Re: is iptables enough?

2003-03-20 Thread Josh Carroll
There are a couple of reasons why I use -j DROP
instead of -j REJECT. Firstly, sending responses to
packets you're dropping can be bad, given a relatively
small upstream link. In theory, one could DoS you
sufficiently with an upstream equal or slightly better
than yours. That is not to say that the would-be
attacker couldn't just find a network that could
surpass your downstream as well, just pointing out
this drawback of -j REJECT.

Secondly, while DROPping the packet doesn't make you
invisible, it does have some degree of value when
deterring people. If an attacker gets no response from
machine 1, but a tcp reject from machine 2, I'm
willing to bet they'd pursue machine 2 first. Let's
face it, if they want to find out if you're there or
running something on a port, they probably can with a
bit more effort anyway, but it might just make them
pass you by for an easier target.

In general, I don't use -j REJECT unless I'm worried
about being polite. And in most circumstances,
politeness isn't my goal ;)

Josh

--- Vineet Kumar <[EMAIL PROTECTED]> wrote:
> * Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> > Set it up to block everything and then selectively open ports until
> > everything works as desired. Depending on the applications it may be a
> > good idea to REJECT auth (identd) packets instead of dropping them -
> > some applications have long timeouts.
> 
> IMO, it's a good idea to REJECT instead of DROPping most packets.  If
> you think DROPping makes you invisible, you're deluding yourself.  I
> generally end my INPUT chain with
> 
> -p tcp -j REJECT --reject-with tcp-reset
> -p udp -j REJECT --reject-with icmp-port-unreachable
> -j REJECT --reject-with icmp-proto-unreachable
> 
> Of course, different setups have different needs, but I think this is
> pretty good for most home configurations
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> http://www.digitalconsumer.org/



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: looking for a good source to start learning about kerberos (thanx)

2003-03-20 Thread Haim Ashkenazi
that's a start. thanx

Bye
-- 
Haim






Re: howcome there's no DSA for the latest Linux ptrace hole?

2003-03-20 Thread Guille -bisho-
>Howcome I don't see a Debian security advisory about the recently-found
>ptrace hole in Linux?
>
>Is it not really a hole?  Or something?
>
>I think there should be an announcement even if the Debian kernels are
>not vulnerable, to explain that they're not.
>
>Are the Debian kernels vulnerable to this hole?

At least the 2.4.19 is vulnerable.

A quick patch is to put an invalid binary in /proc/sys/kernel/modprobe
instead of the real modprobe binary, and then you have time to compile
out your kernel without having to run... :)

-- 
bisho!  _-=] 21/03/2003 [=-
_ ^(   )   _
   (  (   )  ) \ \___,,,
  ()/ _ >-
( :: )   >==-
  '. |::| ,  >==-
\\:://  [ PACE, NOT WAR ]



Is this an obsolete tiger file?

2003-03-20 Thread Dale Amon
chkrootkit finds this file:

Searching for suspicious files and dirs, it may take a while... 
/usr/lib/tiger/bin/.bintype

which appears to be quite old. Is this just a leftover
from a long ago tiger? It only contains "Linux 2.2.17 2001"
and appears on several systems looking the same. It isn't
in the tiger.list file.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: howcome there's no DSA for the latest Linux ptrace hole?

2003-03-20 Thread Jon
On Thu, 2003-03-20 at 14:50, Tom Goulet (UID0) wrote:

> Are the Debian kernels vulnerable to this hole?
> 

This post to BugTraq by Andrzej Szombierski (who found the problem)
includes a sample exploit for x86.  You can use it to see if you are
vulnerable. 

http://www.securityfocus.com/archive/1/315635

- Jon






wted and deletion

2003-03-20 Thread Anton Bretterklieber
Dear list,

chkrootkit-0.39a gave the following output:
--snip--
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... 
eth0 is not promisc
ppp0 is not promisc
Checking `wted'... 1 deletion(s) between Thu Mar 20 18:56:20 2003 and
Thu Mar 20 23:24:49 2003
nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... 
nothing deleted
--snip--

is this a problem?
what's to do?

thank you

Anton Bretterklieber





howcome there's no DSA for the latest Linux ptrace hole?

2003-03-20 Thread Tom Goulet (UID0)
Hiya,

Howcome I don't see a Debian security advisory about the recently-found
ptrace hole in Linux?

Is it not really a hole?  Or something?

I think there should be an announcement even if the Debian kernels are
not vulnerable, to explain that they're not.

Are the Debian kernels vulnerable to this hole?

-- 
Tom Goulet  mail: [EMAIL PROTECTED]
UID0 Unix Consultingweb:  em.ca/uid0/



[cert@cert.org: Re: CORE-2003-03-04-02: Vulnerability in Mutt Mail User Agent [VU#104193]]

2003-03-20 Thread Marco d'Itri

-- 
ciao,
Marco
--- Begin Message ---
-BEGIN PGP SIGNED MESSAGE-

Hello,

Ivan Arce <[EMAIL PROTECTED]> writes:

> The attached file is a security advisory detailing
> a vulnerability in the Mutt Mail User Agent.
...

> We would like to obtain a CVE candidate number for
> this vulnerability to proceed with our notification process.

We coordinated with CVE, please use CAN-2003-140.  Our tracking number
is VU#104193.  Thanks for the heads up.


Regards,

  - Art


 Art Manion  --  CERT Coordination Center
   <[EMAIL PROTECTED]>   +1 412-268-7090
 E0 1E DF F5 FC 76 00 32  77 8F 25 F7 B0 2E 2C 27


-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPno3OmjtSoHZUTs5AQGv8wP/Z7JJdxgFfL1b/RfZmpxDf2RJ7mUc8qwD
/NWQKmiRL2G7SxiEjeseLucbxnwHoDUr36sGhK34ZzIW71viiRJt65OowbVTsz3d
D22FgmZF6Gt4pkPmSn9IXpnX9uRBCevp+YPZI7FEpIstNuy8zh4fQekXELdRqXn2
WCpGImddd84=
=OaGk
-END PGP SIGNATURE-
--- End Message ---


Fwd: Re: is iptables enough?

2003-03-20 Thread Didier Caamano
I would like to add, as the paranoid person that I am, that I wouldn't
rely only on a router. I would set up the router to be my first line of
defense, as well as to do some NAT or masquerading, and then after the router
set up iptables as my second line of defense.

But the first posting was seeking simple solutions for a simple issue;
therefore, iptables in my opinion will do well. Nevertheless, do not rely
only on iptables, and seek other options that you could add to protect
those servers even more.


Have a nice day,
Didier.




"Nothing would please me more than being able to hire ten programmers and 
deluge the hobby market with good software"...Bill Gates 1976...We're still 
waiting







From: Ian Garrison <[EMAIL PROTECTED]>
To: Keegan Quinn <[EMAIL PROTECTED]>
CC: debian-security@lists.debian.org
Subject: Re: is iptables enough?
Date: Thu, 20 Mar 2003 15:25:01 -0500 (EST)

   Definitely true, and worth mentioning.  There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment).  If the
hardware is already there (cpe with filtering capabilities, routers, etc)
then I'd advise people to consider the pros of security vs cons of
managing it.  Deciding between a spof (router/cpe and likely a couple
ethernet cables) and a firewall that is more disrespectful to unwanted
packets is a tough call for me in the workplace.  If the router/cpe can
take a beating then I might live with it and sleep a little better at
night -- though such decisions take testing and careful consideration.

   I'm too paranoid to say on this list before the masses that "iptables
is enough" in the workplace.  For others it may be enough, and that is
fine.  There is a bigger picture to be seen for those who care, and my
apologies if my response is steering this discussion further off topic
than the original poster was seeking.  I don't intend to suggest that
iptables is inferior, or that if you use iptables as your only means of
filtering you suck.

   I'll make an effort to be more on-topic in the future.  A few things
touched a nerve and I probably should have just clammed up and rolled with
them.  Something being "good enough" just grabbed me and squeezed in the
wrong places.  :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> > Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases.  However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect.  Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain.  Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.
>
>  - Keegan
>









Re: is iptables enough?

2003-03-20 Thread Vineet Kumar
* Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> [20030320 06:39 PST]:
> Set it up to block everything and then selectively open ports until
> everything works as desired. Depending on the applications it may be a
> good idea to REJECT auth (identd) packets instead of dropping them -
> some applications have long timeouts.

IMO, it's a good idea to REJECT instead of DROPping most packets.  If
you think DROPping makes you invisible, you're deluding yourself.  I
generally end my INPUT chain with

-p tcp -j REJECT --reject-with tcp-reset
-p udp -j REJECT --reject-with icmp-port-unreachable
-j REJECT --reject-with icmp-proto-unreachable

Of course, different setups have different needs, but I think this is
pretty good for most home configurations

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.digitalconsumer.org/




Re: iptables help to forward ports please

2003-03-20 Thread Vineet Kumar
* Hanasaki JiJi <[EMAIL PROTECTED]> [20030320 09:55 PST]:
> Lars Ellenberg wrote:
> >but to me it seems more appropriate to use a simple store and forward
> >smtp daemon on the firewall.
>
> what package can i research for a store/forward server?
> 
> I thought the secure way was not to run anything like that on a
> firewall?  That is why I am moving this group's exim off the firewall.

Personally, I'd do it your way:  set up a mail server independent of the
firewall, and use DNAT to send incoming traffic there.  It's not hard.
It's one less link in your mail chain to break, and it's more
transparent.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.digitalconsumer.org/






Re: is iptables enough?

2003-03-20 Thread Ian Garrison
   Definitely true, and worth mentioning.  There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment).  If the
hardware is already there (cpe with filtering capabilities, routers, etc)
then I'd advise people to consider the pros of security vs cons of
managing it.  Deciding between a spof (router/cpe and likely a couple
ethernet cables) and a firewall that is more disrespectful to unwanted
packets is a tough call for me in the workplace.  If the router/cpe can
take a beating then I might live with it and sleep a little better at
night -- though such decisions take testing and careful consideration.

   I'm too paranoid to say on this list before the masses that "iptables
is enough" in the workplace.  For others it may be enough, and that is
fine.  There is a bigger picture to be seen for those who care, and my
apologies if my response is steering this discussion further off topic
than the original poster was seeking.  I don't intend to suggest that
iptables is inferior, or that if you use iptables as your only means of
filtering you suck.

   I'll make an effort to be more on-topic in the future.  A few things
touched a nerve and I probably should have just clammed up and rolled with
them.  Something being "good enough" just grabbed me and squeezed in the
wrong places.  :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> >Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases.  However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect.  Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain.  Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.
>
>  - Keegan
>



Public Alert

2003-03-20 Thread ronkor
This is a one-time email from Ron Korkut ([EMAIL PROTECTED]) to inform you 
about the following LEGAL SCAM perpetrated under the supervision of the Attorney 
General of British Columbia. For further information please visit 
www.integriti.org and subscribe to the Integriti Newsletters (free) by emailing 
your request to [EMAIL PROTECTED]

P U B L I C   A L E R T !

ATTORNEY GENERAL - 
CORRUPTION 
- LAW SOCIETY - MEDIA

The failure of the media has been necessitated the distribution of this PUBLIC 
INFORMATION by email. The intent is to prevent harm to the public; 
therefore, obstructing the distribution of this document is tantamount to 
causing harm to the public. 

At present, a drunk driver is leading the Government of British Columbia. If 
the leader of the government has no respect for the "law", obviously, we may not 
expect any better performance from his administration. Therefore, we must be 
vigilant for their actions. Unrestrained public servants are more dangerous 
offenders than 
ordinary criminals, because we have no protection against them.
Corruption in public service is an organized crime and resisting to 
organized criminals is not a trivial undertaking for a member of the public. 
Failure to cooperate with them entails relentless systemic torture  
inflicted under the colour of law. As long as the media hide the facts from the 
public, it is a simple matter to silence the victims by provoking them into 
violence to justify their arrest or torture to induce suicide. 
Here is an example: 

I started my electrical contract business in 1994. After four years of 
successful service, Brian McHugh, Permits Officer seized and cancelled my 
contractor-ELECTRICIAN certificate without a complaint, notice and hearing. 
He claimed that I was not qualified for my LAWFULLY ISSUED ELECTRICIAN 
certificate even though I had an accredited electrical engineering degree and 
two decades of electrical work experience.
The Ministry of Attorney General defended McHugh’s action instead of settling 
the issue out of the Court. Despite, I had statutory and constitutional rights 
to a board hearing, and Brian McHugh testified that there was no board hearing,
Madam Justice Smith and Madam Justice Southin dismissed my legal 
action and appeal with costs. 
At the trial, Lisa Shendroff, who was the legal counsel for Brian McHugh, deceived 
the Court by patently stating that I had a hearing. The Executive Director of 
the Law Society, James Matkin failed to investigate her misconduct and 
compromised the honour and integrity of legal profession. In addition, as an 
employee of the Ministry of Attorney General, Lisa Shendroff jeopardized the 
credibility of the Ministry. 
Geoff Plant was comfortable with her conduct and failed to correct her wrong 
to protect his peculiar political interests. 
I launched an email publicity campaign to display the identity of the 
perpetrators of this legal scam. Therefore, the police seized my work-van and 
tools without a warrant; Geoff Plant was acquiescent to it. I was unable to work; the Ministry of Human Resources 
denied me hardship assistance (loan) even though I was qualified. VanCity sold 
my investment property without negotiating the other options of paying my 
mortgage. 
Now, Larry Koo, TD Bank's lawyer collaborating with Dale Smith of the Ministry 
of Attorney General is threatening me with the seizure and forceful sale of my 
residential property. They know that I am committed and capable of 
paying my mortgage upon the resolution of this legal scam. They are also aware of 
the fact that it is UNLAWFUL for me to consent to the unlawful seizure of my 
residential property, because it is 
an encouragement for the criminals to offend the other members of the public.
It is not necessary to have a law degree to conclude that unreasonable 
seizure of certificate of qualifications, work tools and residential property is 
UNLAWFUL and it may amount to undue torture to induce suicide. Therefore, 
the Chief Law Officer of British Columbia, Geoff Plant may not fool 
the public by playing ignorance of law, unless he spends a significant amount of 
public money to cover up his misdeeds and the media continue to support 
him.
PUBLIC ALERT: If Geoff Plant succeeds in covering up this LEGAL SCAM, you may be the next victim of the same 
public offenders who I have been torturing me since 1998. (Complete list is at
www.integriti.org)  


PLEASE CIRCULATE for your own protection.


Ron Korkut

5 – 312 Carnarvon Street 
New Westminster BC V3L 5H6

www.integriti.org, 
www.injusticebc.org
[EMAIL PROTECTED]
604 520 3684




March, 2003

















Public Alert

2003-03-20 Thread ronkor
Title: This is a one







This is a one-time email from Ron Korkut ([EMAIL PROTECTED]) to inform you 
about the following LEGAL SCAM perpetrated under the supervision of the Attorney 
General of British Columbia. For further information please visit 
www.integriti.org and subscribe to the Integriti Newsletters (free) by emailing 
your request to [EMAIL PROTECTED]

P U B L I C   A L E R T !

ATTORNEY GENERAL - 
CORRUPTION 
- LAW SOCIETY - MEDIA

The failure of the media has been necessitated the distribution of this PUBLIC 
INFORMATION by email. The intent is to prevent harm to the public; 
therefore, obstructing the distribution of this document is tantamount to 
causing harm to the public. 

At present, a drunk driver is leading the Government of British Columbia. If 
the leader of the government has no respect for the "law", obviously, we may not 
expect any better performance from his administration. Therefore, we must be 
vigilant for their actions. Unrestrained public servants are more dangerous 
offenders than 
ordinary criminals, because we have no protection against them.
Corruption in public service is an organized crime and resisting 
organized criminals is not a trivial undertaking for a member of the public. 
Failure to cooperate with them entails relentless systemic torture  
inflicted under the colour of law. As long as the media hide the facts from the 
public, it is a simple matter to silence the victims by provoking them into 
violence to justify their arrest or torture to induce suicide. 
Here is an example: 

I started my electrical contract business in 1994. After four years of 
successful service, Brian McHugh, Permits Officer seized and cancelled my 
contractor-ELECTRICIAN certificate without a complaint, notice and hearing. 
He claimed that I was not qualified for my LAWFULLY ISSUED ELECTRICIAN 
certificate even though I had an accredited electrical engineering degree and 
two decades of electrical work experience.
The Ministry of Attorney General defended McHugh’s action instead of settling 
the issue out of the Court. Although I had statutory and constitutional rights 
to a board hearing, and Brian McHugh testified that there was no board hearing,
Madam Justice Smith and Madam Justice Southin dismissed my legal 
action and appeal with costs. 
At the trial, Lisa Shendroff, who was the legal counsel for Brian McHugh, deceived 
the Court by patently stating that I had a hearing. The Executive Director of 
the Law Society, James Matkin failed to investigate her misconduct and 
compromised the honour and integrity of legal profession. In addition, as an 
employee of the Ministry of Attorney General, Lisa Shendroff jeopardized the 
credibility of the Ministry. 
Geoff Plant was comfortable with her conduct and failed to correct her wrong 
to protect his peculiar political interests. 
I launched an email publicity campaign to display the identity of the 
perpetrators of this legal scam. Therefore, the police seized my work-van and 
tools without a warrant; Geoff Plant was acquiescent to it. I was unable to work; the Ministry of Human Resources 
denied me hardship assistance (loan) even though I was qualified. VanCity sold 
my investment property without negotiating the other options of paying my 
mortgage. 
Now, Larry Koo, TD Bank's lawyer collaborating with Dale Smith of the Ministry 
of Attorney General is threatening me with the seizure and forceful sale of my 
residential property. They know that I am committed and capable of 
paying my mortgage upon the resolution of this legal scam. They are also aware of 
the fact that it is UNLAWFUL for me to consent to the unlawful seizure of my 
residential property, because it is 
an encouragement for the criminals to offend the other members of the public.
It is not necessary to have a law degree to conclude that unreasonable 
seizure of certificate of qualifications, work tools and residential property is 
UNLAWFUL and it may amount to undue torture to induce suicide. Therefore, 
the Chief Law Officer of British Columbia, Geoff Plant may not fool 
the public by playing ignorance of law, unless he spends a significant amount of 
public money to cover up his misdeeds and the media continue to support 
him.
PUBLIC ALERT: If Geoff Plant succeeds in covering up this LEGAL SCAM, you may be the next victim of the same 
public offenders who have been torturing me since 1998. (Complete list is at
www.integriti.org)  


PLEASE CIRCULATE for your own protection.


Ron Korkut

5 – 312 Carnarvon Street 
New Westminster BC V3L 5H6

www.integriti.org, 
www.injusticebc.org
[EMAIL PROTECTED]
604 520 3684

March, 2003

Re: is iptables enough?

2003-03-20 Thread Keegan Quinn
On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
>Imo iptables is a reasonably good stateful firewall and is fine in most
> cases.  However, a very wise person once said that the ideal setup is to
> layer more than one implementation of packet filter and firewall between
> the wild and a host/network you wish to protect.  Ideally implementations
> on diverse platforms.

Just remember that when you do this, you are introducing an additional point 
of failure for each device in the chain.  Some people like to keep these at a 
minimum, especially in the 'revenue-generating' environments you describe.

 - Keegan



Re: iptables help to forward ports please

2003-03-20 Thread Hanasaki JiJi

what package can i research for a store/forward server?

I thought the secure way was not to run anything like that on a
firewall?  That is why I am moving this group's exim off the firewall.

Lars Ellenberg wrote:

> On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
> > been trying to get the following to work for sometime input is most
> > appreciated
> >
> > internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> >
> > how can the firewall be told to:
> >   take all incoming tcp port 25 traffic and send it to
> >   smtp host on port X
>
> iptables .. redirect
>
> >   take all outgoing traffic from smtphost
> >   and send it out to the internet on port 25
>
> .. forward [ and masq ]
>
> > Thank you.
>
> but to me it seems more appropriate to use a simple store and forward
> smtp daemon on the firewall.
>
> Lars




--
=
= Management is doing things right; leadership is doing the =
=   right things.- Peter Drucker=
=___=
= http://www.sun.com/service/sunps/jdc/javacenter.pdf   =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=




[qq@kuku.eu.org: linux kmod/ptrace bug - details]

2003-03-20 Thread Alexander Neumann
FYI, temporary fix is to set /proc/sys/kernel/modprobe to something
bogus.

-- 
"Real men don't take backups. They put their source on a public FTP-server
and let the world mirror it." -- Linus Torvalds
--- Begin Message ---

Hello

There are many discussions (on slashdot for example) on the recent linux 
ptrace (& kmod) bug. I'll try to clarify what this is all about.

It's a local root vulnerability. It's exploitable only if:
1. the kernel is built with modules and kernel module loader enabled
 and
2. /proc/sys/kernel/modprobe contains the path to some valid executable
 and
3. ptrace() calls are not blocked

These conditions are met on most standard linux distros.

Ok now how it works:
When a process requests a feature which is in a module, the kernel spawns
a child process, sets its euid and egid to 0 and calls execve("/sbin/modprobe")
The problem is that before the euid change the child process can be 
attached to with ptrace(). Game over, the user can insert any code into a 
process which will be run with the superuser privileges.

Solutions/workarounds:
- patch the kernel
 or
- disable kmod/modules
 or
- install a ptrace-blocking module
 or
- set /proc/sys/kernel/modprobe to /any/bogus/file

A word about 2.5. kernels - these are not vulnerable because the kernel 
thread spawning code has been rewritten so that the modprobe process is 
spawned from keventd, it never runs with non-root uid, so it can't be 
ptraced by any non-root user.

Sample exploit here (ix86-only):
http://august.v-lo.krakow.pl/~anszom/km3.c

-- 
: Andrzej Szombierski : [EMAIL PROTECTED] : [EMAIL PROTECTED] :
: [EMAIL PROTECTED] ::: radio bez kitu <=> http://bezkitu.com :

--- End Message ---
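As an added example (not part of Andrzej's message or Alexander's note), a small shell check for the workaround they describe: whether /proc/sys/kernel/modprobe currently names a runnable loader, and a function that points it at a nonexistent file. The sysctl file is a parameter so the check can be exercised on a copy; the function names are my own.

```shell
#!/bin/sh
# Added example: check and apply the workaround from the message above
# (pointing /proc/sys/kernel/modprobe at a path that does not exist).
# The sysctl file is a parameter so the functions can be exercised on a
# copy instead of the live /proc entry; the function names are assumed.

# modprobe_state [SYSCTL_FILE]
# Prints one word describing the configured module loader:
#   live    - it names an existing executable (condition 2 of the advisory
#             holds, so an unpatched kernel is exposed through it)
#   bogus   - it names nothing executable (the workaround is in effect)
#   unset   - it is empty
#   absent  - the file cannot be read (no kmod support, or no /proc)
modprobe_state() {
    f=${1:-/proc/sys/kernel/modprobe}
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    target=$(cat "$f")
    if [ -z "$target" ]; then
        echo unset
    elif [ -x "$target" ]; then
        echo live
    else
        echo bogus
    fi
}

# disable_kmod_autoload [SYSCTL_FILE]
# Apply the workaround. Cost, per condition 1 of the advisory: on a kernel
# that relies on automatic module loading, features that live in modules not
# yet loaded will no longer load on demand until the path is restored or the
# kernel is patched.
disable_kmod_autoload() {
    f=${1:-/proc/sys/kernel/modprobe}
    echo /any/bogus/file > "$f"
}

# Stand-alone use: "sh kmod-workaround.sh" reports the live state;
# "sh kmod-workaround.sh --apply" (as root) also applies the workaround.
echo "kernel.modprobe loader: $(modprobe_state)"
case "${1:-}" in
    --apply) [ "$(modprobe_state)" = live ] && disable_kmod_autoload ;;
esac
```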




Re: looking for a good source to start learning about kerberos

2003-03-20 Thread Noah L. Meyerhans
On Thu, Mar 20, 2003 at 12:18:23PM +0200, Haim Ashkenazi wrote:
> After reading the responses for my email about NIS security, I was
> convinced that it's time to learn about ldap w/kerberos. In the
> ldap-howto's I've read there were references to kerberos by MIT and
> Heimdal. Looking in my aptitude list I saw a lot of packages with
> different versions of kerberos and I've got a little confused. I was
> wondering what would be a good place to start with kerberos (keeping
> in mind that my main interest is to combine it with ldap)?

Well, start with http://web.mit.edu/kerberos/www/
Then maybe proceed to http://www.ofb.net/~jheiss/krbldap/

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 









Re: is iptables enough?

2003-03-20 Thread Adrian 'Dagurashibanipal' von Bidder
On Wed, 2003-03-19 at 23:01, Stefan Neufeind wrote:
> What I find astonishing: Let's say you are running a webserver, maybe 
> mailserver and a DNS on a server. What rules do you want to apply to 
> the packets etc.?

I guess plain iptables should be enough for single PC or SOHO network -
you can do pretty much everything.

What I have not investigated is reporting - as iptables has no builtin
(canonical) fancy reporting software, you'd rely on add-on software, and
I don't know what's available there.

To the original poster: Do it all with iptables.

Set it up to block everything and then selectively open ports until
everything works as desired. Depending on the applications it may be a
good idea to REJECT auth (identd) packets instead of dropping them -
some applications have long timeouts.

Server hardware: a 486/25 with 36M RAM should be able to bear the load
you're describing (it did for me, for several years, and still does for
the people now living there, including also routing and squid proxy for
the 3 computers behind it). The only thing is that you'd want to avoid
compiling kernels on that machine :-)

To make your life as care-free as possible: install woody, not testing -
you don't really need the latest software, do you - and subscribe to the
security announcement list. Think about partitioning your server - log
files at least, and perhaps mail spool, too, should go into a partition
of their own, and use some software to monitor disk usage (there's
software for this, but there's also the method of just calling 'df' from
a cron script). Use logcheck or some similar software - once you've
tuned it to your needs, you'll have almost no mail during regular
operation. pflogsumm or similar could be interesting if you want an
overview of what your mailserver is doing, it'll not react fast enough
if your server is ever abused, though. For the website, running webalizer
or somesuch is interesting; I have found (with church
authorities, as it happens) that the not so tech-savvy are mightily
impressed if you can show them that 4 or 5 actual people really look at
the web page.

cheers
-- vbi

-- 
The prablem with Manoca is thot it's difficult ta tell the difference
between o cauple af the letters.
-- Jacob W. Haller on alt.religion.kibology






Re: is iptables enough?

2003-03-20 Thread Adrian Phillips
> "Jones" == Jones  <[EMAIL PROTECTED]> writes:

Jones> I am planning to replace a (dead) Windows 2000 computer
Jones> that was used as a web server and email server with a
Jones> Debian Linux solution.  This machine is connected to the
Jones> net via DSL and would run apache and exim/qpopper and sshd.
Jones> Everything else would be turned off.  It is a small church
Jones> and their current site is not very busy, but she says they
Jones> do get a lot of email.

Jones> Am I right in assuming that iptabes is enough as a firewall
Jones> solution and that I would not need to buy any additional
Jones> software.  That is what I understand from my past
Jones> experience with Debian/iptables as a server and from the
Jones> files at debian.org security howto at
Jones> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

You could use UML (user-mode-linux.sf.net) to split up the systems
(apache in 1, email in another) as an additional layer of
protection. .deb's are available although you probably want to grab
unstable's versions to be reasonably up to date.

Sincerely,

Adrian Phillips

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]



Re: Re: is iptables enough?

2003-03-20 Thread Dale Amon
On Thu, Mar 20, 2003 at 01:53:07PM +0100, Rolf Kutz wrote:
> How is that, since IDE and SCSI disks have
> the same mechanics?

For one, the old IDE's tended to be more cheaply made.
He is right in that: for customer machines in that
era I always insisted on SCSI hard drives for speed 
and reliability.

There does not seem to be a whole lot of difference
anymore.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: Re: is iptables enough?

2003-03-20 Thread Rolf Kutz
* Quoting I.R. van Dongen ([EMAIL PROTECTED]):

> 
> On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:
> 
> > On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> > > This should be more than enough. I have been running a mailserver on a
> > > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> > > mail --- never had a problem.
> > 
> > Hah! Is nothing! I run a cablemodem firewall, multiple
> > VPN's, DNS, with snort, tiger, and other tools on a
> > 486 with 16MB of RAM!

> I hope that machine has scsi disks like my
> gateway (120MB & 1GB) since with that low on ram
> your machine is always swapping. That's usually
> no problem, but IDE disks tend to wear out fast
> when used 24/7. With more RAM (32-40M) your

How is that, since IDE and SCSI disks have
the same mechanics?

> disks will be more standby.

More RAM is always good.

- Rolf

-- 
http://www.stop1984.com/



Re: iptables help to forward ports please

2003-03-20 Thread Peter Parkkali
On Wed, 19 Mar 2003, Victor Calzado Mayo wrote:

> > internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> >
> > how can the firewall be told to:
> > take all incoming tcp port 25 traffic and send it to
> > smtp host on port X

> iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
> $SMTP_HOST:$port
>
> Remember that if you want to apply filters in a Destination "Nated" port you
> have to do it in the FORWARD hook ( not in the INPUT hook as usual ), so if
> you have DROP as default policy in the FORWARD hook DNAT won't work untill
> you ACCEPT in FORWARD conections destinated to these DNATed ports.

It's also worth knowing that this filtering must be based on the
_real_ address of the receiving host and not the public, visible
address. After Victor's example:

iptables -A FORWARD -d $SMTP_HOST -p tcp --dport $port -j ACCEPT

Also, the firewall performing the DNAT must react to ARP requests
for the "virtual" (public, whatever) IP address. Unless this
is also the firewall's primary address, I've cared for this by
assigning it as an ip alias, ie.

ip addr add local $PUBLIC_ADDR/$CIDR_NETMASK broadcast + dev ethXX

The ethXX must of course be on the proper subnet where the traffic
comes from; the "outer edge" typically.

I'm not sure but I think you also need to SNAT the reply
packets that are associated with the connections that the
above rules allow. Maybe connection tracking does this
automatically, though. The rule would be something like this,
but I'd experiment without it first:

iptables -t nat -A POSTROUTING -s $SMTP_HOST -j SNAT \
  --to-source $PUBLIC_ADDR

-- 
pp / [EMAIL PROTECTED] / [EMAIL PROTECTED] /
040-532 95 80 / +358-40-532 95 80








Re: iptables help to forward ports please

2003-03-20 Thread Lars Ellenberg
On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime input is most 
> appreciated
> 
> 
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> 
> how can the firewall be told to:
>   take all incoming tcp port 25 traffic and send it to
>   smtp host on port X

iptables .. redirect

> 
>   take all outgoing traffic from smtphost 
>   and send it out to the internet on port 25

.. forward [ and masq ]

> 
> Thank you.

but to me it seems more appropriate to use a simple store and forward
smtp daemon on the firewall.

Lars




Re: iptables help to forward ports please

2003-03-20 Thread Victor Calzado Mayo

On Thursday 20 March 2003 06:26, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime input is most
> appreciated
>
>
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
>
> how can the firewall be told to:
>   take all incoming tcp port 25 traffic and send it to
>   smtp host on port X


iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
$SMTP_HOST:$port

Remember that if you want to apply filters in a Destination "Nated" port you 
have to do it in the FORWARD hook ( not in the INPUT hook as usual ), so if 
you have DROP as default policy in the FORWARD hook DNAT won't work until 
you ACCEPT in FORWARD connections destined to these DNATed ports. 


>
>   take all outgoing traffice from smtphost 
>   and send it out to the internet on port 25

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
--to-source INTERNET

This rule is not exactly what you asked for but you have to take care not only 
of SMTP traffic, the SMTP server also needs to perform lookups to DNS servers ( 
yes, you can assign a local one... ).

Anyway if you need/want only SMTP connections to be "Nated" you can define the 
destination port ( 25 ) ( add --dport 25 to the nat rule ) better than source 
port ( even if you know for sure that SMTP connections are only established 
from this port ) ( Someone in the SMTP host could connect to any host at any 
port using 25 as source tcp port, if you define a destination port this kind 
of malicious connections are disallowed ) but you can also specify a source 
port ( --sport 25 )

# --to-source takes only the address: INTERNET:25 would also rewrite the source port
iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST --sport 25 --dport 25 \
-j SNAT --to-source INTERNET


>
> Thank you.
Kind Regards 
Victor
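The pieces Lars, Victor and Peter describe, assembled as an added example that is not from any of their posts: a shell function that emits the PREROUTING DNAT, FORWARD and POSTROUTING SNAT rules for the "internet <=25= firewall =port#x=> internalSMTPhost" setup, plus the address alias Peter mentions. PUBLIC_ADDR, SMTP_HOST, SMTP_PORT and WAN_IF are assumed placeholders and the addresses used in the usage line are constructed; the function prints the commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: generate the iptables rules for forwarding inbound port-25
# traffic to an internal SMTP host and NATing its outbound deliveries.
# Assumed placeholders: PUBLIC_ADDR (the firewall's visible address),
# SMTP_HOST (the internal host's real address), SMTP_PORT (the port it
# listens on), WAN_IF (the interface facing the internet).
#
# smtp_nat_rules PUBLIC_ADDR SMTP_HOST SMTP_PORT WAN_IF
smtp_nat_rules() {
    pub=$1; host=$2; port=$3; wan=$4

    # Replies and related packets of connections that were already accepted.
    # Connection tracking reverses the DNAT/SNAT on reply packets by itself,
    # so no separate SNAT rule for replies is needed.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Inbound: rewrite the destination of port-25 connections arriving on the
    # public address to the internal host's real address and port (Victor's
    # PREROUTING rule, restricted to the outside interface).
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp -d $pub --dport 25 -j DNAT --to-destination $host:$port"

    # FORWARD sees the packet after DNAT, so the ACCEPT rule must match the
    # real destination ($host:$port), not $pub:25 (Peter's point). Without
    # it a DROP policy on FORWARD silently eats the forwarded connections.
    echo "iptables -A FORWARD -i $wan -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"

    # Outbound: deliveries the SMTP host makes to port 25 elsewhere leave with
    # the public address as source. Matching --dport 25 rather than --sport 25
    # keeps this to real SMTP sessions (Victor's remark about source ports).
    echo "iptables -A FORWARD -o $wan -p tcp -s $host --dport 25 -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -p tcp -s $host --dport 25 -j SNAT --to-source $pub"
}

# The firewall must answer ARP for PUBLIC_ADDR; if it is not the interface's
# primary address, add it as an alias (Peter's ip addr add, with the public
# address rather than the internal one).
# public_alias_cmd PUBLIC_ADDR PREFIX_LEN WAN_IF
public_alias_cmd() {
    echo "ip addr add $1/$2 dev $3"
}

# Stand-alone use: print the rule set for review, then pipe it to sh to apply.
#   sh smtp-nat.sh 203.0.113.10 192.168.1.25 2525 eth0   (constructed values)
if [ "$#" -eq 4 ]; then
    public_alias_cmd "$1" 24 "$4"
    smtp_nat_rules "$@"
fi
```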



Re: looking for a good source to start learning about kerberos

2003-03-20 Thread Rick Moen
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> After reading the responses for my email about NIS security, I was
> convinced that it's time to learn about ldap w/kerberos. In the
> ldap-howto's I've read there were references to kerberos by MIT and
> Heimdal. Looking in my aptitude list I saw a lot of packages with
> different versions of kerberos and I've got a little confused. I was
> wondering what would be a good place to start with kerberos (keeping
> in mind that my main interest is to combine it with ldap)?

My information on this subject is a little out of date, and I was never
all that well informed on it, but I'll give it a try, anyway.

Researchers at the Swedish Royal Institute of Technology (KTH = Kungliga
Tekniska Högskola) were working from freely available information about
Kerberos, such as had reached the international community from MIT's
Project Athena before pressure from US spook agencies caused a
clampdown on "export" of information about strong cryptography.  So, KTH
Kerberos, aka Heimdal, was an implementation of the 1987 Kerberos v4
spec, which used DES encryption.  (The earlier three versions were
development-only.)

Meanwhile, MIT researchers were proceeding through 1990-91 in creating
the Kerberos v5 spec and reference implementation, i.e., MIT Kerberos,
introducing 3DES and other newer types of authentication.  Until late in
the 1990s, this code and knowledge of it in theory could not be legally
"exported" from the USA, despite it being publicly documented in RFC
1510 and 1509.  

Of late, the KTH people have managed, either thanks to the relative
lifting of "export" paranoia, or entirely on their own efforts, to
implement Kerberos v5[1], as well.  How do they now compare, and how
interoperable are they?  Beats me.  Maybe someone else will comment.

[1] Which is a damned good thing, since researchers found a protocol
flaw in Kerberos v4 authentication, making possible successful
dictionary attacks:  S. M. Bellovin and M. Merritt, "Limitations of the
Kerberos Authentication System", Proceedings of the 1991 USENIX
Conference, Dallas, TX 1991.

-- 
Cheers,   A host is a host, from coast to coast.
Rick Moen And nobody talks to a host that's close,
[EMAIL PROTECTED]   Unless the host that isn't close is busy, hung, or dead.




Re: Re: is iptables enough?

2003-03-20 Thread Dale Amon
On Thu, Mar 20, 2003 at 10:31:12AM +0100, I.R. van Dongen wrote:
> I hope that machine has scsi disks like my gateway (120MB & 1GB) since with 
> that low on ram your machine is always swapping. That's usually no problem, 
> but IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M) 
> your disks will be more standby.

Unfortunately no. It's what I call a "bin diver special", a junk
machine an office was going to throw away. 400MB IDE of the old
sort.

If snort is report building, you hear a lot of disk
activity; through most of the day you only hear a
click every couple seconds or so. It doesn't swap
while passing ip traffic. Might do so if I really
try to max the bandwidth, but I've not noticed it.

Hey, I got 3 of them for free, had to do something
with them. I already had a doorstop. :-)

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--






Re: iptables help to forward ports please

2003-03-20 Thread Peter Parkkali
On Wed, 19 Mar 2003, Victor Calzado Mayo wrote:

> > internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> >
> > how can the firewall be told to:
> > take all incoming tcp port 25 traffic and send it to
> > smtp host on port X

> iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
> $SMTP_HOST:$port
>
> Remember that if you want to apply filters in a Destination "Nated" port you
> have to do it in the FORWARD hook ( not in the INPUT hook as usual ), so if
> you have DROP as default policy in the FORWARD hook DNAT won't work until
> you ACCEPT in FORWARD connections destined to these DNATed ports.

It's also worth knowing that this filtering must be based on the
_real_ address of the receiving host and not the public, visible
address. After Victor's example:

iptables -A FORWARD -d $SMTP_HOST -p tcp --dport $port -j ACCEPT

Also, the firewall performing the DNAT must react to ARP requests
for the "virtual" (public, whatever) IP address. Unless this
is also the firewall's primary address, I've taken care of this by
assigning it as an IP alias, i.e.

ip addr add local $PUBLIC_ADDR/$CIDR_NETMASK broadcast + dev ethXX

The ethXX must of course be on the proper subnet where the traffic
comes from; the "outer edge" typically.

I'm not sure but I think you also need to SNAT the reply
packets that are associated with the connections that the
above rules allow. Maybe connection tracking does this
automatically, though. The rule would be something like this,
but I'd experiment without it first:

iptables -t nat -A POSTROUTING -s $SMTP_HOST -j SNAT \
  --to-source $PUBLIC_ADDR

-- 
pp / [EMAIL PROTECTED] / [EMAIL PROTECTED] /
040-532 95 80 / +358-40-532 95 80








looking for a good source to start learning about kerberos

2003-03-20 Thread Haim Ashkenazi
Hi

After reading the responses for my email about NIS security, I was convinced 
that it's time to learn about ldap w/kerberos. In the ldap-howto's I've read 
there were references to kerberos by MIT and Heimdal. Looking in my aptitude 
list I saw a lot of packages with different versions of kerberos and I've got a 
little confused. I was wondering what would be a good place to start with 
kerberos (keeping in mind that my main interest is to combine it with ldap)?

Thanx
-- 
Haim



Re: iptables help to forward ports please

2003-03-20 Thread Lars Ellenberg
On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime input is most 
> appreciated
> 
> 
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> 
> how can the firewall be told to:
>   take all incoming tcp port 25 traffic and send it to
>   smtp host on port X

iptables .. redirect

> 
>   take all outgoing traffice from smtphost 
>   and send it out to the internet on port 25

.. forward [ and masq ]

> 
> Thank you.

but to me it seems more appropriate to use a simple store and forward
smtp daemon on the firewall.

Lars





Re: iptables help to forward ports please

2003-03-20 Thread Victor Calzado Mayo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 20 March 2003 06:26, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime input is most
> appreciated
>
>
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
>
> how can the firewall be told to:
>   take all incoming tcp port 25 traffic and send it to
>   smtp host on port X


iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
$SMTP_HOST:$port

Remember that if you want to apply filters in a Destination "Nated" port you
have to do it in the FORWARD hook ( not in the INPUT hook as usual ), so if
you have DROP as default policy in the FORWARD hook DNAT won't work until
you ACCEPT in FORWARD connections destined to these DNATed ports.


>
>   take all outgoing traffice from smtphost 
>   and send it out to the internet on port 25

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
  --to INTERNET

This rule is not exactly what you asked for, but you have to take care not only
of SMTP traffic; the SMTP server also needs to perform lookups to DNS servers
( yes, you can assign a local one... ).

Anyway, if you need/want only SMTP connections to be "Nated" you can define the
destination port ( 25 ) ( add --dport 25 to the nat rule ) better than the source
port ( even if you know for sure that SMTP connections are only established
from this port ) ( someone on the SMTP host could connect to any host at any
port using 25 as source tcp port; if you define a destination port this kind
of malicious connection is disallowed ), but you can also specify a source
port ( --sport 25 )

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST --dport 25 --sport 25 -j SNAT \
  --to INTERNET


>
> Thank you.
Kind Regards 
Victor
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+eFgREzqHF8R72ekRAr0HAJsHIicvX0bh1MzNVEMgFY2ckCKwBwCfU7id
aL55zOh9Gnn0JSOmI7u4xPM=
=NXdQ
-END PGP SIGNATURE-
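Putting this reply and Peter's together, as an added example that is not code from the thread: one script with the DNAT, the FORWARD rule that matches the real (post-DNAT) address, the outbound SNAT matched on destination port rather than source port, the DNS the SMTP host needs, and the address alias so the firewall answers ARP for the public address. Every address, interface, port and the /29 prefix is an assumption for illustration; IPT and IP default to echo so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: public address
# 203.0.113.5/29 on eth0, internal SMTP host 192.0.2.10 listening on 2525
# behind eth1. Set IPT=iptables IP=ip (as root) to load instead of print.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_ADDR="${PUBLIC_ADDR:-203.0.113.5}"
PUBLIC_PREFIX="${PUBLIC_PREFIX:-29}"
SMTP_HOST="${SMTP_HOST:-192.0.2.10}"
SMTP_PORT="${SMTP_PORT:-2525}"

# The firewall must answer ARP for the public address on the outer interface;
# skip this when it is already that interface's primary address.
public_alias() {
    $IP addr add "$PUBLIC_ADDR/$PUBLIC_PREFIX" dev "$WAN_IF"
}

# Default-deny for routed traffic. Reply packets in both directions are matched
# by connection tracking, which also undoes the DNAT/SNAT on them, so no
# explicit reverse-NAT rule is needed.
base_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Inbound: rewrite the destination in nat/PREROUTING, then accept it in FORWARD.
# The FORWARD match uses the real address and port, because the filter table
# sees the packet only after the nat hook has rewritten it.
inbound_smtp_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_ADDR" --dport 25 \
        -j DNAT --to-destination "$SMTP_HOST:$SMTP_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SMTP_HOST" \
        --dport "$SMTP_PORT" -m state --state NEW -j ACCEPT
}

# Outbound: permit one protocol/port from the SMTP host and hide it behind the
# public address. Matching --dport (never --sport) means a process on the SMTP
# host cannot reach arbitrary ports just by binding a privileged source port.
# Only an address is given to --to-source, so the kernel picks source ports and
# concurrent deliveries to the same MX do not collide.
allow_outbound() {
    proto="$1"; port="$2"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" -s "$SMTP_HOST" \
        --dport "$port" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p "$proto" -s "$SMTP_HOST" \
        --dport "$port" -j SNAT --to-source "$PUBLIC_ADDR"
}

outbound_rules() {
    allow_outbound tcp 25   # deliveries
    allow_outbound udp 53   # MX lookups
    allow_outbound tcp 53   # large DNS answers fall back to TCP
}

# Whole configuration in order; with the echo defaults this prints the commands.
smtp_forward_ruleset() {
    public_alias
    base_rules
    inbound_smtp_rules
    outbound_rules
}

smtp_forward_ruleset
```

Run it once with the defaults to review the generated commands, then again with IPT=iptables IP=ip to load them; the only state-dependent step is the alias, which fails harmlessly if the address is already configured.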





Re: Re: is iptables enough?

2003-03-20 Thread I.R. van Dongen

On Wed, 19 Mar 2003 21:21:42 +, [EMAIL PROTECTED] wrote:

> On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. T?ndering wrote:
> > This should be more than enough. I have been running a mailserver on a
> > Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> > mail --- never had a problem.
> 
> Hah! Is nothing! I run a cablemodem firewall, multiple
> VPN's, DNS, with snort, tiger, and other tools on a
> 486 with 16MB of RAM!
I hope that machine has scsi disks like my gateway (120MB & 1GB) since with 
that low on ram your machine is always swapping. That's usually no problem, but 
IDE disks tend to wear out fast when used 24/7. With more RAM (32-40M) your 
disks will be more standby.

Gr,

Ivo van Dongen



Re: OT: Is it so easy to break into an NIS?

2003-03-20 Thread Haim Ashkenazi
Thanx for the input everybody, I think that from now on I will at least 
recommend to my clients about using ldap instead.

Bye
-- 
Haim



Re: looking for a good source to start learning about kerberos

2003-03-20 Thread Rick Moen
Quoting Haim Ashkenazi ([EMAIL PROTECTED]):

> After reading the responses for my email about NIS security, I was
> convinced that it's time to learn about ldap w/kerberos. In the
> ldap-howto's I've read there were references to kerberos by MIT and
> hemidal. looking in my aptitude list I saw a lot of packages with
> different versions of kerberos and I've got a little confused. I was
> wondering what would be a good place to start with kerberos (keeping
> in mind that my main interest is to combine it with ldap)?

My information on this subject is a little out of date, and I was never
all that well informed on it, but I'll give it a try, anyway.

Researchers at the Swedish Royal Institute of Technology (KTH = Kungliga
Tekniska Högskola) worked from freely available information about
Kerberos, such as had reached the international community from MIT's
Project Athena before pressure from US spook agencies caused a
clampdown on "export" of information about strong cryptography.  So, KTH
Kerberos, aka Heimdal, was an implementation of the 1987 Kerberos v4
spec, which used DES encryption.  (The earlier three versions were
development-only.)

Meanwhile, MIT researchers were proceeding through 1990-91 in creating
the Kerberos v5 spec and reference implementation, i.e., MIT Kerberos,
introducing 3DES and other newer types of authentication.  Until late in
the 1990s, this code and knowledge of it in theory could not be legally
"exported" from the USA, despite it being publicly documented in RFC
1510 and 1509.  

Of late, the KTH people have managed, either thanks to the relative
lifting of "export" paranoia, or entirely on their own efforts, to
implement Kerberos v5[1], as well.  How do they now compare, and how
interoperable are they?  Beats me.  Maybe someone else will comment.

[1] Which is a damned good thing, since researchers found a protocol
flaw in Kerberos v4 authentication, making possible successful
dictionary attacks:  S. M. Bellovin and M. Merritt, "Limitations of the
Kerberos Authentication System", Proceedings of the 1991 USENIX
Conference, Dallas, TX 1991.

-- 
Cheers,   A host is a host, from coast to coast.
Rick Moen And nobody talks to a host that's close,
[EMAIL PROTECTED]   Unless the host that isn't close is busy, hung, or dead.






Re: Re: is iptables enough?

2003-03-20 Thread Dale Amon
On Thu, Mar 20, 2003 at 10:31:12AM +0100, I.R. van Dongen wrote:
> I hope that machine has scsi disks like my gateway (120MB & 1GB) since with that low 
> on ram your machine is always swapping. That's usually no problem, but IDE disks 
> tend to wear out fast when used 24/7. With more RAM (32-40M) your disks will be more 
> standby.

Unfortunately no. It's what I call a "bin diver special", a junk
machine an office was going to throw away. 400MB IDE of the old
sort.

If snort is report building, you hear a lot of disk
activity; through most of the day you only hear a
click every couple seconds or so. It doesn't swap
while passing ip traffic. Might do so if I really
try to max the bandwidth, but I've not noticed it.

Hey, I got 3 of them for free, had to do something
with them. I already had a doorstop. :-)

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--




