------->
               | +----------+
    FreeBSD ---+ 195.143.230.217/29 195.143.230.215/32 (alias)

                     +-------+
    <----------------+ lupus |
                     +-------+
         195.143.155.4/32

    At the moment I'm trying to encrypt/authenticate the data, when there is
    a connection between frigg (a not-ipsec aware linux box in my /29 above)
    and lupus. As far as I have understood the documentation, I need the
    tunnel mode in this case.

    My current approach looks like the following. I generated my spi
    definitions into a file and copy&pasted them into "setkey -c" on both
    sides.

    add 195.143.230.215 195.143.155.4 esp 1000 -m tunnel -E rijndael-cbc
       "1234567890123456" -A hmac-sha1 "12345678901234567890" ;
    add 195.143.155.4 195.143.230.215 esp 2000 -m tunnel -E rijndael-cbc
       "2345678901234567" -A hmac-sha1 "23456789012345678901" ;

    then I created my SPDs by adding

    spdadd 195.143.230.220/32 195.143.155.4/32 any -P out ipsec
       esp/tunnel/195.143.230.215-195.143.155.4/require ;

    on heimdall and

    spdadd 195.143.155.4/32 195.143.230.220/32 any -P out ipsec
       esp/tunnel/195.143.155.4-195.143.230.215/require ;

    on lupus. When I ping/telnet lupus from frigg and vice versa I can see
    ESP packets in tcpdump with the correct spi. But nothing more happens.
    lupus does not react on anything it receives with ESP and heimdall does
    not forward the (now unencrypted) packet to its second ethernet device.
    net.inet.ipsec.debug is set to "1" and I'm logging *.* to my server, but
    nothing shows up in the logfile (yes, syslog is set up correctly).

    Any ideas what could be missing/wrong? Any help appreciated, I'm
    probably just too blind to see the obvious solution.

    -- 
       bye bye
         Bernhard
    


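    The thread does not get to the bottom of this, but one thing visible in the posted configuration is that each gateway carries only a -P out policy, while the conventional setkey configuration for a tunnel gateway carries a mirrored -P in policy as well, and both ends must load identical SA lines. Below is an added example, not Bernhard's configuration, that generates the setkey input for either end from one set of definitions, so the two files cannot drift apart in SPI, algorithm or key. The addresses are those from the post (frigg's /32 as Bernhard used it); the keys are constructed placeholders and are marked as such.

```shell
#!/bin/sh
# Added example, not configuration from the thread: emit the setkey(8) input
# for one end of a manually keyed ESP tunnel between two gateways. Both ends
# must load identical SA "add" lines; only the SPD differs by direction.
# Keys below are constructed placeholders, NOT for real use. Replace with
#   openssl rand -hex 16   (rijndael-cbc, 128-bit key)
#   openssl rand -hex 20   (hmac-sha1)

# Gateway addresses and the networks behind them (values from the post).
GW_HOME=195.143.230.215      # heimdall
GW_WORK=195.143.155.4        # lupus
NET_HOME=195.143.230.220/32  # frigg, behind heimdall
NET_WORK=195.143.155.4/32    # lupus itself

# Constructed placeholder keys.
ENC_HOME_TO_WORK=0x00112233445566778899aabbccddeeff
AUTH_HOME_TO_WORK=0x0123456789abcdef0123456789abcdef01234567
ENC_WORK_TO_HOME=0xffeeddccbbaa99887766554433221100
AUTH_WORK_TO_HOME=0x76543210fedcba9876543210fedcba9876543210

# Shared SA block: one SA per direction, byte-for-byte the same on both gateways.
setkey_sas() {
    cat <<EOF
add $GW_HOME $GW_WORK esp 1000 -m tunnel -E rijndael-cbc $ENC_HOME_TO_WORK -A hmac-sha1 $AUTH_HOME_TO_WORK ;
add $GW_WORK $GW_HOME esp 2000 -m tunnel -E rijndael-cbc $ENC_WORK_TO_HOME -A hmac-sha1 $AUTH_WORK_TO_HOME ;
EOF
}

# Policy block for one side, "home" or "work": an out policy for the traffic
# this gateway tunnels and an in policy for what it expects back.
setkey_policies() {
    case $1 in
        home) me=$GW_HOME peer=$GW_WORK my_net=$NET_HOME peer_net=$NET_WORK ;;
        work) me=$GW_WORK peer=$GW_HOME my_net=$NET_WORK peer_net=$NET_HOME ;;
        *) echo "usage: setkey_policies home|work" >&2; return 1 ;;
    esac
    cat <<EOF
spdadd $my_net $peer_net any -P out ipsec esp/tunnel/$me-$peer/require ;
spdadd $peer_net $my_net any -P in ipsec esp/tunnel/$peer-$me/require ;
EOF
}

# Complete file for one gateway, to be loaded with "setkey -f".
setkey_conf() {
    echo "flush;"
    echo "spdflush;"
    setkey_sas
    setkey_policies "$1"
}

# Cross-check: the two generated files agree on every SA line.
sas_match() {
    [ "$(setkey_conf home | grep '^add ')" = "$(setkey_conf work | grep '^add ')" ]
}

# Stand-alone run: show heimdall's file and confirm the SAs match lupus's.
setkey_conf home
sas_match && echo "SA definitions identical on both ends"
```

    Load the home file on heimdall and the work file on lupus with setkey -f; afterwards setkey -D and setkey -DP show the SAs and policies that actually took effect, which is the first thing to compare when ESP is seen on the wire but nothing comes out the other side. Manual keys never rotate, so this shape is for confirming that SAs and policies line up; a tunnel meant to stay up should have an IKE daemon negotiating the SAs.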

     
    From: Doug Barton (DougBFreeBSD.org)
    Date: Sun Jun 16 2002 - 17:11:28 CDT


    Bernhard Schmidt wrote:
    >
    > Warning, this is quite long. I don't know whether there is a better
    > group for IPsec related things, if so please drop me a note.

    "I can't get this to work" questions are never appropriate for
    -security. If in doubt, you should first try your question on
    freebsd-questions. Then someone might suggest a more appropriate group
    if you don't get a useful response.

    Good luck,

    Doug

    -- 
       "We have known freedom's price. We have shown freedom's power.
          And in this great conflict, ...  we will see freedom's victory."
    	- George W. Bush, President of the United States
              State of the Union, January 28, 2002
    




     
    From: Bernhard Schmidt (bernibirkenwald.de)
    Date: Sun Jun 16 2002 - 17:15:24 CDT


    On Sun, Jun 16, 2002 at 03:11:28PM -0700, Doug Barton wrote:

    > > Warning, this is quite long. I don't know whether there is a better
    > > group for IPsec related things, if so please drop me a note.
    > "I can't get this to work" questions are never appropriate for
    > -security. If in doubt, you should first try your question on
    > freebsd-questions. Then someone might suggest a more appropriate group
    > if you don't get a useful response.

    Oh thanks, overlooked the most obvious mailinglist. :-\

    -- 
       bye bye
         Bernhard
    



     
    From: javor.evstatievblue-c.com
    Date: Sun Jun 16 2002 - 18:01:31 CDT


    I will be out of the office starting 14.06.2002 and will not return until
    09.09.2002.

    I will respond to your message when I return.



     
    From: Nielsen (nielsenmemberwebs.com)
    Date: Sun Jun 16 2002 - 19:37:24 CDT


    Hmmm, first of all (and maybe you've done this) you need to alias the jail's
    IP on your network card. Secondly make sure that "net.inet.ip.fw.one_pass" is
    set to 1 (the default). Otherwise diverted packets will continue down the
    firewall after the divert rule.

    Lastly, I would check that the packets are in fact getting NAT'd in. It may
    be the out that's the problem. I think in addition to the redirect_tcp you
    also have to do a proper NAT thing. In my understanding, redirections open
    holes to let stuff in, but for the packets to get back out proper NATting is
    required. OTOH, most of my experience is with ipnat, so I'm not sure here.

    Nate

    ----- Original Message -----
    From: "grimm" <grimmplanetquake.com>
    To: <freebsd-securityfreebsd.org>
    Sent: Sunday, June 16, 2002 11:42
    Subject: ipfw-ntad-jail

    > Greetings,
    >
    > Ok, so I set up IPFW and NATd on my FreeBSD 4.5-RELEASE box,
    > where I configured a jail environment. Here are some details for
    > first time readers:
    >
    > I have a host computer called dagobah, which
    > runs a virtual system in a jailed environment, called
    > darkside. This system is running FreeBSD 4.5-RELEASE.
    >
    > host (dagobah) xl0 IP 143.XX.XX.238
    > jail (darkside) IP alias to xl0 (192.168.200.13)
    >
    > What had happened is that once I setup IPFW, I could no
    > longer connect (DNS lookup failure was causing huge delay
    > on connect) to my jail (darkside).
    >
    > My other problem was making it possible to connect to
    > these services from the outside world:
    >
    > host (dagobah)
    > allow ftp (port 21)
    > allow www (port 80)
    > allow ssh (port 777)
    >
    > jail (darkside)
    > allow ssh (port 22)
    >
    > with natd forwarding all requests dagobah received on port 22
    > to the jail's sshd.
    >
    > Everything else should be blocked.
    >
    > =========== question =====================================
    >
    > My DNS lookup problem with IPFW running is now solved, internally
    > I can connect to my jail without any problem.
    >
    > However, I can't connect from the outside world to my host (dagobah).
    > I have tried to view the web page, as well as telnet and both
    > don't connect. Although I do see in the IPFW SHOW output that
    > some stuff seems to be reaching my port 80.
    >
    > I would really appreciate it if someone could look at my configs
    > and point out my mistake. I have pretty much just learned how to
    > do this stuff, and I may have missed something obvious!
    >
    > --------------
    >
    > # rc.conf
    > #
    > hostname="dagobah.somewhere.ca"
    > ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
    > defaultrouter="142.XX.XX.254"
    > inetd_enable="YES"
    > kern_securelevel_enable="NO"
    > linux_enable="YES"
    > moused_enable="YES"
    > nfs_reserved_port_only="YES"
    > sendmail_enable="NO"
    > sshd_enable="YES"
    > usbd_enable="YES"
    > quota_enable="YES"
    > check_quotas="YES"
    > firewall_enable="YES"
    > firewall_script="/etc/rc.firewall"
    > firewall_type="/etc/ipfw.rules"
    > gateway_enable="YES"
    > natd_enable="YES"
    > natd_interface="xl0"
    > natd_flags="-config /etc/natd_rules"
    > inetd_flags="-wW -a 142.XX.XX.238"
    > portmap_enable="NO"
    > syslogd_flags="-ss"
    >
    >
    > --------------
    >
    > #
    > # natd config (/etc/natd_config)
    > #
    > redirect_port tcp 192.168.200.13:22 22
    >
    >
    > --------------
    >
    > #
    > # my ipfw.rules (additional to rc.firewall defaults)
    > #
    > #make sure natd gets a hold of the packets prior to FIREWALL
    > add 00320 divert natd all from any to any via xl0
    > #
    > #
    > # from man 8 ipfw: allow only outbound TCP connections I've created
    > add 00350 check-state
    > add 00351 deny tcp from any to any in established
    > add 00352 allow tcp from any to any out setup keep-state
    > #
    > #
    > #allow DNS
    > add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
    > add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
    > add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
    > add 00403 allow udp from any to any out
    > #
    > #allow some ICMP types (codes not supported)
    > ## allow path-mtu in both directions
    > add 00600 allow icmp from any to any icmptypes 3
    > ## allow source quench in and out
    > add 00601 allow icmp from any to any icmptypes 4
    > ## allow me to ping out and receive response back
    > add 00602 allow icmp from any to any icmptypes 8 out
    > add 00603 allow icmp from any to any icmptypes 0 in
    > ## allow me to traceroute
    > #
    > # when I traceroute, I send out UDP packets (rule 00403)
    > #
    > add 00604 allow icmp from any to any icmptypes 11 in
    > #
    > #
    > # enable www server on dagobah (142.XX.XX.238)
    > add 00700 allow tcp from any to any 80 in via xl0
    > add 00701 allow tcp from any to any 80 out via xl0
    > #
    > #
    > # enable ssh server on dagobah (142.XX.XX.238)
    > add 00702 allow tcp from any to any 777 in via xl0
    > add 00703 allow tcp from any to any 777 out via xl0
    > #
    > #
    > # enable ssh server on darkside (142.XX.XX.238)
    > add 00704 allow tcp from any to any 22 in via xl0
    > add 00705 allow tcp from any to any 22 out via xl0
    >
    >
    > --------------
    >
    > OUTPUT OF THE IPFW SHOW command
    >
    > 00100 0 0 allow ip from any to any via lo0
    > 00200 0 0 deny ip from any to 127.0.0.0/8
    > 00300 0 0 deny ip from 127.0.0.0/8 to any
    > 00320 171 34652 divert 8668 ip from any to any via xl0
    > 00350 0 0 check-state
    > 00351 0 0 deny tcp from any to any in established
    > 00352 78 8668 allow tcp from any to any keep-state out setup
    > 00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
    > 00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
    > 00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
    > 00403 2 120 allow udp from any to any out
    > 00600 0 0 allow icmp from any to any icmptype 3
    > 00601 0 0 allow icmp from any to any icmptype 4
    > 00602 0 0 allow icmp from any to any out icmptype 8
    > 00603 0 0 allow icmp from any to any in icmptype 0
    > 00604 0 0 allow icmp from any to any in icmptype 11
    > 00700 3 144 allow tcp from any to any 80 in recv xl0
    > 00701 0 0 allow tcp from any to any 80 out xmit xl0
    > 00702 0 0 allow tcp from any to any 777 in recv xl0
    > 00703 0 0 allow tcp from any to any 777 out xmit xl0
    > 00704 0 0 allow tcp from any to any 22 in recv xl0
    > 00705 0 0 allow tcp from any to any 22 out xmit xl0
    > 65535 86 25238 deny ip from any to any
    >
    > __
    > grimm
    >
    >



     
    From: grimm (grimmplanetquake.com)
    Date: Sun Jun 16 2002 - 21:34:29 CDT


    Greetings Crist,

            What I find odd is that I read that section of
    my rules from a tutorial on the o'reilly site. I read
    through a bunch of tutors and help pages and never saw
    the keyword "me" being used. But I will definitely give
    it a try.

            Like I said, I read that 351 rule directly from
    a tutorial. The problem I am having is that I don't have
    the machine at home, and sending messages to the list from
    work wasn't working!

            I am so glad to have gotten so much feedback already!
    I am new to this, but what can you suggest I do.

            Are there some rules in there you think are trouble
    and I should edit or comment out and test with something else?
    I mean, so far I've gotten great help, but no one has mentioned
    a specific rule which is WRONG! so I am not really sure where
    to begin. I'll take your advice and see where that leads.

            As for the logging, great idea! I'll also enable log_in_vain.

            cheers,

            __
            Andrew
            
    "Crist J. Clark" <crist.clarkattbi.com> wrote:
    > OK, some problems here. First, ITYM to have rules like,
    >
    > add allow tcp from any to me 80 in via xl0
    > add allow tcp from me 80 to any out via xl0
    >
    > No? Second, these won't work since you are blocking all TCP
    > connections that are not using 'keep-state' with rule 351.

    >>> add 00350 check-state
    >>> add 00351 deny tcp from any to any in established
    >>> add 00352 allow tcp from any to any out setup keep-state

    > But...
    > Always a good idea to add a,
    >
    > 65534 deny log ip from any to any
    >
    > Or something like it to help debugging.



     
    From: grimm (grimmplanetquake.com)
    Date: Sun Jun 16 2002 - 21:44:40 CDT


    Greetings Nielsen,

    On Sun, 16 Jun 2002 17:35:53 -0700
    "Nielsen" <nielsenmemberwebs.com> wrote:

    > Hmmm, first of all (and maybe you've done this) you need to alias the
    > jail's ip on your network card.

            Yes, I have aliased the ip to the network card
            with ipconfig.

    >Secondly make sure that
    > "net.inet.ip.fw.one_pass" is set to 1 (the default). Otherwise
    > diverted packets will continue down the firewall after the divert
    > rule.

            It's on my list of things to do. That could definitely be
    a huge problem, if the diverted packets were then being chewed up
    by a firewall rule.

     
    > Lastly, I would check that the packets are in fact getting NAT'd in.
    > It may be the out that's the problem.

            How do I check that?

    > I think in addition to the
    > redirect_tcp you also have to do a proper NAT thing. In my
    > understanding, redirections open holes to let stuff in, but for the
    > packets to get back out proper Natting is required. OTOH, most of my
    > experience is with ipnat, so I'm not sure here.

            I am not sure if there is a proper nat thing required, cause
    from within the machine, I can ssh and telnet to the jail no problem.
    Do you think, given that it works from within, that it could still be
    a problem?

            I am trying right now, just to figure out why my web server,
    and ssh on the host (dagobah) aren't responding. It seems like there
    is something fundamentally wrong with my firewall rules.

            No one has been able to pinpoint an exact major problem that
    could cause this. I think once I fix that, I could then concentrate
    on the jail issue. But right now, the simplest thing isn't working!

            cheers,

            __
            Andrew

    > ----- Original Message -----
    > From: "grimm" <grimmplanetquake.com>
    > To: <freebsd-securityfreebsd.org>
    > Sent: Sunday, June 16, 2002 11:42
    > Subject: ipfw-ntad-jail
    >
    >
    > > Greetings,
    > >
    > > Ok, so I setup IPFW and NATd on my freeBSD 4.5-RELEASE box,
    > > where I configured a jail environment. Here are some details for
    > > first time readers:
    > >
    > > I have a host computer called dagobah, which
    > > runs a virtual system in a jailed environment, called
    > > darkside. This system is running FreeBSD 4.5-RELEASE.
    > >
    > > host (dagobah) xl0 IP 143.XX.XX.238
    > > jail (darkside) IP alias to xl0 (192.168.200.13)
    > >
    > > What had happened is that once I setup IPFW, I could no
    > > longer connect (DNS lookup failure was causing huge delay
    > > on connect) to my jail (darkside).
    > >
    > > My other problem was making it possible to connect to
    > > these services from the outside world:
    > >
    > > host (dagobah)
    > > allow ftp (port 21)
    > > allow www (port 80)
    > > allow ssh (port 777)
    > >
    > > jail (darkside)
    > > allow ssh (port 22)
    > >
    > > with natd forwarding all requests dagobah received on port 22
    > > to the jail's sshd.
    > >
    > > Everything else should be blocked.
    > >
    > > =========== question =====================================
    > >
    > > My DNS lookup problem with IPFW running is now solved, internally
    > > I can connect to my jail without any problem.
    > >
    > > However, I can't connect from the outside world to my host
    > > (dagobah). I have tried to view the web page, as well as telnet and
    > > both don't connect. Although I do see in the IPFW SHOW output that
    > > some stuff seems to be reaching my port 80.
    > >
    > > I would really appreciate it if someone could look at my configs
    > > and point out my mistake. I have pretty much just learned how to
    > > do this stuff, and I may have missed something obvious!
    > >
    > > --------------
    > >
    > > # rc.conf
    > > #
    > > hostname="dagobah.somewhere.ca"
    > > ifconfig_xl0="inet 142.XX.XX.238 netmask 255.255.255.0"
    > > defaultrouter="142.XX.XX.254"
    > > inetd_enable="YES"
    > > kern_securelevel_enable="NO"
    > > linux_enable="YES"
    > > moused_enable="YES"
    > > nfs_reserved_port_only="YES"
    > > sendmail_enable="NO"
    > > sshd_enable="YES"
    > > usbd_enable="YES"
    > > quota_enable="YES"
    > > check_quotas="YES"
    > > firewall_enable="YES"
    > > firewall_script="/etc/rc.firewall"
    > > firewall_type="/etc/ipfw.rules"
    > > gateway_enable="YES"
    > > natd_enable="YES"
    > > natd_interface="xl0"
    > > natd_flags="-config /etc/natd_rules"
    > > inetd_flags="-wW -a 142.XX.XX.238"
    > > portmap_enable="NO"
    > > syslogd_flags="-ss"
    > >
    > >
    > > --------------
    > >
    > > #
    > > # natd config (/etc/natd_config)
    > > #
    > > redirect_port tcp 192.168.200.13:22 22
    > >
    > >
    > > --------------
    > >
    > > #
    > > # my ipfw.rules (additional to rc.firewall defaults)
    > > #
    > > #make sure natd gets a hold of the packets prior to FIREWALL
    > > add 00320 divert natd all from any to any via xl0
    > > #
    > > #
    > > # from man 8 ipfw: allow only outbound TCP connections I've created
    > > add 00350 check-state
    > > add 00351 deny tcp from any to any in established
    > > add 00352 allow tcp from any to any out setup keep-state
    > > #
    > > #
    > > #allow DNS
    > > add 00400 allow udp from 142.XX.XX.1 to any in recv xl0
    > > add 00401 allow udp from 142.XX.XX.2 to any in recv xl0
    > > add 00402 allow udp from 142.XX.XX.3 to any in recv xl0
    > > add 00403 allow udp from any to any out
    > > #
    > > #allow some ICMP types (codes not supported)
    > > ## allow path-mtu in both directions
    > > add 00600 allow icmp from any to any icmptypes 3
    > > ## allow source quench in and out
    > > add 00601 allow icmp from any to any icmptypes 4
    > > ## allow me to ping out and receive response back
    > > add 00602 allow icmp from any to any icmptypes 8 out
    > > add 00603 allow icmp from any to any icmptypes 0 in
    > > ## allow me to traceroute
    > > #
    > > # when I traceroute, I send out UDP packets (rule 00403)
    > > #
    > > add 00604 allow icmp from any to any icmptypes 11 in
    > > #
    > > #
    > > # enable www server on dagobah (142.XX.XX.238)
    > > add 00700 allow tcp from any to any 80 in via xl0
    > > add 00701 allow tcp from any to any 80 out via xl0
    > > #
    > > #
    > > # enable ssh server on dagobah (142.XX.XX.238)
    > > add 00702 allow tcp from any to any 777 in via xl0
    > > add 00703 allow tcp from any to any 777 out via xl0
    > > #
    > > #
    > > # enable ssh server on darkside (142.XX.XX.238)
    > > add 00704 allow tcp from any to any 22 in via xl0
    > > add 00705 allow tcp from any to any 22 out via xl0
    > >
    > >
    > > --------------
    > >
    > > OUTPUT OF THE IPFW SHOW command
    > >
    > > 00100 0 0 allow ip from any to any via lo0
    > > 00200 0 0 deny ip from any to 127.0.0.0/8
    > > 00300 0 0 deny ip from 127.0.0.0/8 to any
    > > 00320 171 34652 divert 8668 ip from any to any via xl0
    > > 00350 0 0 check-state
    > > 00351 0 0 deny tcp from any to any in established
    > > 00352 78 8668 allow tcp from any to any keep-state out setup
    > > 00400 2 482 allow udp from 142.XX.XX.1 to any in recv xl0
    > > 00401 0 0 allow udp from 142.XX.XX.2 to any in recv xl0
    > > 00402 0 0 allow udp from 142.XX.XX.3 to any in recv xl0
    > > 00403 2 120 allow udp from any to any out
    > > 00600 0 0 allow icmp from any to any icmptype 3
    > > 00601 0 0 allow icmp from any to any icmptype 4
    > > 00602 0 0 allow icmp from any to any out icmptype 8
    > > 00603 0 0 allow icmp from any to any in icmptype 0
    > > 00604 0 0 allow icmp from any to any in icmptype 11
    > > 00700 3 144 allow tcp from any to any 80 in recv xl0
    > > 00701 0 0 allow tcp from any to any 80 out xmit xl0
    > > 00702 0 0 allow tcp from any to any 777 in recv xl0
    > > 00703 0 0 allow tcp from any to any 777 out xmit xl0
    > > 00704 0 0 allow tcp from any to any 22 in recv xl0
    > > 00705 0 0 allow tcp from any to any 22 out xmit xl0
    > > 65535 86 25238 deny ip from any to any
    > >
    > > __
    > > grimm
    > >
    > >
    >

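The rule walk from the reply further up (rule 701 matching the wrong port on the way out, and rule 351 dropping the established inbound packets) as an added Python example; this is not code from the thread, and the stateful variant at the end is my assumed remedy, not something anyone posted here:

```python
# Added example, not code from the thread: a first-match simulator for the ipfw
# rules quoted above, limited to direction, ports, 'setup', 'established' and
# check-state/keep-state.  Packets are constructed; addresses are omitted ('any').

def pkt(direction, sport, dport, syn=False, ack=False):
    """A TCP packet as ipfw sees it on xl0."""
    return {"dir": direction, "sport": sport, "dport": dport, "syn": syn, "ack": ack}

def flow_key(p):
    """(local port, remote port): both directions of a connection share it."""
    return (p["dport"], p["sport"]) if p["dir"] == "in" else (p["sport"], p["dport"])

def matches(rule, p):
    _, _, sport, dport, direction, opts = rule
    return ((sport is None or p["sport"] == sport)
            and (dport is None or p["dport"] == dport)
            and (direction is None or p["dir"] == direction)
            and ("setup" not in opts or (p["syn"] and not p["ack"]))  # SYN only
            and ("established" not in opts or p["ack"]))             # ACK (or RST) set

def evaluate(rules, p, state):
    """Return (rule number, action) of the first rule that decides p."""
    for rule in rules:
        num, action, _, _, _, opts = rule
        if action == "check-state":          # dynamic entries win over static rules
            if flow_key(p) in state:
                return state[flow_key(p)]
            continue
        if matches(rule, p):
            if "keep-state" in opts:
                state[flow_key(p)] = (num, action)
            return num, action
    return 65535, "deny"                     # ipfw's implicit default rule

def inbound_http(rules):
    """Decisions for the three-way handshake of a client reaching port 80."""
    state = {}
    handshake = [pkt("in", 40000, 80, syn=True),
                 pkt("out", 80, 40000, syn=True, ack=True),
                 pkt("in", 40000, 80, ack=True)]
    return [evaluate(rules, p, state) for p in handshake]

# Rule tuples: (number, action, src port, dst port, direction, options).
COMMON = [(350, "check-state", None, None, None, ""),
          (351, "deny", None, None, "in", "established"),
          (352, "allow", None, None, "out", "setup keep-state")]
# As posted: rule 701 matches *destination* port 80 on the way out.
POSTED = COMMON + [(700, "allow", None, 80, "in", ""), (701, "allow", None, 80, "out", "")]
# Source port 80 outbound, as the reply suggests ("from me 80 ... out").
PORT_FIXED = COMMON + [(700, "allow", None, 80, "in", ""), (701, "allow", 80, None, "out", "")]
# Assumed remedy (mine, not from the thread): rule 700 keeps state so that
# check-state admits the rest of the connection before rule 351 sees it.
STATEFUL = COMMON + [(700, "allow", None, 80, "in", "setup keep-state")]
```

With the posted rules the SYN-ACK dies at 65535 and, once the port is fixed, the client's final ACK still dies at 351, which is exactly the pattern of counters in the IPFW SHOW output above (hits on 00700, none on 00701, many on 65535).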


     
    From: FreeBSD bugmaster (bugmasterfreebsd.org)
    Date: Mon Jun 17 2002 - 13:04:15 CDT


    Current FreeBSD problem reports
    No matches to your query



     
    From: Atendimento on-line (atendimento.atendimentobol.com.br)
    Date: Wed Jun 12 2002 - 13:02:24 CDT


         Face to face with your customer in online support

          The online support system lets your customer exchange information (messages) instantly with someone from your company. Online communication with no need for any additional software or plugin, straight from your WEBSITE.

          It provides fast and effective support for your customer, with no need to wait for a reply to an e-mail or a phone call. All this at the exact moment your customer needs your help, so they do not lose interest in your product or service.

          Free trial period (15 days)

          Visit our site to learn about this work tool
          www.spinadesign.com.br/atendimentoonline

          Tel.: (11) 6865-6249 5579-2815

          email: atendimentoonlinespinadesign.com.br

          We apologize if our contact was inconvenient or is not of interest to you. Click here to be removed from our mailing list.
