From Firewalls-Owner Mon Mar 1 16:49:24 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA18084; Mon, 1 Mar 93 16:49:24 GMT
Received: from yonge.csri.toronto.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA18077; Mon, 1 Mar 93 08:49:14 PST
Received: from alias by yonge.csri.toronto.edu with UUCP id <14403>; Mon, 1 Mar 1993 11:49:32 -0500
Received: from dino.alias.com by barney.alias.com with SMTP id AA01387 (5.65a/IDA-1.4.2 for firewalls@GreatCircle.COM); Mon, 1 Mar 93 11:39:18 -0500
Received: by dino.alias.com id AA18783 (5.65a/IDA-1.4.2 for firewalls@GreatCircle.COM); Mon, 1 Mar 93 16:39:17 GMT
From: chk@alias.com (C. Harald Koch)
Message-Id: <9303011639.AA18783@dino.alias.com>
Subject: Re: Appletalk through firewalls.
To: firewalls@GreatCircle.COM
Date: Mon, 1 Mar 1993 11:39:16 -0500
In-Reply-To: <93Feb26.094425pst.2439@avalon.parc.xerox.com> from "Mark Verber" at Feb 26, 93 12:44:14 pm
X-Mailer: ELM [version 2.4 PL8]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1320
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> I find the request to permit AppleTalk through your firewall somewhat
> mystifying. How are people planning to get AppleTalk to your network?
> No network provider that I know of is routing AppleTalk so who would be
> using this hole in your firewall, and how would they get AppleTalk packets
> to your firewall?

Well, in a slightly different situation, it's possible. We will have an
AppleTalk Remote Access server installed. This allows people to dial up to
our network from a Macintosh, and access all net services as though they
were a local user.

Now, I don't trust Apple's login/password stuff, since (as always) people
often choose insecure passwords. So, I'd like to be able to restrict access
to the network from the ARA server. The ideal solution would be an AppleTalk
firewall, if such a beast is even possible.
Failing that, I'll have to completely disable routing from the ARA server to
the internal net, and put all the servers on a touchdown network outside our
routers... Yuck.

--
Main's Law: For every      | C. Harald Koch   Alias Research, Inc.   Toronto, ON
action, there is an equal  | chk@alias.com (work-related mail)
and opposite government    | chk@gpu.utcs.utoronto.ca (permanent address)
program.                   | VE3TLA@VE3OY.#SCON.ON.CA.NA (AMPRNet)

From Firewalls-Owner Mon Mar 1 18:39:51 1993
From: davidl@Newbridge.COM (David Law)
Date: Mon, 1 Mar 93 13:40:25 EST
Message-Id: <9303011840.AA27952@Newbridge.COM>
To: firewalls@GreatCircle.COM
Subject: Re: Appletalk through firewalls.

> > I find the request to permit AppleTalk through your firewall somewhat
> > mystifying. How are people planning to get AppleTalk to your network?
> > No network provider that I know of is routing AppleTalk so who would be
> > using this hole in your firewall, and how would they get AppleTalk packets
> > to your firewall?
>
> Well, in a slightly different situation, it's possible. We will have an
> AppleTalk Remote Access server installed. This allows people to dial up to
> our network from a Macintosh, and access all net services as though they
> were a local user.
>
> Now, I don't trust Apple's login/password stuff, since (as always) people
> often choose insecure passwords. So, I'd like to be able to restrict access
> to the network from the ARA server.
> The ideal solution would be an AppleTalk
> firewall, if such a beast is even possible.
>
> Failing that, I'll have to completely disable routing from the ARA server to
> the internal net, and put all the servers on a touchdown network outside our
> routers... Yuck.
>

I think ARA is definitely the way to go but as mentioned, Apple's passwd/login
stuff is easily bypassed. Cayman, however, does make an ARA box which can be
used with SecurID. It's probably worth looking into if you really need remote
access for the Macs.

David Law - Systems Administration     Internet: davidl@Newbridge.COM
Newbridge Networks Corp.                         postmaster@Newbridge.COM
PO Box 13600, 600 March Road,          Tel: (613) 591-3600
Kanata, Ontario, Canada K2K 2E6        Fax: (613) 591-3680

From Firewalls-Owner Mon Mar 1 18:56:19 1993
From: Brent Chapman
Date: Mon, 01 Mar 93 10:54:24 -0800
Message-Id: <9303011854.AA19435@mycroft.GreatCircle.COM>
To: Jonny Goldman
Cc: firewalls@GreatCircle.COM
Subject: Re: WAIS: an overview
In-Reply-To: Your message of Thu, 25 Feb 93 20:22:19 PST

Jonny Goldman writes:

# Server forwarding is built into every WAIS server, so if you can run a
# server on your firewall host, you can tunnel to external servers using it.
# Server forwarding uses the database-name field of the source description to
# encode a remote server/port/database, of the form:
#
#     db@host:port
#
# You can easily modify the source description, replacing the :ip-name with
# the name of your firewall, the :tcp-port with the port the server is using,
# and the :database-name with the encoded name. If your firewall can connect
# to the remote server, you're done. This is what the automatic forwarding
# client code does.
I assume that the forwarding server uses a random TCP port above 1024 for its
end of the conversation with the real server? In other words, the forwarding
server uses port 210 to talk to the internal client, and some random TCP port
above 1024 to talk to the "real" server on the outside world?

-Brent

--
Brent Chapman                  Great Circle Associates
Brent@GreatCircle.COM          1057 West Dana Street
+1 415 962 0841                Mountain View, CA 94041

From Firewalls-Owner Mon Mar 1 19:25:46 1993
From: Mark Verber
Date: Mon, 1 Mar 1993 11:24:58 PST
Message-Id: <93Mar1.112504pst.2439@avalon.parc.xerox.com>
To: davidl@newbridge.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Appletalk through firewalls.

It is all well to talk about the merits of ARA and thinking about how to
secure ARA, but I believe the original question was about connecting an
existing AppleTalk network through a firewall that is sitting on the Internet
to other sites on the Internet, e.g. tunnelling through an Internet firewall
with AppleTalk, not opening a back-door (which may or may not be locked) using
a dialup ARA service.
--Mark

From Firewalls-Owner Mon Mar 1 20:42:31 1993
From: Jonny Goldman
Date: Mon, 1 Mar 93 12:44:44 PST
Message-Id: <9303012044.AA00594@philo.quake.think.com>
To: brent@GreatCircle.COM
Cc: firewalls@GreatCircle.COM
In-Reply-To: Brent Chapman's message of Mon, 01 Mar 93 10:54:24 -0800 <9303011854.AA19435@mycroft.GreatCircle.COM>
Subject: WAIS: an overview

   Date: Mon, 01 Mar 93 10:54:24 -0800
   From: Brent Chapman

   Jonny Goldman writes:

   # Server forwarding is built into every WAIS server, so if you can run a
   # server on your firewall host, you can tunnel to external servers using it.
   # Server forwarding uses the database-name field of the source description to
   # encode a remote server/port/database, of the form:
   #
   #     db@host:port
   #
   # You can easily modify the source description, replacing the :ip-name with
   # the name of your firewall, the :tcp-port with the port the server is using,
   # and the :database-name with the encoded name. If your firewall can connect
   # to the remote server, you're done. This is what the automatic forwarding
   # client code does.

   I assume that the forwarding server uses a random TCP port above 1024 for its
   end of the conversation with the real server? In other words, the forwarding
   server uses port 210 to talk to the internal client, and some random TCP port
   above 1024 to talk to the "real" server on the outside world?

Umm... If you mean some random CLIENT port, as is done by TCP, yes. If you
mean some random SERVER port, no.
That's defined by the source description - whatever the :tcp-port field for
the remote server.

Perhaps a little example of a forwarding database would help. Let's say
you're inside a site with a firewall running a WAIS forwarder on a machine
named internet-gateway on port 640. If you wanted to talk to the
directory-of-servers, which runs on Quake.Think.COM on port 210 with
database-name "directory-of-servers", then the forwarding source description
would be:

   (:source
      :version 3
      :ip-name "internet-gateway"
      :tcp-port 640
      :database-name "directory-of-servers@Quake.Think.COM:210"
      :cost 0.00
      :cost-unit :free
      :maintainer "wais-directory-of-servers@quake.think.com"
      :subjects "general guide WAIS servers"
      :description "Server created with WAIS-8 on Fri Mar 8 14:30:57 1991 by brewster@think.com ... "
   )

- Jonny G

From Firewalls-Owner Tue Mar 2 14:26:48 1993
From: Leland K. Neely
Date: Tue, 2 Mar 93 6:26:44 PST
Message-Id: <9303021426.AA25164@mycroft.GreatCircle.COM>
Subject: Re: Appletalk through firewalls.
To: davidl@newbridge.com (David Law)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9303011840.AA27952@Newbridge.COM>; from "David Law" at Mar 1, 93 1:40 pm

David Law writes:
>
> I think ARA is definitely the way to go but as mentioned, Apple's passwd/login
> stuff is easily bypassed. Cayman, however, does make an ARA box which can be
> used with SecurID. It's probably worth looking into if you really need remote
> access for the Macs.
>

Not to rain on your parade, BUT, the GatorLink box uses a kludge to make the
SecurID stuff work.
What you do is enter your SecurID as your userid, leaving a blank passwd
field. Then this is sent as clear text to the SecurID server for
verification (via TCP/IP). While this works, I am less than thrilled as
there is no authentication of the human typing the SecurID. I would prefer
a second level access verification prompt, i.e. login with userid and
password, THEN demand the appropriate SecurID.

BUT - Not to be outdone, Apple's Internet Router now is fully capable of
encapsulation of AppleTalk packets into IP (UDP/IP I think) and thereby
makes the protocol routeable. They have some access control available to
limit what zones (i.e. subnets) have access to what... I suppose if both
sides of the link were using this as an access route then you would have
had to both configure the proper AppleTalk zone number, name and IP address
(before access would work).

Just a 6:26am thought....

C' Ya
Lee Neely

From Firewalls-Owner Tue Mar 2 16:42:54 1993
From: btk@matrix.cray.com (Bryan Koch)
Date: Tue, 2 Mar 93 10:42:46 CST
Message-Id: <9303021642.AA21187@matrix.cray.com>
Subject: Re: Appletalk through firewalls.
To: lkn@llnl.gov (Leland K. Neely)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9303021426.AA25164@mycroft.GreatCircle.COM>; from "Leland K. Neely" at Mar 2, 93 6:26 am

> Not to rain on your parade, BUT, the GatorLink box uses a kludge to make the
> SecurID stuff work.
> What you do is enter your SecurID as your userid,
> leaving a blank passwd field. Then this is sent as clear text to the SecurID
> server for verification. (via tcp/ip) While this works, I am less than
> thrilled as there is no authentication of the human typing the SecurID.

The assurance you have that there is a human typing is that they must be able
to provide current display values from the SecurID card's LCD. (We've had a
couple of instances over the past three years of experience with SecurID where
blind users needed to access our network. There are no good solutions to this.)

> I would prefer a second level access verification prompt. IE, login with
> userid and password, THEN demand the appropriate SecurID.

ARA, the GatorLink, and Security Dynamics' ACE/Server team up to collectively
prompt for and validate a login ID, a PIN (a password by another name), and
the SecurID PRN (pseudo-random number). To generate the PRN in software would
require knowledge of the seed value programmed into the card, the algorithm,
and the time. Of these only the third is generally available.

Bryan Koch                     VOICE: +1-612-683-3129
Data Security Leader           FAX:   +1-612-683-3099
Cray Research, Inc.            EMAIL: btk@cray.com
Eagan, Minnesota, USA

From Firewalls-Owner Tue Mar 2 17:26:11 1993
From: Leland K. Neely
Message-Id: <9303021726.AA26136@mycroft.GreatCircle.COM>
Subject: Re: Appletalk through firewalls.
To: btk@matrix.cray.com
Date: Tue, 2 Mar 93 9:25:24 PST
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9303021642.AA21187@matrix.cray.com>; from "Bryan Koch" at Mar 2, 93 10:42 am

Bryan Koch writes:
>
> ARA, the GatorLink, and Security Dynamics' ACE/Server team up to collectively
> prompt for and validate a login ID, a PIN (a password by another name), and
> the SecurID PRN (pseudo-random number). To generate the PRN in software
> would require knowledge of the seed value programmed into the card, the
> algorithm, and the time. Of these only the third is generally available.
>

Huh? This makes sense-----

BUT I am confused. When Cayman showed the SecurID stuff to me, they did NOT
enter a username or password, ONLY a SecurID. (Hence my concern.)
I can take 2 of my three requirements, but not one of 3.

As ARA is SO SIMPLE to configure on ANY Mac, I want to be able to provide a
secure centralized access point, so the users DON'T set up their OWN access
points..... (a political {or people} battle at times :-)

BTW, I am looking at this from network access, rather than access to services
on the net.

Finally - Thanks for the info.

Lee

From Firewalls-Owner Tue Mar 2 17:34:25 1993
From: btk@matrix.cray.com (Bryan Koch)
Date: Tue, 2 Mar 93 11:34:48 CST
Message-Id: <9303021734.AA24319@matrix.cray.com>
Subject: Re: Appletalk through firewalls.
To: lkn@llnl.gov (Leland K. Neely)
Cc: firewalls@GreatCircle.COM
In-Reply-To: <9303021726.AA11769@cray.com>; from "Leland K. Neely" at Mar 2, 93 9:25 am

>
> Bryan Koch writes:
> >
> > ARA, the GatorLink, and Security Dynamics' ACE/Server team up to collectively
> > prompt for and validate a login ID, a PIN (a password by another name), and
> > the SecurID PRN (pseudo-random number). To generate the PRN in software
> > would require knowledge of the seed value programmed into the card, the
> > algorithm, and the time. Of these only the third is generally available.
> >
> Huh? This makes sense-----
>
> BUT I am confused. When Cayman showed the SecurID stuff to me, they did NOT
> enter a username or password, ONLY a SecurID. (Hence my concern)
> I can take 2 of my three requirements, but not one of 3.

There are two versions of the SecurID card. The less expensive one simply
displays numbers. PINs (passwords) are sent along with the displayed
information to authenticate the user. The more expensive cards have a
10-digit "pin pad" on them. The user enters their PIN on the card, and the
card then displays a numerically-integrated PIN/PRN value. The advantage of
the latter of these is that the user's PIN (password) is never sent on the
network in clear form. It is, however, still a part of the authentication
process.

> As ARA is SO SIMPLE to configure on ANY Mac, I want to be able to provide a
> secure centralized access point, so the users DON'T set up their OWN access
> points..... (a political {or people} battle at times :-)

I agree. One of the shortcomings of the current ARA offerings is that they
all support a small number of lines (the GatorLink supports only three).
Centralized security, via SecurID or some other query protocol, greatly
simplifies security setup.
Bryan

From Firewalls-Owner Tue Mar 2 18:01:40 1993
From: davidl@Newbridge.COM (David Law)
Date: Tue, 2 Mar 93 13:02:09 EST
Message-Id: <9303021802.AA14072@Newbridge.COM>
To: lkn@llnl.gov
Subject: Re: Appletalk through firewalls.
Cc: firewalls@GreatCircle.COM

> From lkn@llnl.gov Tue Mar 2 09:27:28 1993
> David Law writes:
> >
> > I think ARA is definitely the way to go but as mentioned, Apple's passwd/login
> > stuff is easily bypassed. Cayman, however, does make an ARA box which can be
> > used with SecurID. It's probably worth looking into if you really need remote
> > access for the Macs.
> >
> Not to rain on your parade, BUT, the GatorLink box uses a kludge to make the
> SecurID stuff work. What you do is enter your SecurID as your userid,
> leaving a blank passwd field. Then this is sent as clear text to the SecurID
> server for verification. (via tcp/ip) While this works, I am less than
> thrilled as there is no authentication of the human typing the SecurID.
> I would prefer a second level access verification prompt. IE, login with
> userid and password, THEN demand the appropriate SecurID.
>

Hmmmmm... Something's missing here. In order for your SecurID key to work,
you have to identify yourself to the server, otherwise there is no way to
match the authentication key to the unique serial number of each card.
Also, if in fact the key is passed in plain text, as you say, it's not really
a big deal as it's a dynamic, one-time-only key (i.e. once it's used it's no
good again).

As for secondary verification, all this so far just buys you the connection
through the ARA box; you still have to (or should have to) enter
userid/password to access any servers or machines on your net. The whole
point IS to verify that the user entering his/her username is in fact that
particular user. As well, if someone is careless enough to lose their SecurID
card (and have their modem number, PIN and userinfo in the same wallet, for
example) and not report it immediately, they can be held accountable (if not
shot).

David Law - Systems Administration     Internet: davidl@Newbridge.COM
Newbridge Networks Corp.                         postmaster@Newbridge.COM
PO Box 13600, 600 March Road,          Tel: (613) 591-3600
Kanata, Ontario, Canada K2K 2E6        Fax: (613) 591-3680

From Firewalls-Owner Tue Mar 2 20:17:24 1993
From: Leland K. Neely
Date: Tue, 2 Mar 93 12:16:52 PST
Message-Id: <9303022017.AA27721@mycroft.GreatCircle.COM>
Subject: RE: SecurID & ARA Appletalk
To: firewalls@GreatCircle.COM

David Law pointed out that the services within an AppleTalk network (should)
would require additional username and password entries before use.
While in principle I agree, I wanted to quickly remind him that guest
accounts are default in the Apple schema and that the ability exists for
anyone to easily make their Mac a file server, with or without passwords.
While it is equally possible to make other systems available without
passwords, there is a different mindset in place here and I personally assume
the Mac users are likely to make the root disk available to guest users
read-write. (OK, another personnel problem, BUT - the more confident I can be
about who has access to the network, the more time I have to find and resolve
these issues without incident.)

Thanks for listening---

Lee Neely

From Firewalls-Owner Tue Mar 2 21:49:19 1993
From: mischler@Cubic.COM (Dave Mischler)
Date: Tue, 2 Mar 93 16:48:24 -0500
Message-Id: <9303022148.AA03923@norman.li.cubic.com>
To: FireWalls@GreatCircle.COM
Subject: Should packets just be dropped...

It seems that most (all?) existing packet filtering implementations simply
drop packets when they should not be passed. Wouldn't it be better to send
an ICMP Destination Unreachable type 9 "Communication with destination
network administratively prohibited" (this message is defined by RFC 1122)?
I can see a few implementation details such as not sending this message if
the denied packet is a broadcast or ICMP message. Would there be serious
problems with TCP/IP implementations based on earlier RFCs?
Dave Mischler
mischler@cubic.com

From Firewalls-Owner Wed Mar 3 00:18:23 1993
From: jim@tadpole.com (Jim Thompson)
Date: Tue, 2 Mar 93 18:18:47 CST
Message-Id: <9303030018.AA10616@tadpole.tadpole.com>
To: FireWalls@GreatCircle.COM, mischler@Cubic.COM
Subject: Re: Should packets just be dropped...

> From: mischler@Cubic.COM (Dave Mischler)
> It seems that most (all?) existing packet filtering implementations
> simply drop packets when they should not be passed. Wouldn't it be
> better to send an ICMP Destination Unreachable type 9 "Communication
> with destination network administratively prohibited" (this message is
> defined by RFC 1122).

Some routers allow you to send back Destination Unreachable messages, though
doing so can reduce the performance of your router (quite a bit), and opens
up the whole can of worms surrounding denial of service.

Consider what happens if I forge my source address to be inside some network
that I don't like, and I then flood you with datagrams that you bounce back
to 'me', unknowingly causing router meltdown somewhere on the border of, or
inside, the network that I despise.

To make matters worse, I add some IP option (a source route) that adds to
both your router's processing burden as well as the one on the unloved
network.
Jim

From Firewalls-Owner Wed Mar 3 00:23:46 1993
From: Tim Guarnieri
Date: Tue, 02 Mar 93 16:24:04 -0800
Message-Id: <9303030024.AA00337@mumble.mv.us.adobe.com>
To: mischler@cubic.com (Dave Mischler)
Cc: FireWalls@GreatCircle.COM
Subject: Re: Should packets just be dropped...
In-Reply-To: Your message of "Tue, 02 Mar 93 16:48:24 EST." <9303022148.AA03923@norman.li.cubic.com>

>> It seems that most (all?) existing packet filtering implementations
>> simply drop packets when they should not be passed. Wouldn't it be
>> better to send an ICMP Destination Unreachable type 9 "Communication
>> with destination network administratively prohibited" (this message is
>> defined by RFC 1122).

If you haven't already, you should check out Jeff Mogul's screend code (it's
available via anonymous ftp from gatekeeper.dec.com). It also comes with
Ultrix 4.2 (and above). So, if you have an Ultrix machine nearby, "man
screend" will be helpful.

It logs the packet header when packets are rejected. Also, there are switches
you can give it to log packet headers on accepted connections as well, but
that could get voluminous as it would log every packet header it saw during
the life of the connection.

The daemon (screend) compiles easily enough, but you need to make some minor
kernel mods to whatever OS you are running (if not Ultrix) for things to
work. It's all documented in the screend.tar.Z file on gatekeeper.
------
Tim Guarnieri                                    timg@mv.us.adobe.com
Adobe Systems Incorporated, Mountain View, CA    adobe!timg

From Firewalls-Owner Wed Mar 3 07:21:12 1993
From: "G. Paul Ziemba"
Date: Tue, 2 Mar 93 23:04:51 -0800
Message-Id: <9303030704.AA08478@alantec.alantec.com>
To: tcpr-notify@alantec.com
Subject: tcpr ftp bug fix release 1.1.3

All known bugs fixed as of 1.1.3. Fixed a sneaky bug in the ftp
netstat-parsing code that resulted in failed data connections in some
configurations.

Tcpr is available from the following servers via anonymous ftp:

    ftp.alantec.com           pub/tcpr
    ftp.cs.umb.edu            pub/security
    ftp.psg.com               pub/unix/netware
    grasp1.univ-lyon1.fr      pub/unix/network/tcpip/security
    ftp.denet.dk              pub/misc/tcpr

From Firewalls-Owner Wed Mar 3 08:35:05 1993
From: johng@weema.chi.uwa.edu.au (John Gibbins)
Message-Id: <9303030834.AA27383@weema.chi.uwa.edu.au>
Subject: Re: Appletalk through firewalls.
To: firewalls@GreatCircle.COM
Date: Wed, 3 Mar 93 16:34:21 WST

Mark Verber states:
> > We currently have a firewall which does not permit logins from outside
> > into our network (basically just allowing DNS, SMTP and established IP
> > connections). I am under some pressure to allow AppleTalk (i.e. EtherTalk)
> > through the firewall. Ideally I would like to limit it to just allowing
> > us to access remote services and external access to us.
>
> I find the request to permit AppleTalk through your firewall somewhat
> mystifying. How are people planning to get AppleTalk to your network?
> No network provider that I know of is routing AppleTalk so who would be
> using this hole in your firewall, and how would they get AppleTalk packets
> to your firewall?

We DO have network providers routing AppleTalk. AARNet (Australian Academic
and Research Network, of which we are part) is connected together via cisco
routers which can support routing of EtherTalk packets. They allow filtering
by network numbers and (I believe in the latest release) by zones. We also
have a PC running KarlBridge which can also do some AppleTalk filtering.

The University of Western Australia (UWA) hub router currently routes
EtherTalk so UWA users can see zones around campus and zones at another local
university. I don't think EtherTalk is being routed outside the state (i.e.
to/from the national hub) so I am most concerned about local crackers as I
doubt it would be possible for attacks to occur from outside the state
(unless they broke into a UWA machine via IP first).

Allowing EtherTalk through our departmental cisco or KarlBridge would be to
allow us to access AppleTalk printers (and possibly servers) at UWA. How
secure would limiting access to specific zones/networks via the cisco be?
KarlBridge (V1.4) allows for filtering of remote Apple printers. Would this
be reliable?
I guess I should ask Doug Karl how this is done. I would have no control over the remote sites that we would be talking to so I don't think that tunnelling would be an option (I can't make them un-encapsulate [yech - is there such a word?]). I am looking at zero cost solutions so hardware devices that provide secure IDs would not be a workable solution for us (we don't have any blind staff who wouldn't be able to read them :-). > AppleTalk doesn't have reserved ports to filter on, nor does it have > fixed addresses. Everything is dynamically bound on the fly to a name > space. The name space don't have authoritative servers so anyone can register > a name. The result is that AppleTalk is great for small scale plug and play > networks. It is a disaster for large scale secured networking. Under no > conditions would I permit an AppleTalk router into my secured network. > I am particularly interested in why you would not allow an AppleTalk router into your secured network. My gut feeling was to agree, but I'd like to be able to justify it. Is it the inability to securely identify the remote nodes for logging/packet-filtering? -- John Gibbins The Western Australian Research Institute The University of Western Australia for Child Health Ltd ,-_|\ email: johng@chi.uwa.edu.au GPO Box D184 / \ Phone: +61-9-3408547 PERTH W.A. 
6001 *_,-._/ Fax: +61-9-3883414 AUSTRALIA v "Nothing is foolproof as fools are so ingenious" From Firewalls-Owner Wed Mar 3 08:50:49 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA02808; Wed, 3 Mar 93 08:50:49 GMT Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA02801; Wed, 3 Mar 93 00:50:38 PST Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA02304 (5.65b/HUJI 4.27 for firewalls@greatcircle.com); Wed, 3 Mar 93 10:52:19 +0200 Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA24299 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Wed, 3 Mar 1993 10:52:14 +0200 Message-Id: <199303030852.AA24299@shuldig.cs.huji.ac.il> To: firewalls@GreatCircle.COM Subject: Re: Should packets just be dropped... In-Reply-To: Your message of Tue, 2 Mar 93 18:18:47 CST . <9303030018.AA10616@tadpole.tadpole.com> From: Amos Shapira Date: Wed, 03 Mar 1993 10:52:11 +0200 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <9303030018.AA10616@tadpole.tadpole.com> jim@tadpole.com (Jim Thompson) writes: |Consider what happens if I forge my source address to be inside some |network that I don't like, and I then flood you with datagrams that |you bounce back to 'me', unknowingly causing router meltdown somewhere |on the border of, or inside the network that I despise. Isn't it possible today with trying to connect to invalid ports on any host on the Internet? As far as I understand it will have the same effect. Also, to avoid flooding some protocols limit the number of responses they send in every time interval, like a packet a second. | |To make matters worse, I add some IP option (a source route) that adds |to both your router's processing burden as well as the one on the unloved network. Again, what prevents you from doing it today without the suggested change? 
| |Jim Cheers, --Amos Shapira CS System Group, Hebrew University, Jerusalem, Israel amoss@cs.huji.ac.il From Firewalls-Owner Wed Mar 3 19:23:54 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA03877; Wed, 3 Mar 93 19:23:54 GMT Received: from ucsd.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA03870; Wed, 3 Mar 93 11:23:47 PST Received: from andataco.UUCP by ucsd.edu; id AA26793 sendmail 5.67/UCSD-2.2-sun via UUCP Wed, 3 Mar 93 10:49:43 -0800 Received: from chimichanga.andataco by andataco.com (4.1/SMI-4.1) id AA27724; Wed, 3 Mar 93 10:40:04 PST Date: Wed, 3 Mar 93 10:40:04 PST From: louis@andataco.com Message-Id: <9303031840.AA27724@andataco.com> Received: by chimichanga.andataco (4.1/SMI-4.1) id AA19919; Wed, 3 Mar 93 10:37:41 PST To: FireWalls@GreatCircle.COM In-Reply-To: Dave Mischler's message of Tue, 2 Mar 93 16:48:24 -0500 <9303022148.AA03923@norman.li.cubic.com> Subject: Should packets just be dropped... Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Yes, they should be dropped. I'm new here, but: Anything else, while not necessarily a security breach, would work to deny legitimate packets, if the filtering hardware/software became over-burdened emitting the responses to the packets it was denying. Don't we usually expect our firewalls to do a *little* work, like forwarding of legitimate packets? Moderation in all things, except love. Louis M. Brune ANDATACO louis@andataco.com 9550 Waples Street 619-453-9191 x171 San Diego, CA. 
92121 From Firewalls-Owner Wed Mar 3 22:10:54 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA04357; Wed, 3 Mar 93 22:10:54 GMT Received: from joyce.cs.su.OZ.AU by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA04350; Wed, 3 Mar 93 14:10:38 PST Message-Id: <9303032210.AA04350@mycroft.GreatCircle.COM> Received: from cheops.qld.tne.oz.au (for GreatCircle.COM) with MHSnet; Thu, 04 Mar 1993 09:10:54 +1100 Date: Thu, 04 Mar 93 08:06:10 +1000 From: logier@qld.tne.oz.au (Rob Logie,NP-IT Queensland,+61 7 837 5174) To: firewalls@GreatCircle.COM Subject: Setting up firewalls Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk This is probably a FAQ, but could someone point me in the direction of information on how to setup a firewall on 3-COM Br3000(1) brouters. Thanks in Advance Rob Logie | The opinions expressed are mine alone and in Telecom Australia ACN 051 775 556 | no way reflect the views or policies of the NP-IT Operations, Queensland | Australian and Overseas Telecommunications EMAIL: logier@cheops.qld.tne.oz.au| Corporation. "These are my opinions alone" From Firewalls-Owner Fri Mar 5 07:00:37 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA06737; Fri, 5 Mar 93 07:00:37 GMT Received: from sun2.nsfnet-relay.ac.uk by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA06730; Thu, 4 Mar 93 23:00:27 PST Via: uk.co.ggr; Thu, 4 Mar 1993 18:46:39 +0000 Received: from relay.ggr.co.uk by uk0x08.ggr.co.uk; Thu, 4 Mar 93 16:17:25 GMT Received: from UKSYSA.ggr.co.uk (uksysa) by uk0x07.ggr.co.uk (5.59/imd231092) id AA13758; Thu, 4 Mar 93 16:07:56 GMT Message-Id: <9303041607.AA13758@uk0x07.ggr.co.uk> From: Ian Dunkin Date: 04 Mar 93 16:08:00 GMT Subject: Proxy Software To: jbezek@rosedale.org Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > I'm a new member to this list, and I've heard much talk about 'proxy' servers. 
> Could someone expand on how you set up a proxy servers and whether there are > any publicly-available proxy servers out there that run under SunOS 4.1.3. I was looking at this myself a little while ago. There are a few _commercially_ available servers. As part of `packaged' firewall solutions I understand that there is proxy software supplied as part of DEC's SEAL, ANS's InterLock, HSC's Gatekeeper, Raptor's Eagle - but I don't believe that any of these make their software available other than as part of their package. Also, SUN have a consulting special called Consult-IGateway that consists of just software for proxy servers (and modified clients to make their use easier). Publicly available proxy systems I know of are: `tcpr' - which has been described in these pages recently. It provides proxy telnet and ftp servers written in perl, and perl interludes to make their use by your standard telnet and ftp clients easier. (author G Paul Ziemba; anon ftp from ftp.alantec.com in pub/tcpr.) `socks' - not actually a proxy service, but a mechanism for building proxies. It gives you a sockd daemon to provide _generic_ proxy service, and some specimen modified clients (clients have to be linked with the socks library to use the socks mechanism): ftp, finger, whois. A telnet client is not supplied (because the authors did not want to divert their energies into providing a telnet that would work on all architectures), but some people have built socks-compliant telnet (and other) clients. I don't think any of these have been made _publicly_ available. (socks: authors D and M R Koblas; anon ftp from s1.gov in ~/pub.) For nntp: Marcus Ranum was kind enough to post the source of an nntp tunnel daemon on this list a while back: you should find it in the archive. I've also read here of the possibility of a public lookalike of the SUN proxy software. I. 
From Firewalls-Owner Fri Mar 5 07:10:28 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07007; Fri, 5 Mar 93 07:10:28 GMT Received: from red1.Teradyne.COM (teradyne.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA06999; Thu, 4 Mar 93 23:10:20 PST Received: from ICD.Teradyne.COM ([131.101.176.2]) by red1.Teradyne.COM (4.1/SMI-4.1/TERX-1.2) id AA10569; Wed, 3 Mar 93 19:02:32 PST Received: by ICD.Teradyne.COM (4.1/SMI-4.1/TER-1.26/attain-1.23) id AA22705; Wed, 3 Mar 93 19:03:45 PST Date: Wed, 3 Mar 93 19:03:45 PST From: jxh@ICD.Teradyne.COM (Jim Hickstein) Message-Id: <9303040303.AA22705@ICD.Teradyne.COM> To: firewalls@GreatCircle.COM Subject: archie and UDP Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk My archie client seems to want me to let UDP packets to ports >1000 through my router to/from my firewall. Isn't this a Bad Idea? Must I tell my users that they should telnet somewhere, instead? From Firewalls-Owner Fri Mar 5 07:38:34 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07562; Fri, 5 Mar 93 07:38:34 GMT Received: from uu.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07555; Thu, 4 Mar 93 23:38:22 PST Received: by uu.psi.com (5.65b/4.1.031792-PSI/PSINet) via UUCP; id AA05090 for ; Thu, 4 Mar 93 07:47:58 -0500 Received: from silver_screen.sbcoc.com (silver_screen-gate) by il.us.swissbank.com (4.1/SMI-4.1) id AA16537; Wed, 3 Mar 93 12:08:23 CST Received: from localhost by silver_screen.sbcoc.com (4.1/SMI-4.1) id AA00601; Wed, 3 Mar 93 12:08:21 CST Message-Id: <9303031808.AA00601@silver_screen.sbcoc.com> To: Leland K. Neely Cc: firewalls@GreatCircle.COM Subject: Re: Appletalk through firewalls. In-Reply-To: Your message of "Tue, 02 Mar 93 09:25:24 PST." <9303021726.AA26136@mycroft.GreatCircle.COM> X-Organization: Capital Markets and Treasury Division, Swiss Bank Corporation Date: Wed, 03 Mar 93 12:08:20 CST From: "Gordon C. 
Galligher" Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <9303021726.AA26136@mycroft.GreatCircle.COM> Leland K. Neely writes: ` ` Huh? This makes sense----- ` ` BUT I am confused. When Caymon showed the secure id stuff to me, they did ` NOT ` enter a username or password, ONLY a secure id. (Hence my concern) ` I can take 2 of my three requirements, but not one of 3. BUT, the SecureID thing that the person entered was the random number generated by the SecureID card (the physical requirement of having the card) AND the PIN number of the PERSON owning the card (this validates that the user currently holding the card is the person that is supposed to hold the card). This is better than just login/password because with that there is no physical requirement. The problem with the SecureID card is that the last four digits of the "password" that you enter IS your PIN number! As this is in plain-text, this is not the best solution. SecureID has fixed this with a more expensive card (surprise, grr) which has a keypad on it. You enter your PIN number into the card, it cons's up a totally new number based on an internal algorithm including your PIN number and then you enter that number to your system. This protects against a "snoop" attack -- they can see the number that you enter but it does NOT contain your PIN in the clear so the number is useless to them. Does this help? -- Gordon. -- Gordon C. Galligher gorpong@swissbank.com gorpong@G-Squared.com "You can have war between races, war between cultures, war between planets; but once you have war between the sexes, you eventually run out of people." -- Kerr Avon. 
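The snoop attack Gordon describes, worked through in Python as an added example (this is not code from the post and not the vendor's algorithm): a display-only card whose six-digit code is followed by the PIN typed in the clear, beside a keypad card that takes the PIN as an input to the code it computes. HMAC-SHA256 over a time slot stands in for the card's proprietary generator (an assumption), and the seed, PIN and time slots are constructed for the demonstration.

```python
"""Model of the two cards described in the post: a display-only card whose
code is followed by the PIN typed in the clear, and a keypad card that takes
the PIN as an input to the code it computes. This is an illustration, not the
vendor's algorithm: HMAC-SHA256 over a time slot stands in for the card's
proprietary generator (an assumption), and the seed and PIN are constructed."""
import hashlib
import hmac

CARD_SEED = b"constructed-seed-for-card-0001"   # secret inside the card (what you have)
USER_PIN = "4321"                                # what you know
PIN_LEN = 4

def _six_digits(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def display_code(seed: bytes, slot: int) -> str:
    """Code a display-only card shows for time slot `slot`; it depends on the
    seed and the clock only, so anyone holding the card can read it."""
    return _six_digits(hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest())

def keypad_code(seed: bytes, pin: str, slot: int) -> str:
    """Code a keypad card emits after the PIN is typed into it: the PIN is an
    input to the computation, so no digit of it appears in the output."""
    msg = pin.encode() + slot.to_bytes(8, "big")
    return _six_digits(hmac.new(seed, msg, hashlib.sha256).digest())

# What the user types at the login prompt.
def login_appended(seed: bytes, pin: str, slot: int) -> str:
    return display_code(seed, slot) + pin        # PIN travels in the clear

def login_keypad(seed: bytes, pin: str, slot: int) -> str:
    return keypad_code(seed, pin, slot)          # six digits; the PIN never leaves the card

# What the authentication server checks (it holds the same seed and PIN).
def verify_appended(passcode: str, seed: bytes, pin: str, slot: int) -> bool:
    return hmac.compare_digest(passcode, display_code(seed, slot) + pin)

def verify_keypad(passcode: str, seed: bytes, pin: str, slot: int) -> bool:
    return hmac.compare_digest(passcode, keypad_code(seed, pin, slot))

# The snoop attack: someone watched one login and later gets hold of the card.
def snooped_pin(observed_passcode: str) -> str:
    """With the appended scheme the last four digits typed ARE the PIN."""
    return observed_passcode[-PIN_LEN:]

def forge_with_stolen_card(scheme: str, observed_passcode: str, seed: bytes, slot: int) -> str:
    """Attacker now holds the card (so can produce codes for `seed`) and reuses
    the trailing digits he watched as the PIN."""
    guess = snooped_pin(observed_passcode)
    if scheme == "appended":
        return display_code(seed, slot) + guess  # guess is the real PIN: always accepted
    return keypad_code(seed, guess, slot)        # accepted only if the guess happens to be the PIN

if __name__ == "__main__":
    seen = login_appended(CARD_SEED, USER_PIN, 1000)
    forged = forge_with_stolen_card("appended", seen, CARD_SEED, 2000)
    print("display-only card: PIN leaked =", snooped_pin(seen) == USER_PIN,
          "forgery accepted =", verify_appended(forged, CARD_SEED, USER_PIN, 2000))
    seen = login_keypad(CARD_SEED, USER_PIN, 1000)
    forged = forge_with_stolen_card("keypad", seen, CARD_SEED, 2000)
    print("keypad card: forgery accepted =", verify_keypad(forged, CARD_SEED, USER_PIN, 2000))
```

In both schemes the observer sees a short string of digits; the difference is whether the PIN is merely appended to the code (so one observation plus a later theft of the card is a complete compromise) or is an input to it (so the observation tells the thief nothing about the PIN, and the card alone is useless). Replaying the observed passcode itself fails in both schemes once the time slot has moved on.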
From Firewalls-Owner Fri Mar 5 07:51:43 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07646; Fri, 5 Mar 93 07:51:43 GMT Received: from weema.chi.uwa.edu.au by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07639; Thu, 4 Mar 93 23:51:13 PST Received: by weema.chi.uwa.edu.au (5.65+/1.34) id AA01915; Thu, 4 Mar 93 08:49:58 +0800 From: johng@weema.chi.uwa.edu.au (John Gibbins) Message-Id: <9303040049.AA01915@weema.chi.uwa.edu.au> Subject: Re: Appletalk through firewalls. To: firewalls@GreatCircle.COM Date: Thu, 4 Mar 93 8:49:57 WST In-Reply-To: <9303031422.AA29352@weema.chi.uwa.edu.au>; from "Leland K. Neely" at Mar 3, 93 6:22 am X-Mailer: ELM [version 2.3 PL3] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Leland K. Neely states: > To me, it is not so much that you can or can not guarantee the source, but rather > that there are other resources besides printers that can be accessed. There is a > growing number of remote management inits for macs that can be used to take > control of a remote machine. The concept of proxy services is harder to > do with appletalk. > > Lets invent an ugly example: > I have joe user who makes his disk available r/w to any guest user. > (so he can share files easily) > I mount his disk from my hostile location, and install a copy of Timbuktu > (or whatever) and make sure that there is a copy of an IP program there. > (IE Telnet, macX, ...) > I wait for a reboot to load my init. > > Now - I grab ahold of the mac and fire up the ip client which works and displays > on my machine. I then start hacking on remote IP based machines and the like. > > Even easier-- > Hell, I could corrupt some init (such as one for viruses) that talks to tcpip > and then reports to a file that I could pick up every once in a while. > Then I replace it with some other that does something to cause a remote session > back to me from my "real" target. 
> If I could ensure that the guest user was disabled on all machines (this may not be feasible as I guess any staff/student could reenable it without me knowing, but let's assume...) then would the same problems apply? Would I just be making it slightly harder for the cracker? If I could filter on appletalk network numbers and could trust the remote network would that be safe? ie could net numbers be faked? > > OK - equal time-- you can make this better- > > A way (no claims of performance or prettiness) to be somewhat secure-- > you create an appletalk DMZ. This has a machine that has print queues for > the remote printers on either side, (maint. required) and it would also use > some sort of relay for file service mounts. (IE mount with TOPS, exported with > appleshare or something) > > IF you have other services that need to talk, then you have to put them here too > (or a relay) You have to look at this like a firewall. You don't allow DIRECT > access to your secure net. Instead, you provide external access to that which > you wish to share, and the rest is safe. As always, the bastion hosts need to > be watched. I am also not sure I like the redistribution of volumes as this > means that there is no prior review procedure to prevent dangerous or sensitive > files from being moved. > > Please be careful. I don't want to see you get burned. > Good luck! > Lee Whatever I do, I think the chances of getting burned are very small given that the network is limited to the state and I will limit it further somehow. I just want to make sure I do everything possible to ensure that the chances are as minute as possible as even a slight singe could be politically disastrous for us. thanks johng -- John Gibbins The Western Australian Research Institute The University of Western Australia for Child Health Ltd ,-_|\ email: johng@chi.uwa.edu.au GPO Box D184 / \ Phone: +61-9-3408547 PERTH W.A. 
6001 *_,-._/ Fax: +61-9-3883414 AUSTRALIA v "Nothing is foolproof as fools are so ingenious" From Firewalls-Owner Fri Mar 5 09:04:28 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07992; Fri, 5 Mar 93 09:04:28 GMT Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA07985; Fri, 5 Mar 93 01:04:18 PST Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA24148 (5.65b/HUJI 4.27 for firewalls@greatcircle.com); Fri, 5 Mar 93 11:06:12 +0200 Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA04222 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Fri, 5 Mar 1993 11:06:18 +0200 Message-Id: <199303050906.AA04222@shuldig.cs.huji.ac.il> To: firewalls@GreatCircle.COM Subject: Re: archie and UDP In-Reply-To: Your message of Wed, 3 Mar 93 19:03:45 PST . <9303040303.AA22705@ICD.Teradyne.COM> From: Amos Shapira Date: Fri, 05 Mar 1993 11:06:15 +0200 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk In message <9303040303.AA22705@ICD.Teradyne.COM> jxh@icd.teradyne.com (Jim Hickstein) writes: |My archie client seems to want me to let UDP packets to ports >1000 |through my router to/from my firewall. Isn't this a Bad Idea? Must I |tell my users that they should telnet somewhere, instead? The Archie server listens on port 1525, so I guess that if you just allow this port to/from certain archie servers then you are pretty covered, though this could still be a hole. Also it shouldn't be a big problem to proxy this service. Another option, which I'm not sure how practical it is, is to purchase an Archie "client server", this is a telnet client to which you connect and ask queries, the "server" connects through prospero to a "real" Archie server. You should be able to get more info from bajan@bunyip.com. 
Hope this helps, --Amos Shapira CS System Group, Hebrew University, Jerusalem, Israel amoss@cs.huji.ac.il From Firewalls-Owner Fri Mar 5 09:29:06 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA08081; Fri, 5 Mar 93 09:29:06 GMT Received: from mailhost.canon.co.uk by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA08074; Fri, 5 Mar 93 01:28:40 PST Received: from crash (crash.canon.co.uk) by mailhost.canon.co.uk (4.1/SMI-4.1) id AA17983; Fri, 5 Mar 93 09:28:53 GMT Received: by crash (4.1/SMI-4.1) id AA02704; Fri, 5 Mar 93 09:28:46 GMT From: tim@canon.co.uk (Tim F O'Donoghue) Subject: Re: archie and UDP To: jxh@ICD.Teradyne.COM (Jim Hickstein) Date: Fri, 5 Mar 93 9:28:46 GMT Cc: firewalls@GreatCircle.COM In-Reply-To: <9303040303.AA22705@ICD.Teradyne.COM>; from "Jim Hickstein" at Mar 3, 93 7:03 pm Message-Id: <93Mar05."09:28".2700tim@canon.co.uk> X-Mailer: ELM [version 2.3 PL11] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Jim Hickstein writes: |My archie client seems to want me to let UDP packets to ports >1000 |through my router to/from my firewall. Isn't this a Bad Idea? Must I |tell my users that they should telnet somewhere, instead? We too faced a problem with archie (well xarchie) because it used the UDP-based prospero protocol. Since we use a router to filter out all UDP (well inbound anyway), we couldn't talk prospero with the outside world, ie xarchie died. As you'd expect, users weren't too happy. So the solution I implemented was to ensure that xarchie was able to bind to 901 for its prospero (basically I made it setuid and added a couple of setreuids). The only UDP I now allow in thru the router is anything which has a destination of 901 on our subnet. Does anyone see any potential (or even glaringly obvious) problems with this? Tx. 
-- Tim F O'Donoghue From Firewalls-Owner Fri Mar 5 16:17:22 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09018; Fri, 5 Mar 93 16:17:22 GMT Received: from uu.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09007; Fri, 5 Mar 93 08:17:13 PST Received: from commpost.UUCP by uu.psi.com (5.65b/4.1.031792-PSI/PSINet) via UUCP; id AA15260 for ; Fri, 5 Mar 93 10:49:54 -0500 Received: by ml.com (/\==/\ Smail3.1.24.1 #24.2) id ; Fri, 5 Mar 93 10:27 EST Received: by pilot.dmg.ml.com (/\==/\ Smail3.1.24.1 #24.3) id ; Fri, 5 Mar 93 10:26 EST Message-Id: Received: by thor.sysdev.dmg.ml.com (16.8/16.2) id AA27487; Fri, 5 Mar 93 10:28:56 -0500 Date: Fri, 5 Mar 93 10:28:56 -0500 From: "Jon S. Stumpf" To: firewalls@GreatCircle.COM Subject: SecureID PIN (Was Re: Appletalk through firewalls.) Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > To: Leland K. Neely > Subject: Re: Appletalk through firewalls. > Date: Wed, 03 Mar 93 12:08:20 CST > From: "Gordon C. Galligher" > The problem with the SecureID card is that the last four digits of the > "password" that you enter IS your PIN number! As this is in > plain-text, this is not the best solution. SecureID has fixed this > with a more expensive card (surprise, grr) which has a keypad on it. Now, couldn't what you know be, instead of a fixed number of some length, a simple transform such as "swap the second and fourth digits" of the random number generated? This would not involve a new card (with a keypad) since you are doing the transform (albeit, a simple one) instead of the card. Therefore, no extra cost for a new card and a simple software change on the central device. Since the transform needs to be something simple to remember without writing down (e.g., add 25 or mutate the string), this will work only if the original number is not public (i.e., the card owner makes sure no one sees the display and the transform together). - jss PS: Or am I just missing something? 
-------------------------------------------------------------------------- Jon S. Stumpf jon.s.stumpf@sysdev.dmg.ml.com Merrill Lynch World Financial Center (212) 449-0498 Phone North Tower (212) 449-0912 Fax New York, N.Y. 10281-1315 -------------------------------------------------------------------------- From Firewalls-Owner Fri Mar 5 18:33:45 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09638; Fri, 5 Mar 93 18:33:45 GMT Received: from ctt.ctt.bellcore.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09631; Fri, 5 Mar 93 10:33:36 PST Received: from shadow.secure.bellcore.com by ctt.ctt.bellcore.com (4.1/1.34) id AA24073; Fri, 5 Mar 93 13:34:03 EST Received: by shadow.secure.bellcore.com (4.1/SMI-4.1) id AA21213; Fri, 5 Mar 93 13:22:22 EST Date: Fri, 5 Mar 93 13:22:22 EST From: R.F. Graveman Message-Id: <9303051822.AA21213@shadow.secure.bellcore.com> To: jss@sysdev.dmg.ml.com Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.) Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Jon What you're missing is that the pin is assigned to be unique per organization and used as an index into a table of seeds (i.e., keys) used to run the same algorithm and check the number on the display. Rich Graveman, Bellcore From Firewalls-Owner Fri Mar 5 19:19:10 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09878; Fri, 5 Mar 93 19:19:10 GMT Received: from cray.com (timbuk.cray.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA09871; Fri, 5 Mar 93 11:18:46 PST Received: from matrix.cray.com by cray.com (4.1/CRI-MX 2.13) id AA17880; Fri, 5 Mar 93 13:19:11 CST Received: by matrix.cray.com id AA06107; 4.1/CRI-5.6a; Fri, 5 Mar 93 13:19:09 CST From: btk@matrix.cray.com (Bryan Koch) Message-Id: <9303051919.AA06107@matrix.cray.com> Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.) To: rfg@ctt.bellcore.com (R.F. 
Graveman) Date: Fri, 5 Mar 93 13:19:07 CST Cc: jss@sysdev.dmg.ml.com, firewalls@GreatCircle.COM In-Reply-To: <9303051822.AA21213@shadow.secure.bellcore.com>; from "R.F. Graveman" at Mar 5, 93 1:22 pm X-Mailer: ELM [version 2.3 PL0] Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > What you're missing is that the pin is assigned to be unique > per organization and used as an index into a table of seeds > (i.e., keys) used to run the same algorithm and check the > number on the display. At least for non-PIN-pad cards, the PIN is indeed a password. For Security Dynamics' software products (ACM-4100/7100/ACE-Server et al), each user has a PIN. The administrators can either force PINs to be set for each user, in which case they may well be globally unique (within an organization), or to allow users to select their own PINs. In the latter situation, it can be the case that a single PIN is assigned to more than one user. Bryan Koch, Cray Research From Firewalls-Owner Fri Mar 5 22:06:23 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA10217; Fri, 5 Mar 93 22:06:23 GMT Received: from sgigate.sgi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA10210; Fri, 5 Mar 93 14:05:44 PST Received: from yeager.corp.sgi.com by sgigate.sgi.com via SMTP (920330.SGI/920502.SGI) for jss@sysdev.dmg.ml.com id AA00578; Fri, 5 Mar 93 11:36:23 -0800 Received: by yeager.corp.sgi.com (921113.SGI/911001.SGI) for lear id AA06224; Fri, 5 Mar 93 10:57:39 -0800 Date: Fri, 5 Mar 93 10:57:38 PST From: Eliot Lear To: R.F. Graveman Cc: jss@sysdev.dmg.ml.com, firewalls@GreatCircle.COM Subject: Re: SecureID PIN (Was Re: Appletalk through firewalls.) 
In-Reply-To: Your message of Fri, 5 Mar 93 13:22:22 EST Message-Id: Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > What you're missing is that the pin is assigned to be unique > per organization and used as an index into a table of seeds > (i.e., keys) used to run the same algorithm and check the > number on the display. The way all these systems work is that the cards are indexed in some out of band manner. Sometimes this means that they are programmed and the serial number of the card is used as the index. Sometimes the programming occurs at the time of assignment, and thus the only index is user supplied, such as login name. Eliot Lear [lear@sgi.com] From Firewalls-Owner Mon Mar 8 23:23:38 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16835; Mon, 8 Mar 93 23:23:38 GMT Received: from saturn.wwc.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16826; Mon, 8 Mar 93 15:23:29 PST Subject: What package do I need? To: firewalls@GreatCircle.COM Date: Mon, 8 Mar 93 15:28:00 PST From: Ted Ashton X-Mailer: ELM [version 2.3 PL11] Message-Id: <9303081528.aa01463@saturn.wwc.edu> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Greetings, I am a rather new SysAdmin on a Dell SysV R4 system, and am trying to setup selective routing for our site. I would like to accomplish this in two steps, as one is an order of magnitude more important than the other. First, I would like to allow one set of addresses (specifying both a range and specific addresses) complete access to the net. Second I would like to allow another set of addresses the ability to connect outbound, but to appear disconnected from the outside (proxy type of application). The Dell machine I am on is in between the net and us (two network cards), and currently is not routing at all. So it will be the firewall. 
I have found socks, which seems to be a pretty good solution to part 2, but for part 1, which is what we need the most, I don't know where to look. -- Ted Ashton (ashted@wwc.edu) Campus Computer Center (509) 527-2307 Walla Walla College College Place, WA 99324 "The slide rule liveth still." From Firewalls-Owner Tue Mar 9 09:12:13 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19520; Tue, 9 Mar 93 09:12:13 GMT Received: from uu2.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19513; Tue, 9 Mar 93 01:11:52 PST Received: from race.afsc.noaa.gov by uu2.psi.com (5.65b/4.0.071791-PSI/PSINet) via SMTP; id AA16139 for Firewalls-Digest@greatcircle.com; Tue, 9 Mar 93 04:12:15 -0500 Received: from relay1.UU.NET by race.afsc.noaa.gov (4.1/3.1.090690-NOAA/NMFS) id AA02583; Tue, 9 Mar 93 01:14:43 PST Received: from mycroft.GreatCircle.COM by relay1.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA01090; Tue, 9 Mar 93 04:08:08 -0500 Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19495; Tue, 9 Mar 93 09:00:10 GMT Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19480; Tue, 9 Mar 93 01:00:05 PST Date: Tue, 9 Mar 93 01:00:05 PST Message-Id: <9303090900.AA19480@mycroft.GreatCircle.COM> From: Firewalls-Digest-Owner@GreatCircle.COM To: Firewalls-Digest@GreatCircle.COM Subject: Firewalls Digest V2 #44 Reply-To: Firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Firewalls Digest Tuesday, 9 March 1993 Volume 02 : Number 044 In this issue: What package do I need? See the end of the digest for information on subscribing to the Firewalls or Firewalls-Digest mailing lists and on how to retrieve back issues. ---------------------------------------------------------------------- >From: Ted Ashton Date: Mon, 8 Mar 93 15:28:00 PST Subject: What package do I need? 
------------------------------ End of Firewalls Digest V2 #44 ****************************** To subscribe to Firewalls-Digest, send the command: subscribe firewalls-digest in the body of a message to "Majordomo@GreatCircle.COM". If you want to subscribe something other than the account the mail is coming from, such as a local redistribution list, then append that address to the "subscribe" command; for example, to subscribe "local-firewalls": subscribe firewalls-digest local-firewalls@your.domain.net A non-digest (direct mail) version of this list is also available; to subscribe to that instead, replace all instances of "firewalls-digest" in the commands above with "firewalls". Compressed back issues are available for anonymous FTP from FTP.GreatCircle.COM, in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the volume number, and "MMM" is the issue number). 
From Firewalls-Owner Tue Mar 9 17:59:48 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20622; Tue, 9 Mar 93 17:59:48 GMT Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20613; Tue, 9 Mar 93 09:59:42 PST Message-Id: <9303091759.AA20613@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: Firewalls-Digest forwarded to main list by broken mailer Reply-To: Brent@GreatCircle.COM Date: Tue, 09 Mar 93 09:59:40 -0800 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk If any of you on the main Firewalls mailing list were wondering why you got an issue of Firewalls-Digest this morning... It appears that somebody's mailer looped last night's Firewalls-Digest issue back to the main Firewalls mailing list. I know which site is having the problem, and they're working to correct it. My apologies, and we'll see if we can keep it from happening again. -Brent -- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From Firewalls-Owner Thu Mar 11 20:56:22 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA04473; Thu, 11 Mar 93 20:56:22 GMT Received: from netcom.netcom.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA04466; Thu, 11 Mar 93 12:56:15 PST Received: by netcom.netcom.com (5.65/SMI-4.1/Netcom) id AA26992; Thu, 11 Mar 93 12:56:19 -0800 Date: Thu, 11 Mar 93 12:56:19 -0800 From: gpsemi@netcom.com (GEC Plessey) Message-Id: <9303112056.AA26992@netcom.netcom.com> To: Firewalls@GreatCircle.COM Subject: Help! I need an example set of CISCO ACL's Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Hello. Probably a stupid question... But I lose sleep at night worrying about what are the correct/best CISCO ACL's to allow a firewall node behind a cisco access to the following internet services. 
Cisco haven't been much help here despite repeated questions.

    ping
    DNS
    telnet
    archie
    traceroute
    ftp

Having "tightened" them up recently, I now discover that ftp has stopped working!

!firewall node=A.A.A.A
!Packets going to Local Ethernet Cable
no access-list 101
access-list 101 permit ip A.A.0.0 0.0.255.255 A.A.0.0 0.0.255.255
access-list 101 permit icmp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0
access-list 101 permit tcp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0 established
access-list 101 permit tcp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0 eq 540
access-list 101 permit udp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0 lt 922
access-list 101 permit udp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0 gt 900
access-list 101 permit udp 0.0.0.0 255.255.255.255 A.A.A.A 0.0.0.0 gt 1023
!
!
!
!Packets going out on X25 line to kent
no access-list 111
access-list 111 permit tcp A.A.0.0 0.0.255.255 0.0.0.0 255.255.255.255 established
access-list 111 permit icmp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 7
access-list 111 permit udp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 7
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 20
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 21
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 23
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 53
access-list 111 permit udp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 53
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 540
access-list 111 permit tcp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 119
access-list 111 permit udp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 eq 1525
access-list 111 permit udp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 gt 33433
access-list 111 permit udp A.A.A.A 0.0.0.0 0.0.0.0 255.255.255.255 lt 33500

================================================================= Fergus McMenemie GEC Plessey Semiconductors Email: 
gpsemi@netcom.com
=================================================================

From Firewalls-Owner Sun Mar 14 01:32:30 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12176; Sun, 14 Mar 93 01:32:30 GMT
Received: from uu.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12167; Sat, 13 Mar 93 17:32:20 PST
Received: from buf.cubic.com by uu.psi.com (5.65b/4.1.031792-PSI/PSINet) via SMTP; id AA24755 for FireWalls@greatcircle.com; Sat, 13 Mar 93 20:32:38 -0500
From: Dave Mischler
X-Mailer: SCO System V Mail (version 3.2)
To: FireWalls@GreatCircle.COM
Subject: DNS Client Ports
Date: Sat, 13 Mar 93 20:34:27 EST
Message-Id: <9303132034.aa00423@buf.cubic.com>
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I have recently added selective packet logging to my packet filter code
for KA9Q (it will be ready for release soon), and I have noticed some DNS
requests from non-privileged ports from various machines on the net. I am
currently only allowing UDP DNS from any address with a source port of 53
to reach my externally accessible name server. Should I allow "random"
client ports through? What are the security implications?

Dave Mischler
mischler@cubic.com

From Firewalls-Owner Sun Mar 14 02:22:14 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12275; Sun, 14 Mar 93 02:22:14 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12268; Sat, 13 Mar 93 18:22:08 PST
Received: by TIS.COM (4.1/SUN-5.64) id AA28805; Sat, 13 Mar 93 21:22:38 EST
Date: Sat, 13 Mar 93 21:22:38 EST
From: Marcus J Ranum
Message-Id: <9303140222.AA28805@TIS.COM>
To: FireWalls@GreatCircle.COM, mischler@cubic.com
Subject: Re: DNS Client Ports
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>Should I allow "random" client ports through? What are the security
>implications?
	One implication is that anyone with a tunnelling driver can
run IP tunnelled through your firewall using NS packets as the
transport layer.

	Yes, I have code that does this. ;)

mjr.

From Firewalls-Owner Sun Mar 14 04:12:16 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12451; Sun, 14 Mar 93 04:12:16 GMT
Received: from Spectrum.CMC.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12444; Sat, 13 Mar 93 20:12:09 PST
Received: by Spectrum.CMC.COM (4.1/SMI-4.1(Spectrum)) id AA16731; Sat, 13 Mar 93 20:10:15 PST
Newsgroups: list.firewalls
Path: lars
From: lars@spectrum.CMC.COM (Lars Poulsen)
Subject: Re: DNS Client Ports
Message-Id: <1993Mar14.041004.16681@spectrum.CMC.COM>
Organization: CMC Network Systems (Rockwell DCD), Santa Barbara, CA, USA
References: <9303140222.AA28805@TIS.COM>
Date: Sun, 14 Mar 93 04:10:04 GMT
Apparently-To: firewalls@greatcircle.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Dave Mischler asks:
>>Should I allow "random" client ports through? What are the security
>>implications?

In article <9303140222.AA28805@TIS.COM> mjr@TIS.COM (Marcus J Ranum) writes:
>	One implication is that anyone with a tunnelling driver can
>run IP tunnelled through your firewall using NS packets as the
>transport layer.
>
>	Yes, I have code that does this. ;)

You need to allow access to port 53 on your DNS server from ANYWHERE
unless you want to preclude many normal maintenance and troubleshooting
activities. (NSLOOKUP for example).

And no, you probably should not allow access to port 53 of other machines
inside to cross the firewall. The above is a good example why.
--
/ Lars Poulsen, SMTS Software Engineer          Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l         Telephone: +1-805-968-4262
  Santa Barbara, CA 93117-3083                  TeleFAX:   +1-805-968-8256

From Firewalls-Owner Sun Mar 14 07:13:29 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13069; Sun, 14 Mar 93 07:13:29 GMT
Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13062; Sat, 13 Mar 93 23:13:16 PST
Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA05130 (5.65b/HUJI 4.27 for firewalls@greatcircle.com); Sun, 14 Mar 93 09:14:56 +0200
Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA17905 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Sun, 14 Mar 1993 09:14:57 +0200
Message-Id: <199303140714.AA17905@shuldig.cs.huji.ac.il>
To: firewalls@GreatCircle.COM
Subject: Re: DNS Client Ports
In-Reply-To: Your message of Sat, 13 Mar 93 21:22:38 EST . <9303140222.AA28805@TIS.COM>
From: Amos Shapira
Date: Sun, 14 Mar 1993 09:14:50 +0200
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In message <9303140222.AA28805@TIS.COM> you write:
|>Should I allow "random" client ports through? What are the security
|>implications?
|
|	One implication is that anyone with a tunnelling driver can
|run IP tunnelled through your firewall using NS packets as the
|transport layer.
|
|	Yes, I have code that does this. ;)
|
|mjr.

You mean that it could be used to transfer data you don't want to be
transferred to/from your site, right? If I don't hold secrets at my site
and just want to prevent un-authorised access from outside then I
shouldn't be concerned with it (at least not too much), right?

(just this Friday we had to erect a firewall due to a breakin in another
uni and I found that I had to let port 53 through from anywhere to
anywhere, at least for now).
Cheers,

--Amos Shapira
CS System Group, Hebrew University, Jerusalem, Israel
amoss@cs.huji.ac.il

From Firewalls-Owner Sun Mar 14 20:17:17 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14552; Sun, 14 Mar 93 20:17:17 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14545; Sun, 14 Mar 93 12:17:10 PST
Received: by TIS.COM (4.1/SUN-5.64) id AA27691; Sun, 14 Mar 93 14:31:37 EST
Date: Sun, 14 Mar 93 14:31:37 EST
From: Marcus J Ranum
Message-Id: <9303141931.AA27691@TIS.COM>
To: amoss@cs.huji.ac.il, firewalls@GreatCircle.COM
Subject: Re: DNS Client Ports
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>|	One implication is that anyone with a tunnelling driver can
>|run IP tunnelled through your firewall using NS packets as the
>|transport layer.
>
>You mean that it could be used to transfer data you don't want to be transferred
>to/from your site, right? If I don't hold secrets at my site and just want to
>prevent un-authorised access from outside then I shouldn't be concerned with
>it (at least not too much), right?

	Right. It depends on the security policy you're trying to enforce.
If you don't have any concern about someone exporting data from your
network, and you more or less trust all the folks on your network not
to try to circumvent your security, then you're OK. Tunnelling is only
a threat if you have someone who, for some reason or other, feels that
they want to get around your firewall completely, or wants to let a
buddy in. Since usually setting up a tunnel involves some games with
routing on both ends, it's not as if it's going to leave you open to
the entire internet.

	I guess if someone did break into a machine on the inside, setting
up a tunnel would be a pretty nice way of getting in and out of your
network to play around, since it lets you completely side-step the
firewall. I haven't put any real thought into other fun attacks you can
launch with a tunnelling driver.
The version I wrote doesn't do access checks on the interface(!) so
anyone can do the equivalent of an "ifconfig" on it. It detaches itself
from the interface list when it's closed down, so aside from /dev/tun*
it's invisible when you shut it off. (And of course the device can be
named anything you like)

	- Depending on the local routing situation, if folks rely on
.rhosts, you might be able to somehow bring up a tunnel and make it
pretend to be another machine for the purposes of spoofing rlogin and
whatnot, but I don't see what that buys you. I guess you could spoof a
remote machine by advertising a route (if the victim's site uses RIP)
and configuring a tunnel to pretend to be that machine. Might come in
handy for breaking in via NFS, come to think of it.

	I'm not sure how much of a threat tunnelling poses. It's certainly
an interesting (and amusing!) problem, though. It's less amusing if you
are concerned with controlling export of information, or are dealing
with an industrial spy or someone who really has it in for you and
wants to let all his buddies in to dance on your net.

mjr.

From Firewalls-Owner Mon Mar 15 09:54:32 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16425; Mon, 15 Mar 93 09:54:32 GMT
Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16418; Mon, 15 Mar 93 01:53:59 PST
Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA16690 (5.65b/HUJI 4.105); Mon, 15 Mar 93 11:55:29 +0200
Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA15945 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Mon, 15 Mar 1993 11:55:31 +0200
Message-Id: <199303150955.AA15945@shuldig.cs.huji.ac.il>
To: firewalls@GreatCircle.COM
Subject: Cisco access-list compiler anyone?
From: Amos Shapira
Date: Mon, 15 Mar 1993 11:55:29 +0200
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I need a programme to translate a simple looking access-list into something
the Cisco can grok. Preferably it should know about host names, networks
(and network names which I define for clarity?) and which rule should go to
which interface (e.g. if I want to allow ftp to a certain machine then the
rule should go only to the interface through which the machine is connected).

Does anyone know about such a beast? I heard a rumor that there is (that's
why I'm asking) but he couldn't tell me where he saw it.

Thanks for any hints,

--Amos Shapira (Jumper Extraordinaire)   | "It is true that power corrupts,
C.S. System Group, Hebrew University,    | but absolute power is better!"
Jerusalem 91904, ISRAEL                  |
amoss@cs.huji.ac.il                      |     -- the Demon to his son

From Firewalls-Owner Mon Mar 15 18:27:20 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA17492; Mon, 15 Mar 93 18:27:20 GMT
Received: from tadpole.tadpole.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA17484; Mon, 15 Mar 93 10:27:11 PST
Received: from chiba.tadpole.com by tadpole.tadpole.com (4.1/SMI-4.1) id AA10869; Mon, 15 Mar 93 12:27:42 CST
Date: Mon, 15 Mar 93 12:27:42 CST
From: jim@tadpole.com (Jim Thompson)
Message-Id: <9303151827.AA10869@tadpole.tadpole.com>
To: firewalls@GreatCircle.COM, amoss@cs.huji.ac.il
Subject: Re: Cisco access-list compiler anyone?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> I need a programme to translate a simple looking access-list into something
> the Cisco can grok. Preferably it should know about host names, networks
> (and network names which I define for clarity?) and which rule should go to
> which interface (e.g. if I want to allow ftp to a certain machine then the
> rule should go only to the interface through which the machine is connected).
The closest thing I've seen (yet), which does little of what you want,
is ftp.cisco.com:masks.c. From the description:

masks.c         C program that builds IP/DECNet/Appletalk access lists.
                No support; no guarantees.

Jim

From Firewalls-Owner Tue Mar 16 16:37:18 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20238; Tue, 16 Mar 93 16:37:18 GMT
Received: from mwunix.mitre.org by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20231; Tue, 16 Mar 93 08:36:58 PST
Received: from smiley.mitre.org by mwunix.mitre.org (5.61/SMI-2.2) id AA12305; Tue, 16 Mar 93 11:37:08 -0500
Received: from [128.29.140.151] (woycke-mac.mitre.org) by smiley.mitre.org.sit (4.1/SMI-4.1) id AA06634; Tue, 16 Mar 93 11:09:40 EST
Message-Id: <9303161609.AA06634@smiley.mitre.org.sit>
Date: Tue, 16 Mar 1993 11:15:05 -0400
To: Firewalls@GreatCircle.COM
From: woycke@smiley.mitre.org (Daniel Woycke)
X-Sender: woycke@128.29.140.20
Subject: Access-lists and performance question
Cc: mckenney@smiley.mitre.org, mccollum@mitre.org
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Firewallers,

Has anyone out there noticed or even measured the performance hit they
take when they configure a large number of access-lists? The Cisco
manuals say that there will be an impact, but give no numbers. Anyone out
there have any info?

----------
Thank You,

Daniel W. Woycke             |"I went out drinking with Thomas
Information Engineer (c) 1992|Paine..." -- Billy Bragg
The MITRE Corporation        |"But I am still thirsty..."
7525 Colshire Drive (MS Z213)|-- Arrested Development
McLean, VA 22102             |These opinions are mine and are not
phone: (703) 883-1362        |and will not be held by anyone else.
From Firewalls-Owner Tue Mar 16 16:56:58 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20274; Tue, 16 Mar 93 16:56:58 GMT
Received: from relay.pipex.net by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20267; Tue, 16 Mar 93 08:56:43 PST
X400-Received: by mta relay.pipex.net in /PRMD=pipex/ADMD=cwmail/C=GB/; Relayed; Tue, 16 Mar 1993 16:56:41 +0000
X400-Received: by /PRMD=icl/ADMD=gold 400/C=GB/; Relayed; Tue, 16 Mar 1993 16:51:38 +0000
Date: Tue, 16 Mar 1993 16:51:38 +0000
X400-Originator: R.P.Handy@ste0411.wins.icl.co.uk
X400-Recipients: firewalls@GreatCircle.COM
X400-Mts-Identifier: [/PRMD=icl/ADMD=gold 400/C=GB/;ste0411 0000042100000905]
X400-Content-Type: P2-1984 (2)
Content-Identifier: 905
From: R.P.Handy@ste0411.wins.icl.co.uk
Message-Id: <"905*/I=RP/S=Handy/OU=ste0411/O=icl/PRMD=icl/ADMD=gold 400/C=GB/"@MHS>
To: firewalls@GreatCircle.COM
Subject: Firewall Products
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hello,

I am trying to find out what complete (or nearly complete!) firewall
products are available in the UK; anything from full turnkey systems to
shareware. Anyone selling their own products, please e-mail me directly.

Thanks,
Richard Handy

From Firewalls-Owner Tue Mar 16 22:29:19 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22400; Tue, 16 Mar 93 22:29:19 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22393; Tue, 16 Mar 93 14:29:13 PST
Received: from TIS.COM by TIS.COM (4.1/SUN-5.64) id AA09412; Tue, 16 Mar 93 17:30:03 EST
Message-Id: <9303162230.AA09412@TIS.COM>
To: firewalls@GreatCircle.COM
Subject: Packet filtering and FTP
Date: Tue, 16 Mar 93 17:29:58 -0500
From: "David I. Dalva"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Summary: Cisco "established" keyword breaks FTP-DATA.

I am having FTP trouble when I configure my Cisco to only permit established
TCP connections above port 1024.
When a new (random) port is created for FTP-DATA (e.g., as the result of
a "dir"), the Cisco prohibits the connection since it doesn't meet the
"established" criteria.

Does anybody know what the port range is for randomly allocated ports, or
another way to get around this problem?

Dave Dalva
Trusted Information Systems, Inc.
Glenwood, MD 21738
+1 301 854-6889
+1 301 854-5363 FAX

From Firewalls-Owner Tue Mar 16 23:02:06 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22521; Tue, 16 Mar 93 23:02:06 GMT
Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22494; Tue, 16 Mar 93 14:58:18 PST
Message-Id: <9303162258.AA22494@mycroft.GreatCircle.COM>
To: "David I. Dalva"
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
In-Reply-To: Your message of Tue, 16 Mar 93 17:29:58 -0500
Date: Tue, 16 Mar 93 14:58:17 -0800
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

# Summary: Cisco "established" keyword breaks FTP-DATA.
#
# I am having FTP trouble when I configure my Cisco to only permit established
# TCP connections above port 1024. When a new (random) port is created for
# FTP-DATA (e.g., as the result of a "dir"), the Cisco prohibits the connection
# since it doesn't meet the "established" criteria.
#
# Does anybody know what the port range is for randomly allocated ports, or
# another way to get around this problem?

This is one of the reasons the Cisco "established" keyword, all by itself
and without the ability to look at source IP port numbers, isn't all that
useful in the real world.

The "problem" is that the "data" channel of an FTP connection is
established from the server back to the client. The FTP client opens a
command channel to the server. When it's ready to receive data, it grabs
a random port, >1024 on a UNIX system with BSD-derived networking, and
tells the server (through the command channel) the port number it's
listening for data on.
The server opens a connection from the FTP-DATA port on the server (port
20) to this random port on the client machine. It's this "backwards" open
(the server opening a connection to the client) that makes FTP tricky to
deal with in a firewall.

You might be able to modify your FTP client to always pick its "random"
data port from a small range, or something obnoxious like that.

-Brent
--
Brent Chapman                           Great Circle Associates
Brent@GreatCircle.COM                   1057 West Dana Street
+1 415 962 0841                         Mountain View, CA 94041

From Firewalls-Owner Tue Mar 16 16:02:43 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22613; Tue, 16 Mar 93 23:29:30 GMT
Received: from research.att.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22606; Tue, 16 Mar 93 15:29:24 PST
Message-Id: <9303162329.AA22606@mycroft.GreatCircle.COM>
From: smb@research.att.com
Received: by gryphon; Tue Mar 16 18:25:32 EST 1993
To: "David I. Dalva"
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
Date: Tue, 16 Mar 93 18:25:32 EST
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

	 Summary: Cisco "established" keyword breaks FTP-DATA.

	 I am having FTP trouble when I configure my Cisco to only permit
	 established TCP connections above port 1024. When a new (random)
	 port is created for FTP-DATA (e.g., as the result of a "dir"), the
	 Cisco prohibits the connection since it doesn't meet the
	 "established" criteria.

	 Does anybody know what the port range is for randomly allocated
	 ports, or another way to get around this problem?

There is no such range. Or rather, even though UNIX systems tend to
allocate random ports somewhere above 1024, there's no ban on servers in
that range -- witness X11. I know of no way to do what you want in a safe
fashion. I wish I did.
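The three threads above (Fergus's Cisco lists that broke ftp, the question of which client ports to let reach a name server, and Brent's explanation of the FTP-DATA "backwards" open) all come down to how a stateless filter judges one packet at a time. The following is an added example written for this archive, not code from any of the posters or from Cisco: a small evaluator for the 1993-era Cisco extended access-list syntax quoted in the thread (protocol, source/destination with wildcard masks, a destination-port operator, and "established"), plus an RFC 959 PORT-command decoder. The addresses are constructed documentation ranges, with 192.0.2.1 standing in for the firewall node that the poster wrote as A.A.A.A, and the sample list is a cut-down list 101 in the same spirit.

```python
"""Stateless packet filter modelled on the Cisco extended access-list syntax
quoted in this thread.  Added example; not code from the list or from Cisco.
Addresses are constructed: 192.0.2.1 plays the firewall node, 192.0.2.50
another inside host, 198.51.100.x and 203.0.113.x are outside hosts.

Rule form handled (destination-port operator only, as in the posted lists):
  access-list N permit|deny PROTO SRC SRC-WILD DST DST-WILD [eq|gt|lt PORT] [established]
A 1 bit in a wildcard mask means "don't care".  "established" matches only
TCP segments carrying ACK or RST, so a fresh SYN never matches it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # only ACK and RST matter to "established"
    rst: bool = False


@dataclass
class Rule:
    action: str
    proto: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    port_op: Optional[str] = None   # eq / gt / lt on the destination port
    port: int = 0
    established: bool = False


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_acl(text: str) -> List[Rule]:
    """Parse access-list lines; '!' comments and 'no access-list' are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or line.startswith("no "):
            continue
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        rule = Rule(tok[2], tok[3], _ip(tok[4]), _ip(tok[5]), _ip(tok[6]), _ip(tok[7]))
        rest = tok[8:]
        while rest:
            word = rest.pop(0)
            if word in ("eq", "gt", "lt"):
                rule.port_op, rule.port = word, int(rest.pop(0))
            elif word == "established":
                rule.established = True
            else:
                raise ValueError(f"unsupported token {word!r} in {line!r}")
        rules.append(rule)
    return rules


def _addr_match(addr: int, rule_addr: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must be equal.
    return ((addr ^ rule_addr) & ~wild & 0xFFFFFFFF) == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_match(_ip(pkt.src), rule.src, rule.src_wild):
        return False
    if not _addr_match(_ip(pkt.dst), rule.dst, rule.dst_wild):
        return False
    if rule.port_op:
        ok = {"eq": pkt.dport == rule.port, "gt": pkt.dport > rule.port,
              "lt": pkt.dport < rule.port}
        if not ok[rule.port_op]:
            return False
    # "established" looks only at flag bits the sender controls: no state.
    if rule.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an implicit deny ends every list, as on the router."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def parse_port_command(arg: str):
    """Decode an FTP PORT argument h1,h2,h3,h4,p1,p2 into (ip, port) per RFC 959."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# Constructed inbound list in the spirit of the poster's list 101.
SAMPLE_ACL = """
!Packets from the outside towards the firewall node 192.0.2.1
no access-list 101
access-list 101 permit tcp 0.0.0.0 255.255.255.255 192.0.2.1 0.0.0.0 established
access-list 101 permit udp 0.0.0.0 255.255.255.255 192.0.2.1 0.0.0.0 eq 53
access-list 101 permit udp 0.0.0.0 255.255.255.255 192.0.2.1 0.0.0.0 gt 1023
"""


def demo() -> Dict[str, str]:
    """Run constructed packets through SAMPLE_ACL and return each verdict."""
    rules = parse_acl(SAMPLE_ACL)
    # The client sent "PORT 192,0,2,1,4,2"; the server now opens 20 -> 1026 with a bare SYN.
    data_ip, data_port = parse_port_command("192,0,2,1,4,2")
    cases = {
        "dns query from random client port to our name server":
            Packet("udp", "198.51.100.7", "192.0.2.1", 1234, 53),
        "dns query to port 53 on another internal host":
            Packet("udp", "198.51.100.7", "192.0.2.50", 1234, 53),
        "ftp control channel reply (ACK set)":
            Packet("tcp", "203.0.113.9", "192.0.2.1", 21, 1025, ack=True),
        "ftp-data connection opened by the server (SYN only)":
            Packet("tcp", "203.0.113.9", data_ip, 20, data_port),
        "bare ACK from anywhere to any port on the firewall node":
            Packet("tcp", "203.0.113.9", "192.0.2.1", 40000, 1026, ack=True),
    }
    return {name: evaluate(rules, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:6s} {name}")
```

The verdicts show the two points the thread makes: the server's FTP-DATA SYN is denied because "established" only ever matches ACK or RST, while a bare ACK from any outside host to any port on the node is permitted, which is why Brent calls the keyword of limited use without source-port matching; and a query to port 53 on the name server passes whatever client port it comes from, whereas port 53 on other inside hosts stays closed, as Lars recommends.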
From Firewalls-Owner Wed Mar 17 01:25:19 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA23373; Wed, 17 Mar 93 01:25:19 GMT
Received: from erenj.com (ereapp.erenj.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA23366; Tue, 16 Mar 93 17:25:11 PST
Received: by erenj.com (5.65/mjr-920806); id AA11917; Tue, 16 Mar 93 20:25:40 -0500
Received: by eredns.erenj.com (5.65/bdb-mailv1.2-erenj-gw); id AA19630; Tue, 16 Mar 93 20:25:39 -0500
Received: by maverick1.erenj.com (5.57/bdb-mailv1.0); id AA04796; Tue, 16 Mar 93 20:25:38 -0500
Posted-Date: Tue, 16 Mar 1993 20:25:38 -0500
From: bdboyle@maverick1.erenj.com (Bryan D. Boyle)
Message-Id: <9303162025.ZM4794@maverick1.erenj.com>
Date: Tue, 16 Mar 1993 20:25:38 -0500
In-Reply-To: "David I. Dalva" "Packet filtering and FTP" (Mar 16, 5:29pm)
References: <9303162230.AA09412@TIS.COM>
X-Mailer: Z-Mail (2.1.0 10/1/92)
To: "David I. Dalva" , firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

On Mar 16, 5:29pm, "David I. Dalva" wrote:
> Subject: Packet filtering and FTP
> Summary: Cisco "established" keyword breaks FTP-DATA.
>
> I am having FTP trouble when I configure my Cisco to only permit established
> TCP connections above port 1024. When a new (random) port is created for
> FTP-DATA (e.g., as the result of a "dir"), the Cisco prohibits the connection
> since it doesn't meet the "established" criteria.
>
> Does anybody know what the port range is for randomly allocated ports, or
> another way to get around this problem?
>
> Dave Dalva
> Trusted Information Systems, Inc.
> Glenwood, MD 21738
> +1 301 854-6889
> +1 301 854-5363 FAX
>-- End of excerpt from "David I. Dalva"

dave: talk to one of your associates, marcus ranum...I am sure he has
some ideas along this line...

--
Bryan D.
Boyle          |Physical: Exxon Research, Annandale, NJ 08801
#include       |Logical:  bdboyle@erenj.com
< USENET: Post to exotic, distant machines. Meet exciting, >
<          unusual people. And flame them.                 >

From Firewalls-Owner Wed Mar 17 15:07:58 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA25589; Wed, 17 Mar 93 15:07:58 GMT
Received: from ben.uknet.ac.uk by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA25582; Wed, 17 Mar 93 07:07:31 PST
Received: from eros.uknet.ac.uk by ben.uknet.ac.uk via UKIP with SMTP (PP) id ; Wed, 17 Mar 1993 15:06:49 +0000
Received: from visionware.co.uk by eros.uknet.ac.uk with UUCP id <29074-0@eros.uknet.ac.uk>; Wed, 17 Mar 1993 15:06:39 +0000
Received: by vision.visionware.co.uk (5.59/smail2.5/10-15-90) id AA06346; Wed, 17 Mar 93 15:02:32 GMT
Newsgroups: vw.net.firewalls
Path: chris
From: chris@visionware.co.uk (Chris Davies)
Subject: Firewalls and NFS
Message-Id: <1993Mar17.150212.6303@visionware.co.uk>
Organization: VisionWare Ltd., Leeds, UK
X-Newsreader: TIN [version 1.1 PL8]
Date: Wed, 17 Mar 1993 15:02:12 GMT
Apparently-To: firewalls@greatcircle.com
To: greatcircle.com!firewalls@visionware.co.uk
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

It appears that we're well on the way to getting a shiny new internet
connection (our first, I hasten to add :-)

I'd really appreciate it if some of you people who're familiar with
firewalls, etc, could point out the flaws (or otherwise) in the following
scenario.

1. Our external point of contact will be through a Xyplex Brouter (running
   MAXserver Bridge s/w). Am I correct in calling this a firewall if I put
   enough IP packet filters on it?

2. We'd like to block all incoming access to all machines except our
   gateway. Telnet, SMTP, NNTP, FTP, and DNS lookup requests should be
   permissible to the gateway only. To reach an internal machine it would
   be necessary to login to the gateway and then rlogin/telnet again from
   there.
   This is because not all of our machines may have passwords on all the
   accounts (we do a lot of Unix development here).

3. Any machine on our internal network should be able to initiate an
   outgoing session to any external service.

Our US office has plans to get an internet connection too, but we don't
want to have a (very expensive) leased line between here and there, since
we can get a share of the (low) bandwidth available over other commercial
international lines. Accordingly,

4. It would be real nice if users on our US office network could drive
   straight through our gateway as if it weren't there.

5. We'd really like some sort of (very lightly used) network file system
   to be available between one of our local hosts and a host on the
   specific remote network. Does Sun-NFS work over long distance internet
   connections (i.e. are the packets normally blocked)?

Am I just talking blue sky or does this appear to be reasonable?

Ta,
Chris
--
VISIONWARE LTD, 57 Cardigan Lane, LEEDS LS4 2LE, England
Tel +44 532 788858 x238.   Fax +44 532 304676.
Email chris@visionware.co.uk
---------- "VisionWare: The home of DOS/SQL/UNIX/X/VMS integration" ---------

From Firewalls-Owner Thu Mar 18 03:55:05 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27335; Thu, 18 Mar 93 03:55:05 GMT
Received: from ames.arc.nasa.gov by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27326; Wed, 17 Mar 93 19:54:54 PST
Received: from ultra.UUCP by ames.arc.nasa.gov with UUCP id AA26543 (5.65c/IDA-1.4.4); Wed, 17 Mar 1993 19:23:11 -0800
Received: from snug.ultra.com by ultra.com id AA19160 (4.1/Ultra-1.4-10-10-91 for Rod.King@corp.sun.com); Wed, 17 Mar 93 18:56:07 PST
Date: Wed, 17 Mar 93 18:56:07 PST
From: shj@ultra.com (Steve Jay {Ultra Unix SW Mgr})
Message-Id: <9303180256.AA19160@ultra.com>
To: firewalls@GreatCircle.COM
Subject: fix for Sun's itelnet
Cc: Rod.King@corp.sun.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

A few weeks ago, I posted an article to this list asking about a bug in
Sun's itelnet (the telnet relay program that is sold by Sun Consulting).
The bug was that the itelnet-gw daemon on the gateway machine would go
into an infinite loop if TCP urgent data arrived, and some systems'
implementation of telnetd send a "telnet datamark" as urgent data when
the user enters ^C.

I managed to get Sun's attention, and got email from the developer of the
product (Rod King). Rod has fixed the problem, and the fixed version seems
to be working fine on our gateway. Rod says:

> Consulting plans to contact all owners of CONSULT-IGATEWAY and provide them
> with the updated binary. I won't be the one sending out the actual updates,
> but you can put me down as a contact person.

Rod is "Rod.King@corp.sun.com". So, if you have the Sun IGATEWAY product,
I guess you'll be hearing from them about the update. I don't know how
quickly this will occur.
Steve Jay
shj@ultra.com   ...ames!ultra!shj
Ultra Network Technologies / 101 Dagget Drive / San Jose, CA 95134 / USA
(408) 922-0100 x130   "Home of the 1 Gigabit/Second network"

From Firewalls-Owner Thu Mar 18 04:30:52 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27386; Thu, 18 Mar 93 04:30:52 GMT
Received: from tadpole.tadpole.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27379; Wed, 17 Mar 93 20:30:44 PST
Received: from chiba.tadpole.com by tadpole.tadpole.com (4.1/SMI-4.1) id AA18330; Wed, 17 Mar 93 22:30:59 CST
Date: Wed, 17 Mar 93 22:30:59 CST
From: jim@tadpole.com (Jim Thompson)
Message-Id: <9303180430.AA18330@tadpole.tadpole.com>
To: firewalls@GreatCircle.COM, shj@ultra.com
Subject: Re: fix for Sun's itelnet
Cc: Rod.King@corp.sun.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Rod King is the 'developer' of CONSULT-IGATEWAY?

Hmm,

Jim

From Firewalls-Owner Thu Mar 18 06:44:16 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27568; Thu, 18 Mar 93 06:44:16 GMT
Received: from ames.arc.nasa.gov by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27561; Wed, 17 Mar 93 22:44:07 PST
Received: from ultra.UUCP by ames.arc.nasa.gov with UUCP id AA01481 (5.65c/IDA-1.4.4); Wed, 17 Mar 1993 21:52:18 -0800
Received: from snug.ultra.com by ultra.com id AA22204 (4.1/Ultra-1.4-10-10-91 for Rod.King@corp.sun.com); Wed, 17 Mar 93 21:52:46 PST
Date: Wed, 17 Mar 93 21:52:46 PST
From: shj@ultra.com (Steve Jay {Ultra Unix SW Mgr})
Message-Id: <9303180552.AA22204@ultra.com>
To: firewalls@GreatCircle.COM, shj@ultra.com, jim@tadpole.com
Subject: Re: fix for Sun's itelnet
Cc: Rod.King@corp.sun.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Rod King is the 'developer' of CONSULT-IGATEWAY?

Well, here's what he said in his first email message to me:

> Hi. I work in Sun Consulting and I am the person responsible for
> CONSULT-IGATEWAY.
I suppose I somewhat overstated things. How about "the person currently
responsible for IGATEWAY"?

-Steve

P.S. I am ignorant of the history of IGATEWAY. Did you (Jim) do it?

From Firewalls-Owner Thu Mar 18 10:34:05 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28348; Thu, 18 Mar 93 10:34:05 GMT
Received: from tardis ([198.37.128.10]) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28341; Thu, 18 Mar 93 02:33:46 PST
Received: by tardis (4.1/netserv-1.0) id AA00268; Thu, 18 Mar 93 02:35:48 PST
Date: Thu, 18 Mar 93 02:35:48 PST
From: Scott M. Hinnrichs
Message-Id: <9303181035.AA00268@tardis>
To: firewalls@GreatCircle.COM
Subject: DNS/libresolv/4.1.3/dlopen ld complaints
Cc: smh@netserv.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Well, this may not *really* be a firewall problem, but I am getting this
problem building code for my firewall. I haven't lived under a DNS
patched libc.so for a while now. I just installed the libresolv.a objs
in libc.so and now I am getting complaints from ld when making source:

cc -O -DDEBUG dig.c -L`pwd` -lresolv list.o -o dig
ld: Undefined symbol
   _dlopen
   _dlclose
   _dlsym
   __mbstowcs_xccs
   __mbtowc_xccs
   __wcstombs_xccs
   __wctomb_xccs

This must be due to something obvious I am doing wrong. The patched libc.so
is working fine and the binary ld creates works too! But, many makefiles
won't do a build even when using make -k, and it is a real pain... anyone
seen this already??
Thanks, Scott

From Firewalls-Owner Thu Mar 18 12:01:50 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28460; Thu, 18 Mar 93 12:01:50 GMT
Received: from noc2.dccs.upenn.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28452; Thu, 18 Mar 93 04:01:30 PST
Received: from GYNKO.CIRC.UPENN.EDU by noc2.dccs.upenn.edu id AA20079; Thu, 18 Mar 93 07:02:00 -0500
Received: by gynko.circ.upenn.edu id AA09395; Thu, 18 Mar 93 06:59:32 EST
From: rsk@gynko.circ.upenn.edu (Rich Kulawiec)
Posted-Date: Thu, 18 Mar 1993 06:59:31 -0500 (EST)
Message-Id: <9303181159.AA09395@gynko.circ.upenn.edu>
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
To: smh@netserv.com (Scott M. Hinnrichs)
Date: Thu, 18 Mar 1993 06:59:31 -0500 (EST)
Cc: firewalls@GreatCircle.COM, smh@netserv.com
In-Reply-To: <9303181035.AA00268@tardis> from "Scott M. Hinnrichs" at Mar 18, 93 02:35:48 am
Organization: Ditka Policy Insitute
X-Queued-Mail: 1419 pending mail messages (2610061 characters)
X-Last-River: Crum Creek
X-Mailer: ELM [version 2.4 PL21]
Content-Type: text
Content-Length: 971
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>This must be due to something obvious I am doing wrong. The patched libc.so
>is working fine and the binary ld creates works too! But, many makefiles
>won't do a build even when using make -k, and it is a real pain... anyone
>seen this already??

Yep, I saw this as soon as I installed 4.1.3 and the resolving libc.
Since I also installed many Sun patches at the same time, I speculated
that one of them may have been to blame, but I've backed out pieces of
each one without being able to restore the original functionality. (For
example, one of the patches replaces /usr/bin/ld, so I tried restoring
the original ld.)

I've been taking shots at this problem for 3 months, and I figure it's
probably something dead simple, but boy howdy, I sure haven't been able
to crack it.
Like the original poster, I'd appreciate a hand; using the resolver sure
makes using lots of the firewalling code easier, but it's making life a
little difficult for the other folks.

---Rsk

From Firewalls-Owner Thu Mar 18 12:36:19 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28504; Thu, 18 Mar 93 12:36:19 GMT
Received: from uu5.psi.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28497; Thu, 18 Mar 93 04:35:52 PST
Received: from shearson.UUCP by uu5.psi.com (5.65b/4.0.071791-PSI/PSINet) via UUCP; id AA21175 for ; Thu, 18 Mar 93 06:33:31 -0500
Received: from lorax.shearson.com by shearson.com (4.1/LB-0.5) id AA29788; Thu, 18 Mar 93 06:26:26 EST
Received: by lorax.shearson.com (4.1/SMI-4.1) id AA11561; Thu, 18 Mar 93 06:26:25 EST
Message-Id: <9303181126.AA11561@lorax.shearson.com>
To: jim@tadpole.com (Jim Thompson)
Cc: firewalls@GreatCircle.COM
Subject: Re: proxy software? itelnet/iftp? packet screens? X?
In-Reply-To: Your message of "Wed, 10 Feb 1993 22:28:58 CST." <9302110428.AA07474@ono-sendai>
Reply-To: rens@cs.columbia.edu
Date: Thu, 18 Mar 1993 06:26:24 -0500
From: Rens Troost
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>>>>> On Wed, 10 Feb 93 22:28:58 CST, jim@tadpole.com (Jim Thompson) said:

Jim> Since I hacked together the original iftp/itelnet (which
Jim> consulting then turned into igateway), I could be
Jim> persuaded to pop them out for public perusal.

Hi-

Since you just mentioned it, I remind you of this posting. Can you make
the i{ftp,telnet} software available?
-Rens

From Firewalls-Owner Thu Mar 18 17:08:27 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29019; Thu, 18 Mar 93 17:08:27 GMT
Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28997; Thu, 18 Mar 93 09:07:58 PST
Message-Id: <9303181707.AA28997@mycroft.GreatCircle.COM>
To: peterg@murphy.com (Peter Gutmann)
Cc: Firewalls@GreatCircle.COM
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
In-Reply-To: Your message of Thu, 18 Mar 93 10:33:36 EST
From: Brent Chapman
Date: Thu, 18 Mar 93 09:07:57 -0800
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

# > cc -O -DDEBUG dig.c -L`pwd` -lresolv list.o -o dig
# > ld: Undefined symbol
# > _dlopen
# > _dlclose
# > _dlsym
# > __mbstowcs_xccs
# > __mbtowc_xccs
# > __wcstombs_xccs
# > __wctomb_xccs
#
# You need to add the -ldl (dynamic loading libs) to the cc

Doing that makes _that_ cc work, but who wants to add "-ldl" to every cc in every Makefile on their system? Adding "-ldl" to the "ld" step of building the shared library, as I described in my previous message, solves the problem without requiring you to tweak every Makefile on your system.

- -Brent
- --
Brent Chapman                            Great Circle Associates
Brent@GreatCircle.COM                    1057 West Dana Street
+1 415 962 0841                          Mountain View, CA 94041

------- End of Forwarded Message

From Firewalls-Owner Thu Mar 18 09:31:32 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28915; Thu, 18 Mar 93 17:02:33 GMT
Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA28886; Thu, 18 Mar 93 09:01:47 PST
Message-Id: <9303181701.AA28886@mycroft.GreatCircle.COM>
To: "Scott M.
Hinnrichs"
Cc: firewalls@GreatCircle.COM
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
In-Reply-To: Your message of Thu, 18 Mar 93 02:35:48 PST
Date: Thu, 18 Mar 93 09:01:46 -0800
From: Brent Chapman
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

# Well, this may not *really* be a firewall problem, but I am getting this
# problem building code for my firewall. I haven't lived under a DNS
# patched libc.so for while now. I just installed the libresolv.a objs
# in libc.so and now I am getting complaints from ld when making source:
#
# cc -O -DDEBUG dig.c -L`pwd` -lresolv list.o -o dig
# ld: Undefined symbol
# _dlopen
# _dlclose
# _dlsym
# __mbstowcs_xccs
# __mbtowc_xccs
# __wcstombs_xccs
# __wctomb_xccs
#
# This must be due to something obvious I am doing wrong. The patched libc.so
# is working fine and the binary ld creates works too! But, many makefiles
# won't do a build even when using make -k, and it is a real pain... anyone
# seen this already??
#
# Thanks, Scott

In /usr/lib/shlib.etc/Makefile, add a "-ldl" flag to the end of the "ld" command for the "libc.so" target, then rebuild the shared library. That will take care of the first problem.

I'll bet the second problem is caused by not renaming "xccs.multibyte." to "xccs.multibyte.o" after using "ar" to unpack "libc_pic.a". There are three files in libc_pic.a that have long filenames, that have to be renamed before the shared library is built. If I recall correctly, the "README" file lists some but not all of them. The three files are "rpc_commondata.", "rpc_dtablesize.", and "xccs.multibyte."; all need to be renamed to end in ".o" instead of just ".".
-Brent
--
Brent Chapman                            Great Circle Associates
Brent@GreatCircle.COM                    1057 West Dana Street
+1 415 962 0841                          Mountain View, CA 94041

From Firewalls-Owner Thu Mar 18 17:32:13 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29100; Thu, 18 Mar 93 17:32:13 GMT
Received: from mail-relay-2.mv.us.adobe.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29087; Thu, 18 Mar 93 09:31:47 PST
Received: by mail-relay-2.mv.us.adobe.com; id AA06442; Thu, 18 Mar 93 09:32:08 -0800
Received: by guardi.mv.us.adobe.com; id AA20640; Thu, 18 Mar 93 09:32:05 -0800
Message-Id: <9303181732.AA20640@guardi.mv.us.adobe.com>
To: "Scott M. Hinnrichs"
Cc: firewalls@GreatCircle.COM
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
In-Reply-To: Your message of "Thu, 18 Mar 93 02:35:48 PST." <9303181035.AA00268@tardis>
Date: Thu, 18 Mar 93 09:32:04 PST
From: Tim Guarnieri
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hmm. When you rebuilt libc.so, did you put -ldl on the following line:

    ld -assert pure-text `${OBJSORT} lorder-sparc tmp` -ldl
                                                        ^^^^

If you didn't, I can see where this error would occur.

Tim

BTW: Attached is a "How to modify SunOS to use DNS instead of YP" note that I pulled off the net a while ago. I found it very helpful when rebuilding libc.so. Hope it helps.

----------------- NEW BIND FOR SUNS 2/11/91 -----------------

[Partially taken from the document "Making a libc.so for DNS without NIS" that has been distributed to various SunOS users, and seen on Usenet. Original document by Paul Balyoz (pab@naucse.cse.nau.edu). Updated to include OS4.1.2 information, Hal Pomeranz, 3/3/92.]

This document tells how to install a NEW version of the BIND Name Server resolver routines into the shared C library of a Sparcstation running SunOS 4.1 or greater. The procedure is a bit different when you are trying to install a version of BIND distributed from Berkeley, compared to the (older) resolver library that comes with SunOS.

A.
Get BIND version 4.8.3 or later. We must fix the Makefile in the resolver directory to do what our sparcstation needs. The whole idea here is to compile the C source to .o files with the -pic option, and not do anything fancy to the .o files before putting them into the new libresolv.a library. Note that we rename your old libresolv.a file, so that it can be recovered if the new one doesn't work!

    cd Bind4.8.3/res
    vi Makefile

Comment out all sets of lines that look something like:

    -ld -r -x file.o
    mv a.out file.o

Add to the "CFLAGS" variable the option -pic (so that a global tags entry gets added to each .o file). Fix paths and options in Makefile as needed.

    make
    mv /usr/lib/libresolv.a /usr/lib/libresolv.a.orig
    make install

This should have created the new /usr/lib/libresolv.a library.

Please also note that the string(3) man-page which comes with SunOS is more complete than the one distributed with BIND! Therefore you should NOT replace it as instructed to by BIND's README instructions.

B. Follow the steps below to make a new shared library on your Sun which includes the new resolver library routines in it.

1. Become super user by logging in as root, or first as a normal user and then typing:

    su

2. Move into the shared-lib area and make a temporary directory:

    cd /usr/lib/shlib.etc
    mkdir tmp

3. Move into this new directory, extract the pic (position independent code) object files from libc_pic.a and remove the SYMDEF file. The renaming (mv commands) is done because the "ar" command truncates names to 16 characters.

    cd tmp
    ar x ../libc_pic.a
    rm __.SYMDEF
    mv rpc_dtablesize. rpc_dtablesize.o
    mv rpc_commondata. rpc_commondata.o
    mv xccs.multibyte. xccs.multibyte.o

4.
We now need to extract the object files from your new libresolv.a library, making sure not to overwrite two of the Sun objects already in this directory:

    mv mktemp.o mktemp.o2        # else it gets stomped
    mv strpbrk.o strpbrk.o2      # else it gets stomped
    ar x /usr/lib/libresolv.a
    mv strpbrk.o2 strpbrk.o      # we gotta use Sun's.
    mv mktemp.o2 mktemp.o        # we gotta use Sun's.

(Any other object files that get overwritten are ok.)

[Alternatively you can extract Sun's original mktemp.o and strpbrk.o files again at this point by typing:

    ar x ../libc_pic.a mktemp.o strpbrk.o
]

5. Make sure the old host resolver is not still lying around:

    rm gethostent.o

(ignore error "rm: gethostent.o nonexistent" if you see it.)

6. Remove the new resolver's string code because Sun's libraries already include this, so it would be redundant:

    rm strcasecmp.o

7. Go back up to the shared library building directory and duplicate the list of object files to use:

    cd ..
    cp lorder-sparc lorder-sparc.orig

8. Edit this object file list and make the following modifications if they haven't already been done before to this file:

    remove: gethostent.o
    add:    gethostnamadr.o sethostent.o res_query.o res_mkquery.o res_send.o
            res_debug.o res_comp.o res_init.o herror.o strerr.o

(the last two are new, which Sun's resolver doesn't use)

After deleting gethostent.o, you can use the following patch, or make the changes by hand (in this order):

*************** *** 149,154 **** --- 149,164 ---- listen.o getwd.o getnetgrent.o + gethostnamadr.o + herror.o + sethostent.o + res_query.o + res_mkquery.o + res_send.o + res_debug.o + res_comp.o + res_init.o + strerror.o ypxdr.o ttyname.o setbuffer.o

9. The Makefile in shlib.etc for building shared libraries has one problem when you run it as the super user.
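Review bot: the last `+` line of the hunk adds `strerror.o`, but the hand-edit list in step 8 just above it calls the same object `strerr.o`; one of the two is a typo, and since every other object the hunk adds (`herror.o`, `res_init.o`, and so on) matches the step 8 list exactly, the prose should be corrected to `strerror.o` so that a reader editing lorder-sparc by hand ends up with the same file as one applying the patch. The hunk is also the authoritative order for "in this order": `herror.o` goes right after `gethostnamadr.o`, not at the end as the step 8 list has it. Finally, the hunk only adds lines; it does not delete `gethostent.o`, so that removal has to be done by hand first, exactly as the sentence introducing the patch says, and the `lorder-sparc.orig` copy from step 7 is what to diff against if the result does not build.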
So edit it and modify the definition of "OBJSORT" to read:

    OBJSORT=./objsort

If you are using SunOS 4.1.2, change the lines (there are two) in the Makefile which read

    ld -assert pure-text `${OBJSORT} lorder-sparc tmp`

to read

    ld -assert pure-text `${OBJSORT} lorder-sparc tmp` -ldl

10. Now we can finally build the shared library. Type:

    make libc.so

What kind of errors might you get? Here are a couple:

a. It blows up on one of the .o files in tmp, saying that the object file is in an inconsistent state. SOLUTION: start over; you did something wrong when you compiled the new libresolv.a in section A, above. Make SURE not to let Makefile "ld" the object files!

b. It lists hundreds of error lines about offsets or addresses being wrong in all your resolver .o files. SOLUTION: start over; you needed to specify "-pic" to the C compiler when building the libresolv.a library.

11. If all goes well, you now have a "libc.so.x.y.z" in this directory. Test it out before installing it systemwide! You can do this by pointing your shell's library path variable to the current directory, then trying various networking commands:

    setenv LD_LIBRARY_PATH `pwd`
    ping some.host.edu
    ftp another.host.com
    telnet someone.else.ca
    unsetenv LD_LIBRARY_PATH

If anything in the library fails, you need to start section B over again. Maybe you forgot to use Sun's versions of mktemp.o and strpbrk.o; things just won't work with BIND's new versions of these files.

12. When you are sure it's working OK, you can install it into the system library directory:

    cp libc.so.x.y.z /usr/lib
    chmod 755 /usr/lib/libc.so.x.y.z
    ldconfig

13. You can prove that you're using the new library now, by watching the output of something like:

    trace date

The latest BIND resolver is now installed on your system. You can go ahead and compile and install the other BIND tools such as named, nslookup, etc. You do not need to specify the "-lresolv" library when compiling these tools.
From Firewalls-Owner Thu Mar 18 17:53:38 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29152; Thu, 18 Mar 93 17:53:38 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29145; Thu, 18 Mar 93 09:53:32 PST
Received: from TIS.COM by TIS.COM (4.1/SUN-5.64) id AA26385; Thu, 18 Mar 93 12:54:50 EST
Message-Id: <9303181754.AA26385@TIS.COM>
To: smb@research.att.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
In-Reply-To: Your message of Tue, 16 Mar 93 18:25:32 -0500. <9303162330.AA11908@TIS.COM>
Date: Thu, 18 Mar 93 12:54:45 -0500
From: "David I. Dalva"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

    Summary: Cisco "established" keyword breaks FTP-DATA.

    I am having FTP trouble when I configure my Cisco to only permit
    established TCP connections above port 1024. When a new (random) port
    is created for FTP-DATA (e.g., as the result of a "dir"), the Cisco
    prohibits the connection since it doesn't meet the "established"
    criteria.

    I know of no way to do what you want in a safe fashion. I wish I did.

Well, Marcus Ranum and I discussed it and decided to hack the ftp client to use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data. Then I can reintroduce "established" for ports < 5000. This seems to work fine, but we'll see if there are any future problems with the BSD ftp client on SunOS.

Dave Dalva
Trusted Information Systems, Inc.
Glenwood, MD 21738
+1 301 854-6889
+1 301 854-5363 FAX

From Firewalls-Owner Thu Mar 18 18:00:11 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29177; Thu, 18 Mar 93 18:00:11 GMT
Received: from tadpole.tadpole.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29168; Thu, 18 Mar 93 10:00:02 PST
Received: from chiba.tadpole.com by tadpole.tadpole.com (4.1/SMI-4.1) id AA21625; Thu, 18 Mar 93 12:00:23 CST
Date: Thu, 18 Mar 93 12:00:23 CST
From: jim@tadpole.com (Jim Thompson)
Message-Id: <9303181800.AA21625@tadpole.tadpole.com>
To: smh@netserv.com, timg@mv.us.adobe.com
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Be aware that I've had some trouble with 'automount' and the libresolv+ shared library.

Jim

From Firewalls-Owner Thu Mar 18 18:05:16 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29196; Thu, 18 Mar 93 18:05:16 GMT
Received: from research.att.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29189; Thu, 18 Mar 93 10:05:10 PST
Message-Id: <9303181805.AA29189@mycroft.GreatCircle.COM>
From: smb@research.att.com
Received: by gryphon; Thu Mar 18 13:00:48 EST 1993
To: "David I. Dalva"
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
Date: Thu, 18 Mar 93 13:00:46 EST
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

    Well, Marcus Ranum and I discussed it and decided to hack the ftp client
    to use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data.
    Then I can reintroduce "established" for ports < 5000. This seems to
    work fine, but we'll see if there are any future problems with the BSD
    ftp client on SunOS.

If you're going to hack the client side, you can do better than that: have it emit PASV commands, so that the server will do a passive open, and the client an active open. Then the data is transferred via an outgoing call.
(Note: there are a few servers out there that do not grok PASV. Maybe if we all made this change, they would go away...)

--Steve Bellovin

From Firewalls-Owner Thu Mar 18 19:14:36 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29437; Thu, 18 Mar 93 19:14:36 GMT
Received: from tardis ([198.37.128.10]) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29430; Thu, 18 Mar 93 11:14:27 PST
Received: by tardis (4.1/netserv-1.0) id AA00528; Thu, 18 Mar 93 11:16:03 PST
Date: Thu, 18 Mar 93 11:16:03 PST
From: Scott M. Hinnrichs
Message-Id: <9303181916.AA00528@tardis>
To: smh@netserv.com, ckaul@cs.sandia.gov
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
Cc: firewalls@GreatCircle.COM, len@netsys.com
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Ok, Clint wins ;-) He answered correctly first. I *knew* it was a lame question/answer but *I* didn't know :( My SunSpots article was from '90, and I hadn't done it since then. Thank god I didn't suffer for a couple of months like some of the posters.

Thanks all!,
Scott

> From ckaul@cs.sandia.gov Thu Mar 18 05:51:14 1993
> Date: Thu, 18 Mar 93 06:49:32 MST
> From: ckaul@cs.sandia.gov (Clint Kaul)
> To: smh@netserv.com
> Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
> Content-Length: 697
>
> Scott,
>
> You have stumbled across two common problems. You are probably running
> SunOS 4.1.2 or 4.1.3. There are two mods that need to be done:
>
> 1. In /usr/lib/shlib.etc/Makefile under the libc.so target:
>    Change: ld -assert pure-text `${OBJSORT} lorder-sparc tmp`
>    To:     ld -assert pure-text `${OBJSORT} lorder-sparc tmp` -ldl
>
> 2. There is now another file from libc.a which has a foreshortened name:
>    /usr/lib/shlib.etc/tmp% mv xccs.multibyte.
xccs.multibyte.o
>
> Hope this helps,
>
> Clint Kaul                      Work: 505-845-7557 or 505-250-5105 (mb)
> Sandia National Labs            Fax: 505-845-7442
> Department 1421                 Home: 505-843-7159 or 505-843-6015
> Albuquerque, NM 87185-5800      Email: ckaul@cs.sandia.gov
>

From Firewalls-Owner Thu Mar 18 20:05:34 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29512; Thu, 18 Mar 93 20:05:34 GMT
Received: from research.att.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29505; Thu, 18 Mar 93 12:05:29 PST
Message-Id: <9303182005.AA29505@mycroft.GreatCircle.COM>
From: smb@research.att.com
Received: by gryphon; Thu Mar 18 15:04:32 EST 1993
To: "David I. Dalva"
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
Date: Thu, 18 Mar 93 15:04:31 EST
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

    Well, Marcus Ranum and I discussed it and decided to hack the ftp client
    to use ports between IPPORT_USERRESERVED (5000) and 10000 for ftp-data.
    Then I can reintroduce "established" for ports < 5000. This seems to
    work fine, but we'll see if there are any future problems with the BSD
    ftp client on SunOS.

I just reread this note. Please -- save yourself some grief and use something like 7000-12000. You really don't want to allow 6000..6000+n in past your firewall....

From Firewalls-Owner Thu Mar 18 20:06:54 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29528; Thu, 18 Mar 93 20:06:54 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA29521; Thu, 18 Mar 93 12:06:49 PST
Received: from TIS.COM by TIS.COM (4.1/SUN-5.64) id AA06851; Thu, 18 Mar 93 15:08:10 EST
Message-Id: <9303182008.AA06851@TIS.COM>
To: smb@research.att.com
Cc: firewalls@GreatCircle.COM
Subject: Re: Packet filtering and FTP
In-Reply-To: Your message of Thu, 18 Mar 93 15:04:31 -0500. <9303182006.AA06792@TIS.COM>
Date: Thu, 18 Mar 93 15:08:09 -0500
From: "David I.
Dalva"
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

    I just reread this note. Please -- save yourself some grief and use
    something like 7000-12000. You really don't want to allow 6000..6000+n
    in past your firewall....

I installed a gross hack that skips 6000 :-)

Dave

From Firewalls-Owner Fri Mar 19 09:43:32 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA01520; Fri, 19 Mar 93 09:43:32 GMT
Received: from chsun.chuug.ch by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA01513; Fri, 19 Mar 93 01:43:11 PST
Received: from igor.UUCP by chsun.chuug.ch (5.65c8/1.34) id AA09062; Fri, 19 Mar 1993 10:44:37 +0100
Received: from santana.noname by ergon.ch (4.1/SMI-4.1) id AA19751; Fri, 19 Mar 93 09:34:02 +0100
Date: Fri, 19 Mar 93 09:34:02 +0100
From: sten@ergon.ch (Sten Gunterberg)
Message-Id: <9303190834.AA19751@ergon.ch>
To: firewalls@GreatCircle.COM
Subject: Re: DNS/libresolv/4.1.3/dlopen ld complaints
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In <9303181035.AA00268@tardis> Scott M. Hinnrichs writes:

> Well, this may not *really* be a firewall problem, but I am getting this
> problem building code for my firewall. I haven't lived under a DNS
> patched libc.so for while now. I just installed the libresolv.a objs
> in libc.so and now I am getting complaints from ld when making source:
>
> cc -O -DDEBUG dig.c -L`pwd` -lresolv list.o -o dig
> ld: Undefined symbol
> _dlopen
> _dlclose
> _dlsym
> __mbstowcs_xccs
> __mbtowc_xccs
> __wcstombs_xccs
> __wctomb_xccs
>
> This must be due to something obvious I am doing wrong. The patched libc.so
> is working fine and the binary ld creates works too! But, many makefiles
> won't do a build even when using make -k, and it is a real pain... anyone
> seen this already??

Same problem I ran into last week. This is how I "solved" it:

The README in /usr/lib/shlib.etc tells you in point 3 to rename the files rpc_dtablesize. and rpc_commondata.
because they have lost their .o extension due to the *stupid* 15-character name length limit of ar (argh!). But apparently another file xccs.multibyte. -- new to 4.1.3 as far as I can see -- also needs this treatment, which README forgets to mention. That was my first try. This stops ld from complaining about the undefined symbols __mb* and __wc* when linking, but the _dl* undefs remain.

Then I found out that apparently the multi-byte and wide character routines do dynamic loading (dl*), i.e. they reference the dl* routines, which are not part of libc, but in libdl.a. Because I certainly don't need the multi-byte stuff on my firewall, I removed all *.o files having to do with that:

    (in /usr/lib/shlib.etc/tmp)
    mkdir REMOVED
    mv mblib.o mbstowcs.o mbtowc.o wcstombs.o wctomb.o REMOVED
    mv xccs.multibyte. REMOVED

(None of these modules are mentioned in /usr/lib/shlib.etc/lorder-sparc, so I figure you don't have to adjust it.)

Then I proceeded with the rest of the instructions in README (points 4-9) and everything works!

What happens if you try to use one of the multi-byte handling functions? Not a clue. I don't care for the moment.

Hope this helps -- I think everybody configuring DNS w/o NIS on 4.1.3 will run into this problem...
--- Sten

From Firewalls-Owner Mon Mar 22 14:21:25 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12113; Mon, 22 Mar 93 14:21:25 GMT
Received: from mail.Germany.EU.net by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12106; Mon, 22 Mar 93 06:21:05 PST
Received: by mail.Germany.EU.net(EUnetD-2.2.5.b) via EUnet id OA12055; Mon, 22 Mar 1993 15:20:35 +0100
Received: from hw1175.sap-ag.de (hw1175) by sap-ag.de (5.52.1/SAP-1.2) id AA16188; Mon, 22 Mar 93 15:08:33 +0100 for firewalls@greatcircle.com
Message-Id: <9303221408.AA16188@sap-ag.de>
Received: from localhost by hw1175; Mon, 22 Mar 93 15:07:29 +0100
To: firewalls-digest@sap-ag.de
Organization: SAP AG Walldorf, Germany
Phone: +49 6227-344131
Home: +49 6221-163255
Subject: Re: Firewalls and NFS
In-Reply-To: Chris Davies's message of Wed, 17 Mar 1993 15:02:12 GMT
Reply-To: Bill Wohler
X-Mailer: MH [Version 6.8]
Date: Mon, 22 Mar 1993 15:07:28 +0100
From: Bill Wohler
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

chris, what you're calling the gateway is the firewall--the only host that your router allows packets to reach.

chris> 5. We'd really like some sort of (very lightly used) network file
chris> system to be available between one of our local hosts and a host on
chris> the specific remote network. Does Sun-NFS work over long distance
chris> internet connections (i.e. are the packets normally blocked)?

it'll work fine for you...and everyone else. don't allow folks on the internet to access nfs on your internal net.

chris> 4. It would be real nice if users on our US office network could drive
chris> straight through our gateway as if it weren't there.

it's easy enough for someone to spoof your us office network and drive straight through your router as well. this *is* a good problem. does anyone have any good solutions?

chris> To reach an internal machine
chris> it would be necessary to login to the gateway and then
chris> rlogin/telnet again from there.
i haven't been able to decide what to do with this and hope to hear more response from the list. add users to the firewall, and you add too much noise to the logs for them to do any good, as well as adding to the vulnerability of the firewall. have all users go through a single account and you have a password distribution, and accountability problem.

unfortunately, there is always a tradeoff: the better the security, the more inconvenient the firewall. is a convenient, secure firewall desirable? attainable?

Bill Wohler  SAP AG Heidelberg  Red Barons Postmaster  Ultimate Frisbee Team

From Firewalls-Owner Mon Mar 22 15:47:02 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12263; Mon, 22 Mar 93 15:47:02 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12256; Mon, 22 Mar 93 07:46:55 PST
Received: by TIS.COM (4.1/SUN-5.64) id AA16015; Mon, 22 Mar 93 10:47:46 EST
Date: Mon, 22 Mar 93 10:47:46 EST
From: Marcus J Ranum
Message-Id: <9303221547.AA16015@TIS.COM>
To: wohler@sap-ag.de
Subject: Firewalls and NFS -
Cc: firewalls@GreatCircle.COM
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

>chris> 4. It would be real nice if users on our US office network could drive
>chris> straight through our gateway as if it weren't there.
>
> it's easy enough for someone to spoof your us office network and
> drive straight through your router as well. this *is* a good
> problem. does anyone have any good solutions?

I'd look into using some kind of tunnelling router or encrypting router. If you can encrypt point-to-point between your remote offices, for someone to spoof you, they'd have to inject packets into your crypto, which would be A Trick. Does KarlBridge do encrypted tunnelling? The MorningStar tunnelling driver or my tunnelling driver + crypto, would do the trick.
UUNet Technologies has a box they call the LAN Guardian that does point-to-point crypto at very high speeds, with the ability to select network peers to do crypto over. You could implement exactly what you want, using that. With a little creativity in routing, you could easily implement the moral equivalent of encrypted tunnels, without interfering with normal internet traffic.

>chris> To reach an internal machine
>chris> it would be necessary to login to the gateway and then
>chris> rlogin/telnet again from there.
>
> i haven't been able to decide what to do with this and hope to hear
> more response from the list. add users to the firewall, and you add
> too much noise to the logs for them to do any good, as well as
> adding to the vulnerability of the firewall. have all users go
> through a single account and you have a password distribution, and
> accountability problem.

I never recommend putting users on firewalls. It's not just a security problem, it's an administrative hassle. For one thing, you have to worry about them using up disk space, etc, etc, etc. I like my firewalls to be something I set up, and more or less forget about except for when the hardware breaks. If you have to, a captive login program that does a chroot to someplace and drops the user into a simple shell that lets them telnet, or rlogin to other machines, will do 95% of what you want.

> unfortunately, there is always a tradeoff: the better the security,
> the more inconvenient the firewall. is a convenient, secure
> firewall desirable? attainable?

Convenient, secure firewalls are easily obtained. Granted, there is always some byproduct of security that is visible, but I think you can do a pretty good job if you think things through. I like to think the DEC SEAL is a pretty good compromise between security and user friendliness, with security taking precedence where it has to.

mjr.
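The captive login that Marcus describes above, as an added example (not code from the list or from any poster): a C program meant to be installed as a user's login shell on the gateway that chroots into an assumed jail directory (/var/captive), drops root, and then lets the user do nothing but telnet or rlogin to one validated hostname under an assumed internal suffix (internal.example), logging each request through syslog. The jail path, the binary paths inside it and the suffix are placeholders.

```c
/* captive_login.c: a restricted login shell for a bastion host, along the lines
 * of the "captive login program that does a chroot" suggested above.  Added
 * example, not code from the list or any poster.  The jail directory, the
 * telnet/rlogin paths inside it and the internal domain suffix are assumed
 * placeholders.  It must start with root privilege (setuid root, or run by
 * login before it drops privilege) so chroot() succeeds; it then drops to the
 * caller's real uid/gid before reading any input, and execs the child with a
 * fixed minimal environment so nothing from the caller reaches it. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/wait.h>

#define JAIL_DIR        "/var/captive"      /* assumed chroot target */
#define INTERNAL_SUFFIX "internal.example"  /* assumed allowed destinations */
#define MAX_HOST        253                 /* RFC 1035 total name length */

enum action { ACT_NONE, ACT_TELNET, ACT_RLOGIN, ACT_EXIT, ACT_BAD };
struct request { enum action act; char host[MAX_HOST + 1]; };

/* Letters, digits, '-' and '.' only; labels of 1..63 chars that neither start
 * nor end with '-'.  Refusing a leading '-' means the name can never be taken
 * for an option by the program we exec, and every shell metacharacter is out. */
int valid_hostname(const char *h)
{
    size_t n = strlen(h), label = 0;
    if (n == 0 || n > MAX_HOST || h[0] == '.' || h[0] == '-' ||
        h[n - 1] == '.' || h[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (h[i] == '.') {
            if (label == 0 || h[i - 1] == '-' || h[i + 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)h[i]) || h[i] == '-') {
            if (++label > 63) return 0;
        } else return 0;
    }
    return 1;
}

/* One input line: "telnet HOST", "rlogin HOST", "exit" or "quit".  Exactly one
 * argument is accepted, so "-l root" style options and trailing tokens are
 * rejected.  Returns 0 and fills *req on success, -1 on anything else. */
int parse_request(const char *line, struct request *req)
{
    char buf[512], *cmd, *arg, *extra, *save;
    memset(req, 0, sizeof *req);
    req->act = ACT_BAD;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    cmd = strtok_r(buf, " \t\r\n", &save);
    if (cmd == NULL) { req->act = ACT_NONE; return 0; }   /* blank line */
    arg = strtok_r(NULL, " \t\r\n", &save);
    extra = strtok_r(NULL, " \t\r\n", &save);
    if (strcmp(cmd, "exit") == 0 || strcmp(cmd, "quit") == 0) {
        if (arg != NULL) return -1;
        req->act = ACT_EXIT;
        return 0;
    }
    if (arg == NULL || extra != NULL || !valid_hostname(arg)) return -1;
    if (strcmp(cmd, "telnet") == 0)      req->act = ACT_TELNET;
    else if (strcmp(cmd, "rlogin") == 0) req->act = ACT_RLOGIN;
    else return -1;
    strcpy(req->host, arg);
    return 0;
}

/* Destination policy: the suffix itself or a name under it.  The character in
 * front of the suffix must be a dot, so "evil-internal.example" is refused. */
int allowed_destination(const char *host, const char *suffix)
{
    size_t hl = strlen(host), sl = strlen(suffix);
    if (hl == sl) return strcmp(host, suffix) == 0;
    return hl > sl && host[hl - sl - 1] == '.' && strcmp(host + hl - sl, suffix) == 0;
}

int main(void)
{
    static char *const envp[] = { "PATH=/bin", "TERM=vt100", NULL };
    char line[512];
    struct request req;

    if (chroot(JAIL_DIR) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("setuid"); return 1; }
    for (;;) {
        fputs("gateway> ", stdout); fflush(stdout);
        if (fgets(line, sizeof line, stdin) == NULL) return 0;
        if (parse_request(line, &req) != 0) { puts("usage: telnet HOST | rlogin HOST | exit"); continue; }
        if (req.act == ACT_NONE) continue;
        if (req.act == ACT_EXIT) return 0;
        if (!allowed_destination(req.host, INTERNAL_SUFFIX)) { puts("destination not permitted"); continue; }
        const char *prog = req.act == ACT_TELNET ? "/bin/telnet" : "/bin/rlogin";
        char *const argv[] = { (char *)prog, req.host, NULL };
        syslog(LOG_AUTH | LOG_INFO, "captive: uid %d -> %s %s", (int)getuid(), prog, req.host);
        pid_t pid = fork();
        if (pid == 0) { execve(prog, argv, envp); _exit(127); }
        if (pid > 0) waitpid(pid, NULL, 0);
    }
}
```

The jail has to carry its own /bin/telnet and /bin/rlogin plus whatever shared libraries they load; the hostname and destination checks are the part worth keeping even if the rest is adapted.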
From Firewalls-Owner Mon Mar 22 16:03:10 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12299; Mon, 22 Mar 93 16:03:10 GMT
Received: from research.att.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12292; Mon, 22 Mar 93 08:03:02 PST
Message-Id: <9303221603.AA12292@mycroft.GreatCircle.COM>
From: smb@research.att.com
Received: by gryphon; Mon Mar 22 10:59:07 EST 1993
To: Marcus J Ranum
Cc: wohler@sap-ag.de, firewalls@GreatCircle.COM
Subject: Re: Firewalls and NFS -
Date: Mon, 22 Mar 93 10:59:06 EST
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

    I'd look into using some kind of tunnelling router or encrypting
    router. If you can encrypt point-to-point between your remote offices,
    for someone to spoof you, they'd have to inject packets into your
    crypto, which would be A Trick. Does KarlBridge do encrypted
    tunnelling? The MorningStar tunnelling driver or my tunnelling driver +
    crypto, would do the trick.

    UUNet Technologies has a box they call the LAN Guardian that does
    point-to-point crypto at very high speeds, with the ability to select
    network peers to do crypto over. You could implement exactly what you
    want, using that. With a little creativity in routing, you could easily
    implement the moral equivalent of encrypted tunnels, without
    interfering with normal internet traffic.

I'm not sure if the UUNET box is available yet. Xerox Semaphore makes a similar unit; you may want to check into that as well. Naturally, there are export problems, since both boxes use DES, and the Xerox unit uses RSA for rekeying. (The UUNET unit will have that feature later.) Ironically enough, the UUNET box uses a German DES chip -- which means that they can't easily ship back defective chips, they told me...
--Steve Bellovin

From Firewalls-Owner Mon Mar 22 17:01:50 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12412; Mon, 22 Mar 93 17:01:50 GMT
Received: from mail.Germany.EU.net by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12404; Mon, 22 Mar 93 09:01:42 PST
Received: by mail.Germany.EU.net(EUnetD-2.2.5.b) via EUnet id OA19444; Mon, 22 Mar 1993 18:01:04 +0100
Received: from hw1175.sap-ag.de (hw1175) by sap-ag.de (5.52.1/SAP-1.2) id AA18513; Mon, 22 Mar 93 17:47:34 +0100 for mjr@tis.com
Message-Id: <9303221647.AA18513@sap-ag.de>
Received: from localhost by hw1175; Mon, 22 Mar 93 17:46:29 +0100
To: Marcus J Ranum
Cc: firewalls@GreatCircle.COM
Organization: SAP AG Walldorf, Germany
Phone: +49 6227-344131
Home: +49 6221-163255
Subject: Re: Firewalls and NFS -
In-Reply-To: Marcus J Ranum's message of Mon, 22 Mar 93 10:47:46 EST <9303221547.AA16015@TIS.COM>
Reply-To: Bill Wohler
X-Mailer: MH [Version 6.8]
Date: Mon, 22 Mar 1993 17:46:29 +0100
From: Bill Wohler
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Marcus J Ranum writes:

marcus> I'd look into using some kind of tunnelling router or encrypting
marcus> router.

i've heard the term "tunnelling router" mentioned a couple of times on this list, but haven't seen a description. could someone describe this term briefly?

the encrypting bit sounds like a good idea, but there might be law problems if one site is in the us and the other is somewhere else, esp DES. what, besides DES is covered by us export laws? is it just the algorithm, or is one not allowed to export DES encoded traffic as well?

marcus> If you have to, a captive login program that does a chroot to
marcus> someplace and drops the user into a simple shell that lets them telnet,
marcus> or rlogin to other machines, will do 95% of what you want.

this is what i was thinking. comments from others? has anyone written this? if not, i'll post it here after i do.
;-)

Bill Wohler  SAP AG Heidelberg  Red Barons Postmaster  Ultimate Frisbee Team

From Firewalls-Owner Mon Mar 22 17:04:47 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12428; Mon, 22 Mar 93 17:04:47 GMT
Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12421; Mon, 22 Mar 93 09:04:28 PST
Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA21540 (5.65b/HUJI 4.114); Mon, 22 Mar 93 19:06:24 +0200
Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA13990 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Mon, 22 Mar 1993 19:06:26 +0200
Message-Id: <199303221706.AA13990@shuldig.cs.huji.ac.il>
To: firewalls@GreatCircle.COM
Subject: Re: Firewalls and NFS
In-Reply-To: Your message of Mon, 22 Mar 1993 15:07:28 +0100 . <9303221408.AA16188@sap-ag.de>
From: Amos Shapira
Date: Mon, 22 Mar 1993 19:06:19 +0200
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Bill Wohler writes:

|chris> 4. It would be real nice if users on our US office network could drive
|chris> straight through our gateway as if it weren't there.
|
| it's easy enough for someone to spoof your us office network and
| drive straight through your router as well. this *is* a good
| problem. does anyone have any good solutions?

What about Kerberos? Does it address such kind of a problem? How portable is it?

Also what about NFS DES authentication? Is it for real or a joke? I assume the problem to be prevented is the packet authentication, not the data secrecy, but does NFS DES also encrypt the data itself?

|
|chris> To reach an internal machine
|chris> it would be necessary to login to the gateway and then
|chris> rlogin/telnet again from there.
|
| i haven't been able to decide what to do with this and hope to hear
| more response from the list. add users to the firewall, and you add
| too much noise to the logs for them to do any good, as well as
| adding to the vulnerability of the firewall.
have all users go | through a single account and you have a password distribution, and | accountability problem. I'm writing right now something to let users in and instead of running another programme in a restricted environment it asks them for a host they want to login to. I plan to run it *instead* of the telnet daemon. This gains two things: 1. The user is completly under your control. Only this daemon is running. 2. There is only one process for all this login-through biz. No point in having two processes for each user which just read back and forth between a couple of sockets. (3. It provides me more things to do in the no-time I don't have to do things :-) Also I envision being able to watch who's logged in and other things about him (ahmm...., I won't tell what other things), but my boss says I'm startting to show totalitarian signs so maybe I'll leave it. Any other suggestions? Bye, --Amos Shapira CS System Group, Hebrew University, Jerusalem, Israel amoss@cs.huji.ac.il From Firewalls-Owner Mon Mar 22 18:02:34 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12577; Mon, 22 Mar 93 18:02:34 GMT Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12568; Mon, 22 Mar 93 10:02:29 PST Message-Id: <9303221802.AA12568@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: Re: Firewalls and NFS In-Reply-To: Your message of Mon, 22 Mar 1993 15:07:28 +0100 Date: Mon, 22 Mar 93 10:02:28 -0800 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Bill Wohler writes: # chris> 5. We'd really like some sort of (very lightly used) network file # chris> system to be available between one of our local hosts and a host on # chris> the specific remote network. Does Sun-NFS work over long distance # chris> internet connections (i.e. are the packets normally blocked)? # # it'll work fine for you...and everyone else. 
don't allow folks on # the internet to access nfs on your internal net. I definitely concur with this. If someone can get packets to and from your NFS daemon (typically UDP port 2049 on Suns), they can probably circumvent any authentication and authorization checks that it supposedly does. # chris> 4. It would be real nice if users on our US office network could drive # chris> straight through our gateway as if it weren't there. # # it's easy enough for someone to spoof your us office network and # drive straight through your router as well. this *is* a good # problem. does anyone have any good solutions? Is it really that easy? Assuming both sites are directly connected to a network service provider, the compromise would have to occur inside one of those service provider networks. Does anyone know of any cases of that? Which leads to another question, for the service providers: what steps do you take (if any) to isolate customer traffic from your own internal systems, so that if, for instance, somebody breaks root on your anonymous FTP machine, they can't simply sit there with "etherfind" and capture all your customers' packets? -Brent -- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From Firewalls-Owner Mon Mar 22 18:09:42 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12627; Mon, 22 Mar 93 18:09:42 GMT Received: from localhost by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12619; Mon, 22 Mar 93 10:09:38 PST Message-Id: <9303221809.AA12619@mycroft.GreatCircle.COM> To: Firewalls@GreatCircle.COM Subject: Administrivia: bounced email returned to originator Date: Mon, 22 Mar 93 10:09:37 -0800 From: Brent Chapman Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk If you post something to Firewalls or Firewalls-Digest, you should NOT get any bounces back from other sites on the list; those are supposed to come to me. 
If they do come back to you, it means that somebody's mailer is broken; please forward such messages to me, and I'll try to deal with the problem. Thanks! -Brent -- Brent Chapman Great Circle Associates Brent@GreatCircle.COM 1057 West Dana Street +1 415 962 0841 Mountain View, CA 94041 From Firewalls-Owner Mon Mar 22 18:47:45 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12966; Mon, 22 Mar 93 18:47:45 GMT Received: from cs.huji.ac.il by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA12953; Mon, 22 Mar 93 10:47:29 PST Received: from shuldig.cs.huji.ac.il by cs.huji.ac.il with SMTP id AA22469 (5.65b/HUJI 4.114); Mon, 22 Mar 93 20:49:51 +0200 Received: from localhost by shuldig.cs.huji.ac.il with SMTP id AA15416 (5.65c/HUJI 4.1 for firewalls@greatcircle.com); Mon, 22 Mar 1993 20:49:55 +0200 Message-Id: <199303221849.AA15416@shuldig.cs.huji.ac.il> To: firewalls@GreatCircle.COM Subject: Re: Firewalls and NFS - In-Reply-To: Your message of Mon, 22 Mar 1993 17:46:29 +0100 . <9303221647.AA18513@sap-ag.de> From: Amos Shapira Date: Mon, 22 Mar 1993 20:49:53 +0200 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Bill Wohler writes: | the encrypting bit sounds like a good idea, but there might be law | problems if one site is in the us and the other is somewhere else, | esp DES. what, besides DES is covered by us export laws? is it | just the algorithm, or is one not allowed to export DES encoded | traffic as well? As far as I know only the code generating DES is prohibited from being exported from the U.S. RSA is restricted by patent (which seems to be even more restrictive than the security nature of the DES limitation). For example of a code which uses DES I guess you can take PGP and NTP, they are carefull to use code from abroad but you can still move traffic to/from the states using DES. 
What I wander is whether I'm allowed to move DES code THROUGH nets in the U.S., I mean that our link to Australia is crossing the NSFnet and I found a DES code to complete my NTP package in Oz, did I break any American law? Surely sounds funny. | |marcus> If you have to, a captive login program that does a chroot to |marcus> someplace and drops the user into a simple shell that lets them telnet |, |marcus> or rlogin to other machines, will do 95% of what you want. | | this is what i was thinking. comments from others? has anyone | written this? if not, i'll post it here after i do. ;-) I'm working on such a thing right now (when I don't waste time reading mail). Will update you if you are interested in the outcome. Cheers, Amos --Amos Shapira (Jumper Extraordinaire) | "It is true that power corrupts, C.S. System Group, Hebrew University, | but absolute power is better!" Jerusalem 91904, ISRAEL | amoss@cs.huji.ac.il | -- the Demon to his son From Firewalls-Owner Mon Mar 22 20:59:56 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13714; Mon, 22 Mar 93 20:59:56 GMT Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13707; Mon, 22 Mar 93 12:59:49 PST Received: by TIS.COM (4.1/SUN-5.64) id AA12919; Mon, 22 Mar 93 16:00:46 EST Date: Mon, 22 Mar 93 16:00:46 EST From: Marcus J Ranum Message-Id: <9303222100.AA12919@TIS.COM> To: kent@sparky.IMD.Sterling.COM, wohler@sap-ag.de Subject: Re: Firewalls and NFS - Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk >The internal >user is then free to access hosts and services on the Internet. Files >retrieved to the gateway are available to the user internally via NFS. >The user can remove files transfered into the directories created during >the acftp session startup but they cannot remove the directories. This would make me somewhat nervous in general, since it means that users are modifying data on the firewall. 
I like the idea of having all the application gateways operate socket-to-socket and never touch (or even know about) the file system on the firewall. The SEAL ftpxd or telnetxd can run from a chrooted filesystem with nothing in it, if need be. I'm paranoid, I guess, but most of the security holes I used to know of had something to do with exploiting some file permissions by some process that shouldn't have access to some file. Make your application gateway never open any files under user control, and you've put a bullet through the problem. mjr. From Firewalls-Owner Mon Mar 22 21:37:23 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13837; Mon, 22 Mar 93 21:37:23 GMT Received: from sparky.IMD.Sterling.COM (sparky.Sterling.COM) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA13457; Mon, 22 Mar 93 11:34:54 PST Received: by sparky.IMD.Sterling.COM (5.65c/IDA-1.4.4) id AA07705; Mon, 22 Mar 1993 13:35:39 -0600 From: Kent Landfield Message-Id: <199303221935.AA07705@sparky.IMD.Sterling.COM> Subject: Re: Firewalls and NFS - To: wohler@sap-ag.de Date: Mon, 22 Mar 93 13:35:38 CST Cc: mjr@tis.com, firewalls@GreatCircle.COM In-Reply-To: <9303221647.AA18513@sap-ag.de>; from "Bill Wohler" at Mar 22, 93 5:46 pm X-Mailer: ELM [version 2.3 PL11] Sender: Firewalls-Owner@GreatCircle.COM Bill, > Marcus J Ranum writes: > marcus> If you have to, a captive login program that does a chroot to > marcus> someplace and drops the user into a simple shell that lets them telnet, > marcus> or rlogin to other machines, will do 95% of what you want. > > this is what i was thinking. comments from others? has anyone > written this? if not, i'll post it here after i do. ;-) I have real reservations about responding to this but what the hey... I have hacked something together that has been in use here for a while. There are some assumptions made that may not apply to all. I am putting this out as a starting point for others. 
I'd be happy to hear constructive ideas but please, no heavy duty flames of "how dumb can you be!" :-) I needed something cheap and this definitely fit the bill... :-) The sources are available via FTP from sparky.sterling.com as /local/gau.tar.Z. I'd be happy to roll in any enhancements others make. I was planning on adding some additional ftp commands for dealing with ftp from the firewall to internal systems but we are NFS mounting the transfer area at present. There are some stubs in place if you wish to modify it further to not need NFS. You will need to edit the file telout.c to set up the GATEWAY and DOMAIN defines. Please examine the following overview carefully and if you retrieve the sources, do the same to them as well. All the mods should be bracketed within the GATEWAY ifdefs. These tools also supports checking the load of the gateway host, /etc/nologin semantics, configurable MOTD, as well as they can be configured to log transfers to and from the gateway system. Like everything I release... ** ** Use of this software constitutes acceptance for use in an AS IS ** condition. There are NO warranties with regard to this software. ** In no event shall the author(s) be liable for any damages whatsoever ** arising out of or in connection with the use or performance of this ** software. Any use of this software is at the user's own risk. ** -Kent+ -- Kent Landfield INTERNET: kent@sterling.com Sterling Software UUCP: uunet!sparky!kent Phone: (402) 291-8300 FAX: (402) 291-4362 Please send comp.sources.misc-related mail to kent@uunet.uu.net. ============================================================================= FTP-Availability: sparky.sterling.com:/local/gau.tar.Z Tested Environment: SunOS4.1.2 This README is an overview of the GATEWAY Access Utilities and how to install them. This package currently supports access to the Internet through the use of a firewall system. All internal systems are hidden behind a firewall (or gateway) from the Internet. 
These utilities allow users from inside the network to get to archives and services on the Internet without requiring that they have an account on the gateway system.

The general design is as follows. There are two special accounts set up to specifically allow use of a modified telnet and ftp program from the gateway host. The access programs telout and ftpout are installed on hosts which are internal to the network. There are currently two different network access utilities supported, telnet and ftp. On the gateway host, two different executables, acftp and actelnet, are installed. These are actually a version of telnet and ftp which have been modified to better support gateway usage.

                           Internet
          -----------------------------------------
                                    ||
                                    ||
   __________                            ______________
  |Internal  |                          | Gateway Host |
  |  Host    |         Internal         |  [Firewall]  |
  |          |--------------------------|              |
  | (telout) |           LAN            |  (actelnet)  |
  | (ftpout) |                          |   (acftp)    |
  |__________|                          |______________|

The internal user executes the ftpout or telout program, which sets up the user's privilege as that of the special accounts ftpout or telout. The program then rlogins into the appropriate account on the gateway system. The user is thrown into either the actelnet or acftp application as appropriate. These applications are set up as the accounts' login shells. The internal user is then free to access hosts and services on the Internet. Files retrieved to the gateway are available to the user internally via NFS. The user can remove files transferred into the directories created during the acftp session startup but they cannot remove the directories. Empty directories can be removed via a process run periodically from cron if they are bothersome, but it is unnecessary.

All access to the Internet is logged to a file, /var/log/outbound on the loghost as delivered. The time in seconds of the connection is logged as well for possible use in accounting for use of the network connections.
=====================================================================
GATEWAY HOST SETUP:
=====================================================================

1. Add the following entries to /etc/passwd,

   ftpout:*:85:85:Internal FTP Account:/tmp/ftp:/usr/local/bin/acftp
   telout:*:86:86:Internal Telnet Account:/tmp/.tel:/usr/local/bin/actelnet

   NOTE: The accounts are set up so that there is no direct login capability allowed. The login shell is specified as the application so that the user cannot get directly to the shell.

2. Add the following entries to /etc/group,

   ftpout:*:85:
   telout:*:86:

3. Edit the /etc/syslog.conf file and add the following entries:

   local0.info	ifdef(`LOGHOST', /var/log/outbound, @loghost)
   local0.err	ifdef(`LOGHOST', /var/log/outbound, @loghost)

   NOTE: Since the syslog.conf file is actually run through m4, assure that the fields are separated by tab characters.

4. Create /var/log/outbound and assure that the ownership and modes allow it to be written by syslogd. Restart syslogd with a -HUP so that it processes your changes.

5. Create the /etc/outbound.cfg configuration file with the following type of information;

   #
   # MOTD is the Message that you wish displayed when the user logs
   # into the gateway via the telout or ftpout facility. The contents
   # of MOTD should be the full disk path to file to be displayed.
   #
   # LOAD is the load limit at which logins to the gateway system are
   # disabled with a "Sorry, try again" type message.
   #
   MOTD=/etc/Outbound.motd
   LOAD=6

   Create and edit your welcome message so that it is displayed to the user upon login.

Telout:

6. Create a home directory for the telout account.

7. Create a .hushlogin file in the telout home directory.

8. Create a .rhosts file in the telout home directory. The contents of the .rhosts file should consist of a host's fully qualified domain name and the account name "telout".
   If I have a system nomad in the DDP.Sterling.COM domain the .rhosts file entry for that system is:

   nomad.DDP.Sterling.COM telout

   Add an entry for each host that you are going to install the telout access software on.

9. Change the modes and ownership on the telout home directory and the files within to reflect the following;

   drwxr-sr-x  2 root   wheel   512 May 21 00:19 .
   -r--r--r--  1 root   wheel     0 May 12 10:47 .hushlogin
   -r--r--r--  1 root   wheel    32 May 21 00:19 .rhosts

Ftpout:

10. Create a home directory for the ftpout account.

11. Create a .hushlogin file in the ftpout home directory.

12. Create a .rhosts file in the ftpout home directory. The contents of the .rhosts file should consist of a host's fully qualified domain name and the account name "ftpout". If I have a system nomad in the DDP.Sterling.COM domain the .rhosts file entry for that system is:

   nomad.DDP.Sterling.COM ftpout

   Add an entry for each host that you are going to install the ftpout access software on.

13. Change the modes and ownership on the ftpout home directory and the files within to reflect the following;

   drwxrwsr-t  3 ftpout ftpout  512 May 20 23:44 .
   -r--r--r--  1 root   wheel     0 May 20 23:01 .hushlogin
   -r--r--r--  1 root   wheel    32 May 20 21:18 .rhosts

14. Edit the /etc/exports file to allow those systems that are to have the telout and ftpout programs installed, so that the FTP transfer area can be NFS mounted from the internal systems.

15. Next compile and install the acftp executable.

   a. Make the executable acftp.
   b. cp acftp /usr/local/bin
   c. chgrp kmem /usr/local/bin/acftp
   d. chown ftpout /usr/local/bin/acftp
   e. chmod 2755 /usr/local/bin/acftp

16. Next compile and install the actelnet executable.

   a. Make the executable actelnet.
   b. cp actelnet /usr/local/bin
   c. chgrp kmem /usr/local/bin/actelnet
   d. chown telout /usr/local/bin/actelnet
   e.
   chmod 2755 /usr/local/bin/actelnet

   NOTE: The executables are installed setgid to the group kmem so that the program can read the load average out of /dev/kmem when the programs start up. Once kmem is read, actelnet and acftp reset the group id to the real group id. All files retrieved via ftp will have a group ownership of ftpout, not kmem.

=====================================================================
INTERNAL HOSTS SETUP:
=====================================================================

1. Add the following entries to /etc/passwd,

   ftpout:NOLOGIN:85:85:Internal FTP Account:/tmp:/dev/null
   telout:NOLOGIN:86:85:Internal Telnet Account:/tmp:/dev/null

2. Add the following entries to /etc/group,

   ftpout:*:85:
   telout:*:86:

3. Next compile and install the telout and ftpout executables.

   a. Edit telout.c and assure the GATEWAY and DOMAIN defines are correct and then make the executables.
   b. cp ftpout telout /usr/local/bin
   c. chgrp ftpout /usr/local/bin/ftpout
   d. chgrp telout /usr/local/bin/telout
   e. chown ftpout /usr/local/bin/ftpout
   f. chown telout /usr/local/bin/telout
   g. chmod 6755 /usr/local/bin/ftpout /usr/local/bin/telout

4. Edit /etc/fstab and add an entry so as to allow the ftp transfer area to be accessible from the internal systems. (automount 'em if you got 'em)

5. Mount the gateway's transfer area.

=====================================================================

The internal host setup will need to be completed for each host that you wish to allow external access from.

These facilities recognize the semantics of /etc/nologin and will display its contents if the file's size is greater than 0 bytes. They also use the LOAD value specified in the config file to determine when to disallow access because the gateway is too busy.

The sources to telnet were originally from the BSD sources and modified to become actelnet. The sources to ftp were grabbed from gatekeeper.dec.com.
Originally BSD sources, ftp was modified by Paul Vixie (vixie@pa.dec.com) and then later modified to become acftp with gateway support added. Telout.c was written by Kent Landfield (kent@sterling.com) to glue this all together. From Firewalls-Owner Mon Mar 22 23:23:29 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14239; Mon, 22 Mar 93 23:23:29 GMT Received: from tardis.netserv.com (netserv.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14232; Mon, 22 Mar 93 15:23:24 PST Received: by tardis.netserv.com (4.1/netserv-1.0) id AA06560; Mon, 22 Mar 93 15:02:14 PST Date: Mon, 22 Mar 93 15:02:14 PST From: Scott M. Hinnrichs Message-Id: <9303222302.AA06560@tardis.netserv.com> To: firewalls@GreatCircle.COM Subject: FYI - New NIC database Cc: smh@netserv.com Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk The nic has stopped updating the databases on nic.ddn.mil. They are now only updating on rs.internic.net. That is why my info was not changing when I did whois queries. NIC has not announced this change yet. No word on why they are being silent about this change. Scott From Firewalls-Owner Tue Mar 23 00:28:30 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14391; Tue, 23 Mar 93 00:28:30 GMT Received: from sayshell.umd.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14384; Mon, 22 Mar 93 16:28:22 PST Received: from localhost by sayshell.umd.edu (NX5.67c/NeXT-1.0) id AA14544; Mon, 22 Mar 93 19:28:44 -0500 Message-Id: <9303230028.AA14544@sayshell.umd.edu> To: Amos Shapira Cc: firewalls@GreatCircle.COM From: "Louis A. Mamakos" Subject: Re: Firewalls and NFS - In-Reply-To: Your message of "Mon, 22 Mar 1993 20:49:53 +0200." 
<199303221849.AA15416@shuldig.cs.huji.ac.il> Date: Mon, 22 Mar 1993 19:28:44 -0500 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > For example of a code which uses DES I guess you can take PGP and NTP, they > are carefull to use code from abroad but you can still move traffic to/from > the states using DES. Let me just this opportunity to point out that NTP does not use DES to encrypt any data in the packet; it uses it to compute a cryptographic checksum over the contents of the packet to detect tampering and to authenticate the origin of the packet. I have also written some code for xntp3 (which is now part of the standard distribution) which uses an MD5 digest over the packet contents and a shared secret to authenticate the sender and verify that the contents of the packet have not been tampered with. Because of the design of NTP, replay attacks are not a problem. > What I wander is whether I'm allowed to move DES code THROUGH nets in the > U.S., I mean that our link to Australia is crossing the NSFnet and I found a > DES code to complete my NTP package in Oz, did I break any American law? > Surely sounds funny. I've found that you cannot employ reason in the face of an unreasonable situation. This is just all too silly.. Louis A. Mamakos University of Maryland, College Park From Firewalls-Owner Tue Mar 23 01:43:52 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14707; Tue, 23 Mar 93 01:43:52 GMT Received: from rain.psg.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14700; Mon, 22 Mar 93 17:43:45 PST Received: by rain.psg.com (/\==/\ Smail3.1.25.1 #25.4) id ; Mon, 22 Mar 93 17:44 PST Message-Id: From: randy@psg.com (Randy Bush) Subject: Re: FYI - New NIC database To: smh@netserv.com (Scott M. Hinnrichs) Date: Mon, 22 Mar 1993 17:44:14 -0800 (PST) Cc: firewalls@GreatCircle.COM In-Reply-To: <9303222302.AA06560@tardis.netserv.com> from "Scott M. 
Hinnrichs" at Mar 22, 93 03:02:14 pm Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 307 Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > They are now only updating on rs.internic.net. ... NIC has not announced > this change yet. No word on why > they are being silent about this change. One good reason for the lack of announcement is that this network is not yet announced on the NSFNET. There may be other reasons. We'll see, I guess. From Firewalls-Owner Tue Mar 23 03:03:54 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14901; Tue, 23 Mar 93 03:03:54 GMT Received: from tardis.netserv.com (netserv.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA14886; Mon, 22 Mar 93 19:03:47 PST Received: by tardis.netserv.com (4.1/netserv-1.0) id AA06665; Mon, 22 Mar 93 19:05:39 PST Date: Mon, 22 Mar 93 19:05:39 PST From: Scott M. Hinnrichs Message-Id: <9303230305.AA06665@tardis.netserv.com> To: randy@psg.com, smh@netserv.com Subject: Re: FYI - New NIC database Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk A reliable source has stated that the announcement will occur on April 1. It will be part of the Internic announcement. We just have a few days advance notice. Gee, on second thought, April 1st!!, what a day to announce a major network change; who will believe it?! 
;-) Scott From Firewalls-Owner Tue Mar 23 10:35:23 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16162; Tue, 23 Mar 93 10:35:23 GMT Received: from ben.uknet.ac.uk by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16146; Tue, 23 Mar 93 02:34:53 PST Received: from eros.uknet.ac.uk by ben.uknet.ac.uk via UKIP with SMTP (PP) id ; Tue, 23 Mar 1993 10:34:53 +0000 Received: from visionware.co.uk by eros.uknet.ac.uk with UUCP id <14674-0@eros.uknet.ac.uk>; Tue, 23 Mar 1993 10:34:52 +0000 Received: by vision.visionware.co.uk (5.59/smail2.5/10-15-90) id AA24021; Tue, 23 Mar 93 10:12:43 GMT Newsgroups: vw.net.firewalls Path: chris From: chris@visionware.co.uk (Chris Davies) Subject: Re: Firewalls and NFS - Message-Id: <1993Mar23.101052.23905@visionware.co.uk> Organization: VisionWare Ltd., Leeds, UK X-Newsreader: TIN [version 1.1 PL8] References: <9303221647.AA18513.vw.net.firewalls@sap-ag.de> Date: Tue, 23 Mar 1993 10:10:52 GMT Apparently-To: firewalls@greatcircle.com To: greatcircle.com!firewalls@visionware.co.uk Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk Bill Wohler (wohler@hw1175.sap-ag.de) wrote: > the encrypting bit sounds like a good idea, but there might be law > problems if one site is in the us and the other is somewhere else, > esp DES. Not a problem - I'm in the UK, so I can use European variants of DES code and export the result into the US :-) Chris -- VISIONWARE LTD, 57 Cardigan Lane, LEEDS LS4 2LE, England Tel +44 532 788858 x238. Fax +44 532 304676. 
Email chris@visionware.co.uk ---------- "VisionWare: The home of DOS/SQL/UNIX/X/VMS integration" --------- From Firewalls-Owner Tue Mar 23 14:25:35 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16411; Tue, 23 Mar 93 14:25:35 GMT Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16402; Tue, 23 Mar 93 06:25:03 PST Received: by TIS.COM (4.1/SUN-5.64) id AA17672; Tue, 23 Mar 93 09:26:08 EST Date: Tue, 23 Mar 93 09:26:08 EST From: Marcus J Ranum Message-Id: <9303231426.AA17672@TIS.COM> To: wohler@sap-ag.de Subject: Re: Firewalls and NFS - Cc: firewalls@GreatCircle.COM Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk > i've heard the term "tunnelling router" mentioned a couple of times > on this list, but haven't seen a description. could someone > describe this term briefly? A tunnelling router is a router that accepts traffic for a network, then encapsulates it either in IP or some other protocol, and sends it to another tunnelling router that de-encapsulates it and injects it onto the network as if it got there normally. Part of the encapsulation can consist of cryptography or whatever you like. The advantages of tunnelling is that you can put a tunnel on the *inside* of your firewall, and (depending on how your firewall is set up) you can make remote networks you trust look like they are local with a one-hop route. You can also do tunnelling between trustworthy machines on remote networks, so that you can have remote points-of-presence on networks you otherwise couldn't get to, with possibly encrypted links. I put together a paper about this stuff, back when I was thinking of productizing my tunnel driver - email me if you want a copy. > the encrypting bit sounds like a good idea, but there might be law > problems if one site is in the us and the other is somewhere else, > esp DES. what, besides DES is covered by us export laws? 
is it > just the algorithm, or is one not allowed to export DES encoded > traffic as well? Just the algorithm, but you should make sure you can prove that if you're a US-based company, that you didn't conspire to circumvent the ITAR by whatever means you got the crypto on both ends. It's all amazingly convoluted - there's no sense to it. The encrypting bit *is* a good idea. It is a fact that some European intelligence agencies have passed intercepted industrial secrets to their own national companies. If I were a multinational that transported trade secrets over my network, I'd be concerned. For this kind of purpose, however, there are loads of encrypting CSU/DSUs or point-to-point encrypting routers that will do the trick. Just take a vacation to Europe and take a Cylink high speed encrypting CSU in your luggage. :) mjr. From Firewalls-Owner Tue Mar 23 14:35:20 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16443; Tue, 23 Mar 93 14:35:20 GMT Received: from relay2.UU.NET by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16434; Tue, 23 Mar 93 06:34:38 PST Received: from uunet.uu.net (via spool.UU.NET) by relay2.UU.NET with SMTP (5.61/UUNET-internet-primary) id AA06952; Tue, 23 Mar 93 09:35:05 -0500 Received: from rams.srg.af.mil by srg.srg.af.mil id aa16660; Tue, 23 Mar 93 8:33:25 EST From: Bob Reinhardt Reply-To: Bob Reinhardt Date: Tue Mar 23 08:29:01 1993 Subject: Re: FYI - New NIC database To: firewalls@GreatCircle.COM Message-Id: <9303230829.aa07246@rams.srg.af.mil> Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk _______ Forwarded Message ....rest of header delete Date: Tue Mar 23 08:27:10 1993 Subject: Re: FYI - New NIC database ....rest of header deleted Right, that is what the rs.internic.net address is. 
I believe what is happening is that, we Milnet people are OK at NIC, but NIC is farming out a non-Milnet database onto a new computer, probably for segregating workload, among other reasons ;-> --Bob >> Bob, >> >> I just checked. Our databases are being updated just fine at nic.ddn.mil. >> Had a TAC user registered just last week, as a matter of fact. I don't know >> what this guy is talking about! >> >> I did find it interesting that, effective 1 Apr, NSFNET is going to open an >> Internet NIC! Stay tuned for more details.... >> >> John >> >> >> Just in case this sort of thing matters to you. >> >> >> >> --Bob >> >> >> >> _______ Forwarded Message >> >> >> >> From: Scott M. Hinnrichs >> >> Date: Mon, 22 Mar 93 15:02:14 PST >> >> Subject: FYI - New NIC database >> >> To: firewalls@greatcircle.com >> >> Cc: smh@netserv.com >> >> >> >> The nic has stopped updating the databases on nic.ddn.mil. They are now >> only >> >> updating on rs.internic.net. That is why my info was not changing when I >> >> did whois queries. NIC has not announced this change yet. No word on why >> >> they are being silent about this change. 
>> >> >> >> Scott >> >> >> >> _______ End of Forwarded Message >> >> >> _______ End of Forwarded Message From Firewalls-Owner Tue Mar 23 15:29:02 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16528; Tue, 23 Mar 93 15:29:02 GMT Received: from research.att.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16521; Tue, 23 Mar 93 07:28:40 PST Message-Id: <9303231528.AA16521@mycroft.GreatCircle.COM> From: smb@research.att.com Received: by gryphon; Tue Mar 23 10:27:43 EST 1993 To: Marcus J Ranum Cc: wohler@sap-ag.de, firewalls@GreatCircle.COM Subject: Re: Firewalls and NFS - Date: Tue, 23 Mar 93 10:27:42 EST Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk A tunnelling router is a router that accepts traffic for a network, then encapsulates it either in IP or some other protocol, and sends it to another tunnelling router that de-encapsulates it and injects it onto the network as if it got there normally. Part of the encapsulation can consist of cryptography or whatever you like. The advantages of tunnelling is that you can put a tunnel on the *inside* of your firewall, and (depending on how your firewall is set up) you can make remote networks you trust look like they are local with a one-hop route. Of course, that's also the *disadvantage* of tunnelling -- anyone who can set up any sort of circuit between an internal and an external point can open up IP access to the internal net. I discussed some of this, albeit without using the word ``tunnel'', in a Usenix paper a few years ago. Anyone interested can snarf it from research.att.com:dist/smb/pnet.ext.ps.Z. 
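The tunnelling router Marcus describes, and the caveat Steve adds above, worked through as an added example (this is not code from the list, from Marcus's tunnel driver or from Steve's paper). One endpoint wraps an inner IP datagram in an outer frame carrying a sequence number and a keyed digest over the whole thing, which is the authentication-only approach Louis Mamakos describes for NTP: a shared secret plus a digest, no encryption of the payload, so the DES export question does not arise. The decapsulating side injects the inner packet onto the local net only if the digest verifies under the shared key, the sequence number has not been seen before, and the inner source address lies in the networks the peer is supposed to speak for. Without those checks a tunnel endpoint is exactly the door Steve warns about: anyone who can reach the outer port can put packets onto the inside. The shared key, the peer network 10.2.0.0/16, the sample addresses and the choice of HMAC-SHA256 are all assumptions of the example; reading and writing real packets on a socket or tunnel device is left out.

```python
"""Tunnel endpoint with authenticated, replay-protected encapsulation.
Added example: not the list's code and not Marcus's tunnel driver."""
import hashlib
import hmac
import ipaddress
import struct

TAG_LEN = 32  # HMAC-SHA256 digest length (assumed algorithm; NTP's scheme used keyed MD5)


class TunnelError(Exception):
    """Packet rejected by the decapsulator; the message says why."""


def inner_datagram(src, dst, payload, proto=17):
    """Build a bare IPv4 datagram (no options, checksum left zero) as sample inner traffic."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def encapsulate(key, seq, inner):
    """Outer format: 4-byte sequence number | inner datagram | HMAC over both."""
    body = struct.pack("!I", seq) + inner
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TunnelEndpoint:
    """One end of the tunnel: knows the shared key and which networks the peer speaks for."""

    def __init__(self, key, peer_networks):
        self.key = key
        self.peer_networks = [ipaddress.ip_network(n) for n in peer_networks]
        self.last_seq = -1  # highest sequence number accepted so far

    def decapsulate(self, packet):
        """Return the inner datagram to inject onto the local net, or raise TunnelError."""
        if len(packet) < 4 + 20 + TAG_LEN:
            raise TunnelError("short packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise TunnelError("bad authenticator")
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq:
            raise TunnelError("replayed sequence number %d" % seq)
        inner = body[4:]
        if inner[0] >> 4 != 4:
            raise TunnelError("inner packet is not IPv4")
        src = ipaddress.IPv4Address(inner[12:16])
        if not any(src in net for net in self.peer_networks):
            raise TunnelError("inner source %s is not in the peer's networks" % src)
        self.last_seq = seq
        return inner


def try_decapsulate(endpoint, packet):
    """Convenience wrapper returning a one-line verdict instead of raising."""
    try:
        endpoint.decapsulate(packet)
        return "accepted"
    except TunnelError as why:
        return "rejected: %s" % why


if __name__ == "__main__":
    key = b"shared-secret-exchanged-out-of-band"   # constructed key
    far_end = TunnelEndpoint(key, ["10.2.0.0/16"])  # assumed: peer speaks for 10.2.0.0/16
    good = encapsulate(key, 1, inner_datagram("10.2.0.5", "10.1.0.9", b"hello"))
    print("genuine packet:      ", try_decapsulate(far_end, good))
    print("same packet replayed:", try_decapsulate(far_end, good))
    print("forged with wrong key:", try_decapsulate(
        far_end, encapsulate(b"guess", 2, inner_datagram("10.2.0.5", "10.1.0.9", b"x"))))
    print("spoofed inner source:", try_decapsulate(
        far_end, encapsulate(key, 3, inner_datagram("10.1.0.1", "10.1.0.9", b"x"))))
```

The inner-source check is what keeps a tunnel from becoming a way to spoof internal addresses from outside: the peer is allowed to originate packets only from the prefixes it is trusted for, the same idea as filtering at the border router. A strictly increasing sequence number is enough here because the example assumes an in-order link; a window-based replay check would be needed over a path that reorders packets.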
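The "captive login program" Marcus suggested earlier in this thread, which Bill and Amos said they were writing and which Kent's acftp/actelnet package implements as the special accounts' login shells, as an added example (not the list's code, not Kent's actelnet and not Amos's daemon). Installed as an account's login shell, it is the only thing that account can run: it honours the /etc/nologin and LOAD semantics from Kent's README, asks for a destination, accepts only a well-formed host name (so nothing the user types can reach a shell or become an option to the client), refuses destinations inside the protected domain so the gateway account cannot be used as a hop back in, then runs the client and records who went where and for how long. The program paths, the protected domain name, the load limit and the use of stderr in place of syslog local0 are assumptions of the example; the chroot Marcus mentions needs root and is not shown.

```python
"""Captive login shell for a gateway pass-through account.
Added example: not the list's code, not Kent's actelnet, not Amos's daemon."""
import os
import re
import subprocess
import sys
import time

# Assumed values; Kent's package reads the equivalents from its defines and /etc/outbound.cfg.
ALLOWED_PROGRAMS = {"telnet": "/usr/bin/telnet", "rlogin": "/usr/bin/rlogin"}
PROTECTED_DOMAINS = ["internal.example"]   # the gateway account must not be a hop back inside
LOAD_LIMIT = 6.0                           # same role as LOAD=6 in the README
NOLOGIN = "/etc/nologin"

# RFC 1123 host name: letters, digits, hyphens and dots only, so nothing else reaches exec().
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


class Refused(Exception):
    """The request was turned down; the message is safe to show the user."""


def nologin_message(path=NOLOGIN):
    """/etc/nologin semantics: if the file exists, refuse logins and show its
    contents when it is non-empty. Returns None when logins are allowed."""
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError:
        return None
    return text if text.strip() else "Logins are currently disabled."


def load_too_high(load1, limit=LOAD_LIMIT):
    """True when the one-minute load average is above the configured limit."""
    return load1 > limit


def parse_request(line, protected_domains=PROTECTED_DOMAINS):
    """Turn 'telnet HOST [PORT]' or 'rlogin HOST' into an argv, or raise Refused.
    The user never supplies a program path and never gets a shell."""
    words = line.split()
    if len(words) not in (2, 3):
        raise Refused("usage: telnet HOST [PORT]  or  rlogin HOST")
    program, host = words[0].lower(), words[1].lower()
    if program not in ALLOWED_PROGRAMS:
        raise Refused("only telnet and rlogin are available here")
    if not HOSTNAME_RE.match(host):
        raise Refused("malformed host name")
    if any(host == d or host.endswith("." + d) for d in protected_domains):
        raise Refused("hosts inside the protected network are not reachable from the gateway")
    argv = [ALLOWED_PROGRAMS[program], host]
    if len(words) == 3:
        port = words[2]
        if program != "telnet" or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise Refused("a port may only be given for telnet, as a number 1-65535")
        argv.append(port)
    return argv


def verdict(line, protected_domains=PROTECTED_DOMAINS):
    """The argv for an acceptable request, or the refusal text."""
    try:
        return parse_request(line, protected_domains)
    except Refused as why:
        return "refused: %s" % why


def run_and_log(argv, user):
    """Run the client, then return the accounting record (seconds connected, as in the README)."""
    started = time.time()
    status = subprocess.call(argv)
    return "outbound: user=%s cmd=%s secs=%d status=%d" % (
        user, " ".join(argv), int(time.time() - started), status)


def main():
    msg = nologin_message()
    if msg is not None:
        print(msg)
        return 1
    if load_too_high(os.getloadavg()[0]):
        print("Sorry, the gateway is too busy; try again later.")
        return 1
    sys.stdout.write("connect to (telnet HOST [PORT] | rlogin HOST): ")
    sys.stdout.flush()
    line = sys.stdin.readline()
    if not line:
        return 1
    result = verdict(line)
    if isinstance(result, str):
        print(result)
        return 1
    # Kent's tools send this record to syslog local0; stderr stands in for that here.
    print(run_and_log(result, os.environ.get("USER", "unknown")), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The host-name check does double duty: it keeps shell metacharacters away from the client, and because a leading hyphen is not a valid label it also stops a user from smuggling an option such as a different login name or an rc file to telnet or rlogin. Everything the user can influence ends up as a single argv element, never in a shell command line.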
From Firewalls-Owner Tue Mar 23 15:35:05 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16560; Tue, 23 Mar 93 15:35:05 GMT
Received: from yonge.csri.toronto.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA16551; Tue, 23 Mar 93 07:34:30 PST
Received: from alias by yonge.csri.toronto.edu with UUCP id <14427>; Tue, 23 Mar 1993 10:34:32 -0500
Received: from dino.alias.com by barney.alias.com with SMTP id AA02097 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Tue, 23 Mar 93 09:56:40 -0500
Received: by dino.alias.com id AA26595 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Tue, 23 Mar 93 09:56:38 -0500
From: chk@alias.com (C. Harald Koch)
Message-Id: <9303231456.AA26595@dino.alias.com>
Subject: Re: Firewalls and NFS
To: firewalls@GreatCircle.COM
Date: Tue, 23 Mar 1993 09:56:36 -0500
X-Mailer: ELM [version 2.4 PL8]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3732
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Someone mentioned UUNET's DES box. I asked them for info, and received permission to publish it, so here it is. I apologize to any of you who think this is commercialism; *I* think it's relevant to the list.

----- Cut Here -----

UUNET Lan Guardian (TM)
Secure Connectivity over Public Internets

Introducing the Lan Guardian

The UUNET Lan Guardian is the first in a family of network security products from UUNET Technologies, Inc., of Falls Church, VA. The Lan Guardian is a hardware security solution designed for companies that wish to benefit from the cost savings of using Commercial Internet Service providers (such as UUNET's AlterNet IP service) but are concerned about the security of their confidential data once it leaves their facility.

What does it do?

The Lan Guardian addresses those concerns by "splicing" into the connection between the company's Ethernet and external router and encrypting all data sent between company networks, while also (optionally) allowing connections to non-company facilities to continue without encryption. Operation of the Lan Guardian is totally transparent to network users and is simple for network administrators to manage. Full configuration support is provided.

The Lan Guardian selectively encrypts or decrypts each packet based on the information in the packet header. Only the data portion of the packet is encrypted, thereby allowing the packet to be transmitted with normal routers. The Lan Guardian may also be configured to block selected or all external traffic as well as to use a different key for each network.

By using fast processors and hardware encryption chips, the Lan Guardian can encrypt/decrypt while only adding less than a millisecond of delay. It is imperceptible to the network's users, while providing peace of mind to the network's managers.

Using the Lan Guardian eliminates the concern that all users are running the appropriate application packages and using the appropriate level of security when sending sensitive company data outside the company facilities. The Lan Guardian ensures that company proprietary data sent to remote offices is never in the clear. This allows companies to exchange sensitive financial data or business plans with their remote offices via a Commercial Internet Service provider without fear that the data will be compromised.

How does it work?

Functionally, the Lan Guardian is a 50 MHz Motorola 68040, with Dual Intel 82596CA Ethernet Processors, a CEI 99C003 Super Crypt High Speed Encryption Chip and 4 - 32 Megabytes of Main Memory. Keys are exchanged out of band via either a serial port or a floppy disk. Support for Public Key based key distribution is being added.

What's next?

Optional "firewall" and other functionality will be available later this year. Additional models including T-1 speed serial interfaces will be available soon.

How can I get a Lan Guardian?

Existing AlterNet customers may purchase the Lan Guardian now for US$6,000 or optionally lease for $500/month. The Lan Guardian carries a one year hardware and software warranty.

UUNET Technologies, Inc.
3110 Fairview Park Drive, Suite 570
Falls Church, Virginia 22042 USA
+1 800 4UUNET3 (voice)
+1 703 204 8000 (voice)
+1 703 204 8001 (fax)
alternet-info@uunet.uu.net

930310

--
Minda Seagroves  mks@uunet.uu.net  (703-204-8000)  uunet!mks

----- Cut Here -----

--
Main's Law: For every        | C. Harald Koch  Alias Research, Inc.  Toronto, ON
action, there is an equal    | chk@alias.com (work-related mail)
and opposite government      | chk@gpu.utcs.utoronto.ca (permanent address)
program.                     | VE3TLA@VE3OY.#SCON.ON.CA.NA (AMPRNet)

From Firewalls-Owner Tue Mar 23 21:06:42 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA17287; Tue, 23 Mar 93 21:06:42 GMT
Received: from ll.mit.edu ([129.55.12.3]) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA17280; Tue, 23 Mar 93 13:06:36 PST
Received: by ll.mit.edu (4.1/LL-1.3) id AA10205; Tue, 23 Mar 93 16:03:02 EST
Date: Tue, 23 Mar 93 16:03:18 -0500
From: Claire Durocher
Message-Id: <9303231603.AA17225@LL.MIT.EDU>
To: chk@alias.com, firewalls@GreatCircle.COM
Subject: Re: Firewalls and NFS
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Someone mentioned UUNET's DES box. I asked them for info, and
> received permission to publish it, so here it is. I apologize to any
> of you who think this is commercialism; *I* think it's relevant to
> the list.

I believe a company called Semaphore Communications in Santa Clara, Ca. makes a similar box that uses RSA public key cryptography and works for TCP/IP and other protocols over routed networks.
From Firewalls-Owner Wed Mar 24 15:16:40 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19327; Wed, 24 Mar 93 15:16:40 GMT
Received: from norman.li.cubic.com by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19320; Wed, 24 Mar 93 07:16:13 PST
Received: by norman.li.cubic.com (5.67/1.34a) id AA00860; Wed, 24 Mar 93 10:16:38 -0500
Date: Wed, 24 Mar 93 10:16:38 -0500
From: mischler@Cubic.COM (Dave Mischler)
Message-Id: <9303241516.AA00860@norman.li.cubic.com>
To: FireWalls@GreatCircle.COM
Subject: ICMP Redirects from ?
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

I got some very strange ICMP redirect messages this morning. This is what my (KA9Q-based) router logged:

Mar 24 07:15:58 hector 120 deny icmp rd 223.254.254.2 149.63.183.40
Mar 24 07:56:11 hector 121 deny icmp rd 223.254.254.2 149.63.64.64

All times are Eastern Standard Time (UTC - 5 hours). There are no such machines anywhere in my class B network (in fact the subnets represented do not exist). Anybody else see something like this?

Dave Mischler
mischler@cubic.com

From Firewalls-Owner Wed Mar 24 15:54:22 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19437; Wed, 24 Mar 93 15:54:22 GMT
Received: from news.aero.org by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19430; Wed, 24 Mar 93 07:54:03 PST
Received: by news.aero.org (5.65c/AMX-1.0) id AA00989 for firewalls@greatcircle.com; Wed, 24 Mar 1993 07:44:30 -0800
Posted-Date: 24 Mar 93 07:44:29
To: firewalls@GreatCircle.COM
Path: rub
From: rub@aero.org (Jerzy W. Rub)
Newsgroups: mail.firewalls
Subject: Re: Firewalls and NFS
Date: 24 Mar 93 07:44:29
Organization: The Aerospace Corporation, Los Angeles, California
Lines: 13
Distribution: aero
Message-Id:
References: <9303231603.AA17225@LL.MIT.EDU>
Nntp-Posting-Host: solarium.aero.org
In-Reply-To: Claire Durocher's message of Tue, 23 Mar 93 16:03:18 -0500
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

In article <9303231603.AA17225@LL.MIT.EDU> Claire Durocher writes:

> Someone mentioned UUNET's DES box. I asked them for info, and
> received permission to publish it, so here it is. I apologize to any
> of you who think this is commercialism; *I* think it's relevant to
> the list.

I believe a company called Semaphore Communications in Santa Clara, Ca. makes a similar box that uses RSA public key cryptography and works for TCP/IP and other protocols over routed networks.

Network World, March 22, page 15, carries an article on the Semaphore Comms devices. It also mentions that AT&T will be making one for themselves.

From Firewalls-Owner Wed Mar 24 17:03:48 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19673; Wed, 24 Mar 93 17:03:48 GMT
Received: from is.rice.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19666; Wed, 24 Mar 93 09:03:24 PST
Received: from sabine.is.rice.edu by is.rice.edu (AA17029); Wed, 24 Mar 93 11:03:52 CST
Received: by sabine.is.rice.edu (AA06069); Wed, 24 Mar 93 11:03:51 CST
From: bmanning@is.rice.edu (William Manning)
Message-Id: <9303241703.AA06069@sabine.is.rice.edu>
Subject: Re: ICMP Redirects from ?
To: mischler@cubic.com (Dave Mischler)
Date: Wed, 24 Mar 93 11:03:50 CST
Cc: FireWalls@GreatCircle.COM
In-Reply-To: <9303241516.AA00860@norman.li.cubic.com>; from "Dave Mischler" at Mar 24, 93 10:16 am
X-Mailer: ELM [version 2.3 PL11]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

These are multicast addresses, which are being used to do audio/video over the net. Contact your local regional for more info.

--
Regards,
Bill Manning          bmanning@rice.edu
PO Box 1892           713-285-5415   713-527-6099
Houston, Texas        R.U. (o-kome)  77251-1892

From Firewalls-Owner Wed Mar 24 18:31:41 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19828; Wed, 24 Mar 93 18:31:41 GMT
Received: from shiva1.cac.washington.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA19821; Wed, 24 Mar 93 10:31:23 PST
Received: by shiva1.cac.washington.edu (5.65/UW-NDC Revision: 2.28 ) id AA01976; Wed, 24 Mar 93 10:31:27 -0800
Date: Wed, 24 Mar 1993 10:28:08 -0800 (PST)
From: Bob Williams
Subject: Re: ICMP Redirects from ?
To: Dave Mischler
Cc: FireWalls@GreatCircle.COM
In-Reply-To: <9303241703.AA06069@sabine.is.rice.edu>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Dave,

You may want to look at the MBONE faq on venera.isi.edu:mbone/faq.txt. This explains the current NSFNet multicast backbone infrastructure.

--Bob

From Firewalls-Owner Wed Mar 24 20:04:00 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20051; Wed, 24 Mar 93 20:04:00 GMT
Received: from yonge.csri.toronto.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20044; Wed, 24 Mar 93 12:03:41 PST
Received: from alias by yonge.csri.toronto.edu with UUCP id <14465>; Wed, 24 Mar 1993 15:04:05 -0500
Received: from dino.alias.com by barney.alias.com with SMTP id AA10231 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Wed, 24 Mar 93 14:54:05 -0500
Received: by dino.alias.com id AA20255 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Wed, 24 Mar 93 14:54:03 -0500
From: chk@alias.com (C. Harald Koch)
Message-Id: <9303241954.AA20255@dino.alias.com>
Subject: NIS replacements
To: firewalls@GreatCircle.COM
Date: Wed, 24 Mar 1993 14:54:01 -0500
X-Mailer: ELM [version 2.4 PL8]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 635
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Does anyone out there know of source for NIS (or a compatible replacement)?

I need to run NIS (gag) on one of our SGI boxes for an NFS client for some development Macs, and I want to severely cripple the server (i.e. only serve certain databases and only respond to specific machines).

Any suggestions?

Thanks,

--
Main's Law: For every        | C. Harald Koch  Alias Research, Inc.  Toronto, ON
action, there is an equal    | chk@alias.com (work-related mail)
and opposite government      | chk@gpu.utcs.utoronto.ca (permanent address)
program.                     | VE3TLA@VE3OY.#SCON.ON.CA.NA (AMPRNet)

From Firewalls-Owner Wed Mar 24 20:33:48 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20098; Wed, 24 Mar 93 20:33:48 GMT
Received: from CCA.CAMB.COM (camb.com) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA20086; Wed, 24 Mar 93 12:33:22 PST
Received: from gs.com by camb.com (PMDF V4.2-11 #4085) id <01GW6WHR3YIO8ZE88S@camb.com>; Wed, 24 Mar 1993 15:32:58 EST
Received: from moose.gs.com (moose.wan.gs.com) by gs.com (PMDF #2348 ) id <01GW6WI60FFK90N5XD@gs.com>; Wed, 24 Mar 1993 15:32:52 EDT
Received: by moose.gs.com (4.1/SMI-4.1) id AA05733; Wed, 24 Mar 93 15:31:45 EST
Date: Wed, 24 Mar 1993 15:31:45 -0500 (EST)
From: safdas@moose.gs.com (Shabbir J Safdar)
Subject: Routers that employ encryption
To: firewalls@GreatCircle.COM
Message-Id: <9303242031.AA05733@moose.gs.com>
Content-Transfer-Encoding: 7BIT
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

As if life wasn't coincidental enough, I find I may be in the market for routers that do the "tunneling encryption" trick recently discussed. If everyone with a flyer, an address, a scrap of paper, or a business card for firms that sell such hardware would send them to me, I'll go ahead and post a summary which Brent can perhaps set aside in case this comes up again.

-Shabbir J. Safdar
safdas@moose.gs.com

From Firewalls-Owner Thu Mar 25 06:08:41 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA21099; Thu, 25 Mar 93 06:08:41 GMT
Received: from whistler.sfu.ca by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA21092; Wed, 24 Mar 93 22:08:34 PST
Received: from wizard.ucs.sfu.ca by whistler.sfu.ca (5.65/SFU-2.0) id AA23734; Wed, 24 Mar 93 22:09:16 -0800
Received: by wizard.ucs.sfu.ca (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0) id AA08718; Wed, 24 Mar 93 22:09:08 PST
From: richard@wizard.ucs.sfu.ca (Richard Chycoski)
Message-Id: <9303250609.AA08718@wizard.ucs.sfu.ca>
Subject: Re: NIS replacements
To: chk@alias.com, firewalls@GreatCircle.COM
Date: Wed, 24 Mar 93 22:09:08 PST
In-Reply-To: <9303241954.AA20255@dino.alias.com>; from "C. Harald Koch" at Mar 24, 93 2:54 pm
X-Mailer: ELM [version 2.3 PL9]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Does anyone out there know of source for NIS (or a compatible replacement)?
>
> I need to run NIS (gag) on one of our SGI boxes for an NFS client for some
> development Macs, and I want to severely cripple the server (i.e. only serve
> certain databases and only respond to specific machines).
>
> Any suggestions?

Which Mac NFS client are you using? If it's 'NFS/Share', you don't need NIS, you need 'pcnfsd'. (I hope that you are aware of the security holes in such a setup though, since it isn't difficult for a Mac to get access to the NFS server without authentication.)

If you're using something like the Gatorbox NFS to Appleshare gateway, NIS *is* needed. Sun has patches for their NIS server to restrict access, but only on an all-or-nothing basis for a particular range of machines. I don't know of a similar setup for the SGIs (we have a number of them here, but do all of our NIS serving on the Suns). If you can't control the NIS implementation on the SGIs, and if you have a Sun available, you might consider implementing your NIS server there, with just the necessary information available. It isn't necessary to put the NIS server on the same machine that you are serving NFS from.

--
- Richard Chycoski
Senior Systems Consultant
Academic Computing Services
Simon Fraser University
richard@sfu.ca (NeXTMail OK)

From Firewalls-Owner Thu Mar 25 14:40:51 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22381; Thu, 25 Mar 93 14:40:51 GMT
Received: from aisdb1.llnl.gov by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22374; Thu, 25 Mar 93 06:40:32 PST
Message-Id: <9303251440.AA22374@mycroft.GreatCircle.COM>
Received: by aisdb1.llnl.gov (16.8/16.2) id AA14775; Thu, 25 Mar 93 06:39:48 -0800
From: Leland K. Neely
Subject: Re: NIS replacements
To: richard@wizard.ucs.sfu.ca (Richard Chycoski)
Date: Thu, 25 Mar 93 6:39:48 PST
Cc: chk@alias.com, firewalls@GreatCircle.COM
In-Reply-To: <9303250609.AA08718@wizard.ucs.sfu.ca>; from "Richard Chycoski" at Mar 24, 93 10:09 pm
Mailer: Elm [revision: 70.30]
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> > Does anyone out there know of source for NIS (or a compatible replacement)?
> >
> > I need to run NIS (gag) on one of our SGI boxes for an NFS client for some
> > development Macs, and I want to severely cripple the server (i.e. only serve
> > certain databases and only respond to specific machines).
> >
> > Any suggestions?
>
> Which Mac NFS client are you using? If it's 'NFS/Share', you don't need NIS,
> you need 'pcnfsd'. (I hope that you are aware of the security holes in
> such a setup though, since it isn't difficult for a Mac to get access
> to the NFS server without authentication.)
>
> If you're using something like the Gatorbox NFS to Appleshare gateway,
> NIS *is* needed. Sun has patches for their NIS server to restrict access,
> but only on an all-or-nothing basis for a particular range of machines.
> I don't know of a similar setup for the SGIs (we have a number of them here,
> but do all of our NIS serving on the Suns). If you can't control the NIS
> implementation on the SGIs, and if you have a Sun available, you might
> consider implementing your NIS server there, with just the necessary
> information available. It isn't necessary to put the NIS server on the
> same machine that you are serving NFS from.

Humm- Two things:

1) In the "old" days, gatorshare would use pcnfsd too.

2) What happens if you change the Makefile on your nis "master" and only let it build the databases you wish. In fact, if you get creative, you could run ypbind on a sun with the secure nets option, hard-code the domainname into the Makefile and gen the info desired. Then the full maps only get passed as desired, and the only ones are your picks.

BAD News: Betcha you gotta make passwd available. Be sure to remove all root or equiv accounts before building database. (the Makefile DOESN'T have to use /etc/passwd...)

Best of luck. (condolences too...)

Lee Neely
lkn@llnl.gov

From Firewalls-Owner Thu Mar 25 17:32:10 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22770; Thu, 25 Mar 93 17:32:10 GMT
Received: from Sun.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22751; Thu, 25 Mar 93 09:31:10 PST
Received: from snail.Sun.COM (snail.Corp.Sun.COM) by Sun.COM (4.1/SMI-4.1) id AA14181; Thu, 25 Mar 93 09:31:24 PST
Received: from East.Sun.COM by snail.Sun.COM (4.1/SMI-4.1) id AA25420; Thu, 25 Mar 93 09:31:09 PST
Received: from sundc.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) id AA24755; Thu, 25 Mar 93 12:31:08 EST
Received: from olympus.East.Sun.COM (olympus-bb) by sundc.East.Sun.COM (4.1/SMI-4.1) id AA21069; Thu, 25 Mar 93 12:31:04 EST
Received: by olympus.East.Sun.COM (4.1/SMI-4.1) id AA13835; Thu, 25 Mar 93 12:31:02 EST
Date: Thu, 25 Mar 93 12:31:02 EST
From: fredu@sundc.East.Sun.COM (Fred Unterberger - Federal S.E. Vienna Va.)
Message-Id: <9303251731.AA13835@olympus.East.Sun.COM>
To: firewalls@GreatCircle.COM
Subject: Sun firewall solutions
Content-Length: 555
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Hi,

Tony Tran with Sun said that I might want to inquire here for information regarding firewall solutions available for Sun networks. If anyone on this alias can forward me info, it would be much appreciated. (I already know about Sun's own products and consulting specials)

Thanks,

Fred

*******************************************
*** Fred Unterberger                    ***
*** Sun Microsystems                    ***
*** Federal Area Systems Engineer       ***
*** 2650 Park Tower Drive               ***
*** Vienna, VA 22180                    ***
*** (703) 204-4829                      ***
*******************************************

From Firewalls-Owner Thu Mar 25 18:21:13 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22835; Thu, 25 Mar 93 18:21:13 GMT
Received: from yonge.csri.toronto.edu by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA22828; Thu, 25 Mar 93 10:20:51 PST
Received: from alias by yonge.csri.toronto.edu with UUCP id <14470>; Thu, 25 Mar 1993 13:21:13 -0500
Received: from dino.alias.com by barney.alias.com with SMTP id AA01611 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Thu, 25 Mar 93 12:39:40 -0500
Received: by dino.alias.com id AA19299 (5.65a/IDA-1.4.2 for firewalls@greatcircle.com); Thu, 25 Mar 93 12:39:40 -0500
From: chk@alias.com (C. Harald Koch)
Message-Id: <9303251739.AA19299@dino.alias.com>
Subject: Re: NIS replacements
To: firewalls@GreatCircle.COM
Date: Thu, 25 Mar 1993 12:39:37 -0500
In-Reply-To: <93Mar25.094105est.14436@yonge.csri.toronto.edu> from "lkn@llnl.gov" at Mar 25, 93 09:39:48 am
X-Mailer: ELM [version 2.4 PL8]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1458
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

> Which Mac NFS client are you using? If it's 'NFS/Share', you don't need NIS,
> you need 'pcnfsd'. (I hope that you are aware of the security holes in
> such a setup though, since it isn't difficult for a Mac to get access
> to the NFS server without authentication.)

No, I'm not aware of specific security holes in this setup (just the general ones, i.e. a Mac user is by definition super-user on the client).

Actually, as I've discovered, NFS/Share will also use a thing called BWNFSD, which is included (in source form) on the NFS/Share diskette. I'm still analyzing it for security issues that I know about; if y'all know of this package, I'd be interested in hearing experiences.

> If you're using something like the Gatorbox NFS to Appleshare gateway,
> NIS *is* needed.

The gatorbox will also allow you to export /, and then it'll read /etc/passwd via NFS and do authentication that way. :-) :-)

I think I'm going to end up hacking the BWNFS Daemon to use a separate password file and to do client checks, and only allow access to certain users/machines that way. It might work...

Thank you all for your suggestions!

--
Main's Law: For every        | C. Harald Koch  Alias Research, Inc.  Toronto, ON
action, there is an equal    | chk@alias.com (work-related mail)
and opposite government      | chk@gpu.utcs.utoronto.ca (permanent address)
program.                     | VE3TLA@VE3OY.#SCON.ON.CA.NA (AMPRNet)

From Firewalls-Owner Fri Mar 26 05:43:49 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA26842; Fri, 26 Mar 93 05:43:49 GMT
Received: from leigh.s1.gov by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA26835; Thu, 25 Mar 93 21:43:41 PST
Received: from kadima.s1.gov by leigh.s1.gov (4.1/TMD1.4) id AA07988; Thu, 25 Mar 93 21:43:42 PST
Received: by kadima.s1.gov (4.1/TMD1.3) id AA18588; Thu, 25 Mar 93 21:43:05 PST
From: Philip C. Cox
Message-Id: <9303260543.AA18588@kadima.s1.gov>
Subject: NNTP thru Firewalls
To: firewalls@GreatCircle.COM
Date: Thu, 25 Mar 1993 21:43:04 -0800 (PST)
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1395
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

From a very old thread: Re: wais [please elaborate on Rik's notes] (fwd)

Brent Chapman writes:

> I don't find the comment about "firewall hosts tend to be heavily
> burdened by SMTP, NNTP, and other relay service loads" to be true at
> all, though most of my firewall hosts don't run NNTP any more (for a
> variety of reasons, none having to do with the security of the NNTP
> protocol, which we can go into separately if anybody cares).

In fact, I would be very interested in the security problems involved in having NNTP on your firewall host vice using a proxy. Please elaborate.

Phil

--
***********************************************************************
* Philip C. Cox                  |  L.L.N.L.                          *
* E-Mail: pcc@s1.gov             |  P.O. Box 808 L-542                *
* VOICE: (415) 423-8316          |  Livermore, CA 94550               *
*=====================================================================*
* Line of the Times:                                                  *
*                                                                     *
* "It's not freedom of choice that is at issue, however, but where    *
* our society draws the line between those choices that enjoy legal   *
* protection and those that don't."                                   *
*                                                   -Austin Pryor     *
***********************************************************************

From Firewalls-Owner Fri Mar 26 06:59:01 1993
Return-Path:
Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27059; Fri, 26 Mar 93 06:59:01 GMT
Received: from TIS.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27052; Thu, 25 Mar 93 22:58:55 PST
Received: by TIS.COM (4.1/SUN-5.64) id AA16430; Fri, 26 Mar 93 01:31:23 EST
Date: Fri, 26 Mar 93 01:31:23 EST
From: Marcus J Ranum
Message-Id: <9303260631.AA16430@TIS.COM>
To: firewalls@GreatCircle.COM, pcc@s1.gov
Subject: Re: NNTP thru Firewalls
Sender: Firewalls-Owner@GreatCircle.COM
Precedence: bulk

Having NNTP on your firewall itself means a couple of things. First off, it means that if there is a bug in an NNTP server that you don't know of, someone might be able to gain access to your firewall. Then it's all over, depending on the NNTP implementation (some nntpds run as root, some start as root). It also means that it's one more hassle that might jam your firewall - you need to worry about news spool or logs or queues overflowing a disk, or filling up space. I find it less of an administrative hassle to use an NNTP tunnel and have the news itself show up on an "inside" machine. That way if, for example, someone comes up with a clever way to use a broken nntpd to add a line to your password file*, they still can't get to the machine to exploit the hole. I also like the model of making it a noteworthy event when someone logs onto the firewall. If all the firewall needs to queue is mail, it's going to be almost a totally maintenance-free machine. I like that, 'cuz I am lazy.

mjr.

*just an example, I know of no such trick.
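An added example of the operating model Marcus describes, written for this archive and not taken from his message: if the firewall is meant to queue mail and nothing else, then two checks fall out directly. One reads the firewall's inetd configuration and reports every service enabled beyond the mail-only policy (an nntpd or ftpd on the firewall is a finding). The other runs over the firewall's syslog and raises an alert for the three things he singles out: anyone at all logging onto the firewall, a connection to a non-mail service, and a file system filling up. The host name "fw", the inside news machine "inside-news", the inetd.conf fragment and every log line are constructed for the example.

```python
"""Audit of a firewall host that should queue mail and nothing else (added example).

Constructed data: the firewall's syslog name is "fw", the inside news machine is
"inside-news", and the inetd.conf fragment and log lines below are made up.
"""
import re

ALLOWED_SERVICES = {"smtp"}   # constructed policy: mail only, everything else is a finding

INETD_CONF = """\
# constructed inetd.conf fragment for the firewall host
smtp   stream  tcp  nowait  root  /usr/lib/sendmail  sendmail -bs
nntp   stream  tcp  nowait  news  /usr/etc/nntpd     nntpd
ftp    stream  tcp  nowait  root  /usr/etc/ftpd      ftpd -l
"""

SAMPLE_SYSLOG = """\
Mar 26 01:31:23 fw login: ROOT LOGIN ttyp0 FROM 198.51.100.7
Mar 26 01:32:00 fw inetd[112]: nntp/tcp: connection from 198.51.100.9
Mar 26 01:32:40 fw inetd[112]: smtp/tcp: connection from 203.0.113.25
Mar 26 01:33:10 fw sendmail[140]: AA00140: from=<alice@example.com>, size=1320, class=0
Mar 26 01:40:02 fw vmunix: /var: file system full
Mar 26 01:41:00 inside-news nntpd[77]: 203.0.113.25 connect
"""

# BSD-style syslog line: timestamp, host, program tag with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def exposed_services(inetd_conf: str) -> set:
    """Service names inetd would listen for, ignoring comments and blank lines."""
    names = set()
    for line in inetd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def unexpected_services(inetd_conf: str, allowed=ALLOWED_SERVICES) -> list:
    """Services enabled on the firewall beyond the mail-only policy, sorted by name."""
    return sorted(exposed_services(inetd_conf) - set(allowed))


def audit_firewall_syslog(text: str, firewall_host: str, allowed=ALLOWED_SERVICES) -> list:
    """Return (kind, timestamp, message) alerts for the three concerns in the post:
    anyone logging on, a non-mail service answering, and a disk filling up."""
    alerts = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m["host"] != firewall_host:
            continue   # lines from other hosts (the inside news machine) are out of scope
        tag, msg = m["tag"], m["msg"]
        if tag == "login":
            alerts.append(("login", m["ts"], msg))          # every login is noteworthy here
        elif tag == "inetd":
            service = msg.split("/", 1)[0]
            if service not in allowed:
                alerts.append(("unexpected-service", m["ts"], msg))
        elif "file system full" in msg:
            alerts.append(("disk-full", m["ts"], msg))
    return alerts


if __name__ == "__main__":
    for svc in unexpected_services(INETD_CONF):
        print("inetd.conf: service outside policy:", svc)
    for kind, ts, msg in audit_firewall_syslog(SAMPLE_SYSLOG, "fw"):
        print(f"{ts} {kind}: {msg}")
```

On the constructed data the configuration check reports ftp and nntp, and the log audit fires three alerts: the root login, the nntp connection, and the full /var file system. The smtp connection and the sendmail line are the only traffic the policy expects, and the inside-news line is ignored because it is not the firewall's.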
From Firewalls-Owner Fri Mar 26 10:45:07 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27753; Fri, 26 Mar 93 10:45:07 GMT Received: from bedrock.cs.UMD.EDU by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27744; Fri, 26 Mar 93 02:44:48 PST Received: by bedrock.cs.UMD.EDU (5.64/UMIACS-0.9/04-05-88) id AA29817; Fri, 26 Mar 93 05:45:13 -0500 Date: Fri, 26 Mar 93 05:45:13 -0500 From: reh@cs.UMD.EDU (Richard Huddleston) Message-Id: <9303261045.AA29817@bedrock.cs.UMD.EDU> To: firewalls@GreatCircle.COM, fredu@sundc.East.Sun.COM Subject: Re: Sun firewall solutions Sender: Firewalls-Owner@GreatCircle.COM Precedence: bulk I would appreciate it if any information on firewalls for Sun networks would be provided to me, as well -- either by including me as a cc: in mail sent to Fred, or by posting to the list. Regards, Richard * From Firewalls-Owner@GreatCircle.COM Fri Mar 26 02:05:46 1993 * Received: from zippy.cs.umd.edu * by bedrock.cs.UMD.EDU (5.64/UMIACS-0.9/04-05-88) * id AA29582; Fri, 26 Mar 93 02:05:45 -0500 * Received: from relay2.UU.NET * by zippy.cs.UMD.EDU (5.64/UMIACS-0.9/04-05-88) * id AA16602; Fri, 26 Mar 93 02:05:44 -0500 * Received: from mycroft.GreatCircle.COM by relay2.UU.NET with SMTP * (5.61/UUNET-internet-primary) id AA20918; Thu, 25 Mar 93 18:41:53 -0500 * Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) * id AA22770; Thu, 25 Mar 93 17:32:10 GMT * Received: from Sun.COM by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) * id AA22751; Thu, 25 Mar 93 09:31:10 PST * Received: from snail.Sun.COM (snail.Corp.Sun.COM) by Sun.COM (4.1/SMI-4.1) * id AA14181; Thu, 25 Mar 93 09:31:24 PST * Received: from East.Sun.COM by snail.Sun.COM (4.1/SMI-4.1) * id AA25420; Thu, 25 Mar 93 09:31:09 PST * Received: from sundc.East.Sun.COM by East.Sun.COM (4.1/SMI-4.1) * id AA24755; Thu, 25 Mar 93 12:31:08 EST * Received: from olympus.East.Sun.COM (olympus-bb) by sundc.East.Sun.COM (4.1/SMI-4.1) * id AA21069; Thu, 
25 Mar 93 12:31:04 EST * Received: by olympus.East.Sun.COM (4.1/SMI-4.1) * id AA13835; Thu, 25 Mar 93 12:31:02 EST * Date: Thu, 25 Mar 93 12:31:02 EST * From: fredu@sundc.East.Sun.COM (Fred Unterberger - Federal S.E. Vienna Va.) * Message-Id: <9303251731.AA13835@olympus.East.Sun.COM> * To: firewalls@GreatCircle.COM * Subject: Sun firewall solutions * Content-Length: 555 * Sender: Firewalls-Owner@GreatCircle.COM * Precedence: bulk * Status: R * * Hi, * * Tony Tran with Sun said that I might want to inquire here for information * regarding firewall solutions available for Sun networks. If anyone on this * alias can forward me info, it would be much appreciated. (I already know * about Sun's own products and consulting specials) * * Thanks, * * Fred * * ******************************************* * *** Fred Unterberger *** * *** Sun Microsystems *** * *** Federal Area Systems Engineer *** * *** 2650 Park Tower Drive *** * *** Vienna, VA 22180 *** * *** (703) 204-4829 *** * ******************************************* * From Firewalls-Owner Fri Mar 26 12:42:02 1993 Return-Path: Received: by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27850; Fri, 26 Mar 93 12:42:02 GMT Received: from verdix.com (sarge.hq.Verdix.COM) by mycroft.GreatCircle.COM (4.1/SMI-4.1/Brent-921015) id AA27843; Fri, 26 Mar 93 04:41:43 PST Received: from crazy.hq.verdix.com by verdix.com (4.1/SMI-4.1/ccg.7.2.91) id AA20783; Fri, 26 Mar 93 07:42:10 EST Received: from localhost by crazy.hq.verdix.com (4.1/SMI-4.1) id AA02401; Fri, 26 Mar 93 12:42:08 GMT Message-Id: <9303261242.AA02401@crazy.hq.verdix.com> To: reh@cs.UMD.EDU (Richard Huddleston) Cc: firewalls@GreatCircle.COM, fredu@sundc.East.Sun.COM Subject: Re: Sun firewall solutions In-Reply-To: Your message of Fri, 26 Mar 93 05:45:13 -0500. 
<9303261045.AA29817@bedrock.cs.UMD.EDU>
Date: Fri, 26 Mar 93 07:42:07 +0000
From: bsmart@verdix.com

> I would appreciate it if any information on firewalls for Sun networks
> would be provided to me, as well -- either by including me as a cc: in
> mail sent to Fred, or by posting to the list.

I sent a reply to Fred last night. I believe I have almost every message
posted to Firewalls archived. It runs about 660 messages, 2 MB of mail.
You are welcome to a copy. If you go to the DC Sun Users Group I could
give it to you there, you could come by, or if you have a place I could
FTP it to I could do that. It isn't sorted or processed in any real way.
Each posting is a separate file (I use MH) so you would have to peruse it
to find the tidbits.

--
Bob Smart            Net   - bsmart@verdix.com
Verdix Corp.         Fax   - (703) 318-9304
205 Van Buren        Phone - (703) 318-5808
Herndon, Va 22070

From Firewalls-Owner Fri Mar 26 17:39:27 1993
Message-Id: <9303261738.AA28359@mycroft.GreatCircle.COM>
To: Marcus J Ranum
Cc: firewalls@GreatCircle.COM, pcc@s1.gov
Subject: Re: NNTP thru Firewalls
In-Reply-To: Your message of Fri, 26 Mar 93 01:31:23 EST
Date: Fri, 26 Mar 93 09:38:45 -0800
From: Brent Chapman

Marcus J Ranum writes:
# Having NNTP on your firewall itself means a couple of things. First
# off, it means that if there is a bug in an NNTP server that you don't know
# of, someone might be able to gain access to your firewall. Then it's all
# over, depending on the NNTP implementation (some nntpds run as root, some
# start as root). It also means that it's one more hassle that might jam
# your firewall - you need to worry about news spool or logs or queues
# overflowing a disk, or filling up space. I find it less of an administrative
# hassle to use an NNTP tunnel and have the news itself show up on an
# "inside" machine. That way if, for example, someone comes up with a clever
# way to use a broken nntpd to add a line to your password file*, they
# still can't get to the machine to exploit the hole. I also like the
# model of making it a noteworthy event when someone logs onto the
# firewall. If all the firewall needs to queue is mail, it's going to
# be almost a totally maintenance-free machine. I like that, 'cuz I am
# lazy.

Another reason to run NNTP internally is that many sites have local
(and often proprietary) newsgroups. You really don't want those
newsgroups available on an externally accessible NNTP server.

-Brent

--
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041

From Firewalls-Owner Fri Mar 26 10:01:55 1993
Message-Id: <9303261741.AA28384@mycroft.GreatCircle.COM>
To: bsmart@verdix.com
Cc: reh@cs.UMD.EDU (Richard Huddleston), firewalls@GreatCircle.COM, fredu@sundc.East.Sun.COM
Subject: Re: Sun firewall solutions
In-Reply-To: Your message of Fri, 26 Mar 93 07:42:07 +0000
Date: Fri, 26 Mar 93 09:41:49 -0800
From: Brent Chapman

Bob Smart writes:
# > I would appreciate it if any information on firewalls for Sun networks
# > would be provided to me, as well -- either by including me as a cc: in
# > mail sent to Fred, or by posting to the list.
#
# I sent a reply to Fred last night. I believe I have almost every message posted
# to Firewalls archived. It runs about 660 messages, 2 MB of mail. You are
# welcome to a copy. If you go to the DC Sun Users Group I could give it to you
# there, you could come by, or if you have a place I could FTP it to I could do
# that. It isn't sorted or processed in any real way. Each posting is a separate
# file (I use MH) so you would have to peruse it to find the tidbits.

Just a reminder: EVERY message ever posted to Firewalls is available
for anonymous FTP from FTP.GreatCircle.COM, file
pub/archive/firewalls.Z. Right from the horse's mouth, so to speak.

-Brent

--
Brent Chapman                          Great Circle Associates
Brent@GreatCircle.COM                  1057 West Dana Street
+1 415 962 0841                        Mountain View, CA 94041

From Firewalls-Owner Fri Mar 26 19:24:22 1993
Message-Id: <9303261924.AA02638@crazy.hq.verdix.com>
To: Brent Chapman
Cc: firewalls@GreatCircle.COM
Subject: Re: Sun firewall solutions
In-Reply-To: Your message of Fri, 26 Mar 93 09:41:49 -0800. <9303261741.AA28384@mycroft.GreatCircle.COM>
Date: Fri, 26 Mar 93 14:24:22 +0000
From: bsmart@verdix.com

> Just a reminder: EVERY message ever posted to Firewalls is available
> for anonymous FTP from FTP.GreatCircle.COM, file
> pub/archive/firewalls.Z. Right from the horse's mouth, so to speak.

I screwed up. That response was just supposed to be to the sender (I forgot
to delete the cc line). He is local and I was just trying to help.
I figured they were archived somewhere else. Up till now I figured it was
better not to send another message saying to ignore the first :-), but
given the number of comments I've gotten I send this one to the list.

--
Bob Smart            Net   - bsmart@verdix.com
Verdix Corp.         Fax   - (703) 318-9304
205 Van Buren        Phone - (703) 318-5808
Herndon, Va 22070

From Firewalls-Owner Fri Mar 26 20:37:15 1993
From: Philip C. Cox
Message-Id: <9303262037.AA18848@kadima.s1.gov>
Subject: Re: NNTP thru Firewalls
To: brent@GreatCircle.COM (Brent Chapman)
Date: Fri, 26 Mar 1993 12:37:09 -0800 (PST)
Cc: mjr@tis.com, firewalls@GreatCircle.COM
In-Reply-To: <9303261738.AA28359@mycroft.GreatCircle.COM> from "Brent Chapman" at Mar 26, 93 09:38:45 am

Brent Chapman writes:
>
> Marcus J Ranum writes:
>
> # Having NNTP on your firewall itself means a couple of things. First
> # off, it means that if there is a bug in an NNTP server that you don't know
> # of, someone might be able to gain access to your firewall. Then it's all
> # over, depending on the NNTP implementation (some nntpds run as root, some
> # start as root). It also means that it's one more hassle that might jam
> # your firewall - you need to worry about news spool or logs or queues
> # overflowing a disk, or filling up space. I find it less of an administrative
> # hassle to use an NNTP tunnel and have the news itself show up on an
> # "inside" machine. That way if, for example, someone comes up with a clever
> # way to use a broken nntpd to add a line to your password file*, they
> # still can't get to the machine to exploit the hole. I also like the
> # model of making it a noteworthy event when someone logs onto the
> # firewall. If all the firewall needs to queue is mail, it's going to
> # be almost a totally maintenance-free machine. I like that, 'cuz I am
> # lazy.
>
> Another reason to run NNTP internally is that many sites have local
> (and often proprietary) newsgroups. You really don't want those
> newsgroups available on an externally accessible NNTP server.
>
>
> -Brent

So it seems that there are no known holes to be aware of at this time,
but the NNTP proxy is to ensure security if some are found. Am I correct
in this understanding?

What about the different flavors of News, i.e. Cnews & NNTP, or INN. Is
one more inherently safe/unsafe than the other?

Phil

From Firewalls-Owner Fri Mar 26 20:50:39 1993
Date: Fri, 26 Mar 93 15:52:00 EST
From: Marcus J Ranum
Message-Id: <9303262052.AA24589@TIS.COM>
To: brent@GreatCircle.COM, pcc@s1.gov
Subject: Re: NNTP thru Firewalls
Cc: firewalls@GreatCircle.COM

>So it seems that there are no known holes to be aware of at this time,
>but the NNTP proxy is to ensure security if some are found. Am I correct
>in this understanding?

	I wasn't trying to scare anyone. As far as I know, the NNTP
servers are extremely solid and secure code.
I also assume that by this time, Cnews, Bnews, and whatnot are also
secure enough. The reason I raised tunnelling NNTP as an issue was
because it's both easy to do and it probably adds some tiny additional
increment of security.

	To me, its benefits are more from a standpoint of systems
management. My eventual goal in firewall design was to have a firewall
on a bootable CDROM. Most of the more interesting security holes in UNIX
involve some kind of change to file permissions, and burning your
filesystem into plastic is a good response. ;) That's kind of the ideal,
in my opinion. That being said, I think it helps the security of your
firewall if there is an absolute minimum of automated file system
activity taking place. Backups, news expires, etc, and anything that
runs out of cron, are primary points of attack when breaking into a
machine. Tunnelling NNTP into a machine that's "safe" on your inside
network means managing news is likely to be easier.

>What about the different flavors of News, i.e.
>Cnews & NNTP, or INN. Is one more inherently safe/unsafe than the
>other?

	I'd say they're all about equal, if installed correctly.

mjr.

From Firewalls-Owner Fri Mar 26 20:54:56 1993
From: Philip C. Cox
Message-Id: <9303262054.AA18910@kadima.s1.gov>
Subject: Re: NNTP thru Firewalls
To: mjr@tis.com (Marcus J Ranum)
Date: Fri, 26 Mar 1993 12:54:46 -0800 (PST)
Cc: brent@GreatCircle.COM, firewalls@GreatCircle.COM
In-Reply-To: <9303262052.AA24589@TIS.COM> from "Marcus J Ranum" at Mar 26, 93 03:52:00 pm

Marcus J Ranum writes:
>
> >So it seems that there are no known holes to be aware of at this time,
> >but the NNTP proxy is to ensure security if some are found. Am I correct
> >in this understanding?
>
> 	I wasn't trying to scare anyone. As far as I know, the NNTP
> servers are extremely solid and secure code. I also assume that by
> this time, Cnews, Bnews, and whatnot are also secure enough. The
> reason I raised tunnelling NNTP as an issue was because it's both
> easy to do and it probably adds some tiny additional increment of
> security.
> 	To me, its benefits are more from a standpoint of systems
> management. My eventual goal in firewall design was to have a
> firewall on a bootable CDROM. Most of the more interesting
> security holes in UNIX involve some kind of change to file
> permissions, and burning your filesystem into plastic is a good
> response. ;) That's kind of the ideal, in my opinion. That
> being said, I think it helps the security of your firewall if
> there is an absolute minimum of automated file system activity
> taking place. Backups, news expires, etc, and anything that
> runs out of cron, are primary points of attack when breaking
> into a machine. Tunnelling NNTP into a machine that's "safe"
> on your inside network means managing news is likely to be
> easier.
>
> >What about the different flavors of News, i.e.
> >Cnews & NNTP, or INN. Is one more inherently safe/unsafe than the
> >other?
>
> 	I'd say they're all about equal, if installed correctly.
>
> mjr.
>

I appreciate your info. You have made some good points to ponder over.

Thanks,
Phil

From Firewalls-Owner Fri Mar 26 22:46:37 1993
Date: Fri, 26 Mar 1993 17:45:32 -0500 (EST)
From: safdas@moose.gs.com (Shabbir J Safdar)
Subject: Encrypting Routers (SUMMARY)
To: firewalls@GreatCircle.COM
Cc: safdas@gs.com
Message-Id: <9303262245.AA28929@moose.gs.com>

Well, the responses were few and far between, but here's what I have.

===================
UUNET Technologies
1 703 204 8000

You might also try rick@uunet.uu.net, but the phone number is faster, believe
it or not. I called them and the guy who answered volunteered to
email me information including prices on their products. My email link
croaked in the middle of the day, so their information didn't get here on
time. When it does, I'll try and type it in.

===================
Semaphore Communications
Santa Clara, CA
Attn. Cliff Reeser
1 408 980 7767

I received the flyers from Semaphore today via Fedex. (I suppose telling
them about my summary helped. :)

They have four units available:

- A workgroup encryption unit for 16 nodes (offers point to point
  encryption to defeat network sniffers, etc) $3,495
- A workgroup encryption unit for 32 nodes (price per node is lower) $4,995
- A network encryption hub for 80 nodes (price per node half of above) $6,395
- A network encryption hub for 160 nodes (price per node almost half of
  above) $7,295
- A network encryption box for site-to-site encryption $6,995

To go along with these, there is a PC which acts as a "Network Security
Center". You can either buy the software with the PC or without. The
NSC with PC is $12,900, and $10,500 without.

Please get their literature. There's a lot of it, and I'd hate to
misrepresent them through my interpretation of their flyers.

===================
AT&T is supposed to be making one, but I don't have a contact name.

===================
Smallworks has one currently under development.
Contact: Charisse Castignoli
charisse@smallworks.com
1 512 338 0619 (voice and fax)

===================

If you hear of any more, mention them on the list or forward them to
safdas@moose.gs.com.

-Shabbir

From Firewalls-Owner Fri Mar 26 23:03:59 1993
Date: Fri, 26 Mar 93 17:04:29 CST
From: jim@tadpole.com (Jim Thompson)
Message-Id: <9303262304.AA15434@tadpole.tadpole.com>
To: brent@GreatCircle.COM, pcc@s1.gov
Subject: Re: NNTP thru Firewalls
Cc: mjr@tis.com, firewalls@GreatCircle.COM

I have to believe that if someone can hack a hole in your nntp server,
they can also just hack a shell onto it, even if it's hidden behind a
firewall with a proxy nntp on it.
That is, if there is some hole that allows arbitrary shell commands to
be passed, wouldn't "exec /bin/sh" be a good one? :-)

INN is careful to only run shell commands found in PATH_CONTROLPROGS or
PATH_RNEWSPROGS; safety is designed in. I haven't looked at Cnews in the
past year, but I doubt Henry or Geoff would allow anything that
exploitable past their careful eyes.

You should be more worried about the code your vendor ships you. You
(probably) don't have the source for that, so you can't read it.

Brent's comment does apply. The sun.* groups have leaked more than once.
(And yes, it was my fault, though they didn't leak off the firewall, but
rather via UUCP to a local site (connected via another machine).)

Jim

From Firewalls-Owner Fri Mar 26 23:05:19 1993
From: asp@uunet.uu.net (Andrew Partan)
Message-Id: <9303262305.AA21664@rodan.UU.NET>
Subject: Re: Encrypting Routers (SUMMARY)
To: safdas@moose.gs.com (Shabbir J Safdar)
Date: Fri, 26 Mar 1993 18:05:30 -0500 (EST)
Cc: firewalls@GreatCircle.COM, safdas@gs.com
In-Reply-To: <9303262245.AA28929@moose.gs.com> from "Shabbir J Safdar" at Mar 26, 93 05:45:32 pm

> ===================
> UUNET Technologies
> 1 703 204 8000
>
> You might also try rick@uunet.uu.net, but the phone number is faster, believe
> it or not. I called them and the guy who answered volunteered to
> email me information including prices on their products. My email link
> croaked in the middle of the day, so their information didn't get here on
> time. When it does, I'll try and type it in.
>
> ===================

The Lan Guardian info is available for ftp as:
	ftp.uu.net:/uunet-info/lan-guardian

Send email to alternet-info@uunet.uu.net for more information.
	--asp@uunet.uu.net (Andrew Partan)

From Firewalls-Owner Sat Mar 27 15:36:41 1993
Message-Id: <199303271538.AA29325@shuldig.cs.huji.ac.il>
To: firewalls@GreatCircle.COM
Subject: Re: Encrypting Routers (SUMMARY)
In-Reply-To: Your message of Fri, 26 Mar 1993 17:45:32 -0500 (EST). <9303262245.AA28929@moose.gs.com>
From: Amos Shapira
Date: Sat, 27 Mar 1993 17:38:32 +0200

safdas@moose.gs.com (Shabbir J Safdar) writes:
|
|To go along with these, there is a PC which acts as a "Network Security
|Center". You can either buy the software with the PC or without. The
|NSC with PC is $12,900, and $10,500 without.
|

How difficult would it be to integrate such capabilities into existing
PD/shareware software?

And a more general question: are there any documents describing how such
things work?

Also, can hosts which use such a firewall to connect to a certain remote
site still use regular IP to connect to other sites (so, for instance, I
use secure NFS to connect to another campus but don't care about security
with other sites so I can talk FTP/telnet/whatever easily to "foreign"
sites on the Internet?) (does the previous question make sense at all? :)

Thanks for the summary.

--Amos Shapira (Jumper Extraordinaire)  | "It is true that power corrupts,
C.S. System Group, Hebrew University,   |  but absolute power is better!"
Jerusalem 91904, ISRAEL                 |
amoss@cs.huji.ac.il                     |       -- the Demon to his son

From Firewalls-Owner Sat Mar 27 16:08:44 1993
Message-Id: <9303271608.AA04800@mycroft.GreatCircle.COM>
From: smb@research.att.com
To: Amos Shapira
Cc: firewalls@GreatCircle.COM
Subject: Re: Encrypting Routers (SUMMARY)
Date: Sat, 27 Mar 93 11:06:52 EST

	 How difficult would it be to integrate such capabilities into
	 existing PD/shareware software?

It uses OS/2....

From Firewalls-Owner Tue Mar 30 00:37:59 1993
Date: Mon, 29 Mar 93 16:37:46 PST
From: Eliot Lear
To: Brent Chapman
Cc: Marcus J Ranum, firewalls@GreatCircle.COM, pcc@s1.gov
Subject: Re: NNTP thru Firewalls
In-Reply-To: Your message of Fri, 26 Mar 93 09:38:45 -0800

I think that having NNTP on your firewall is eminently preferable to
just allowing it through some sort of filter list, or otherwise
tunnelling it, especially if you are not already doing packet
filtering. The plain fact of the matter is that unless you get your
news from dialup services, you will have to deal with some level of
exposure from NNTP. Experience has shown NNTP *not* to be a security
hazard, but this doesn't mean that each NNTP implementation is 100%
bulletproof. Experience *has* shown that IP filtering mechanisms are
infinitely more likely to be misconfigured.

Eliot Lear
[lear@sgi.com]

From Firewalls-Owner Tue Mar 30 00:46:14 1993
Date: Mon, 29 Mar 93 19:47:11 EST
From: Marcus J Ranum
Message-Id: <9303300047.AA25981@TIS.COM>
To: brent@GreatCircle.COM, lear@yeager.corp.sgi.com
Subject: Re: NNTP thru Firewalls
Cc: firewalls@GreatCircle.COM, pcc@s1.gov

>I think that having NNTP on your firewall is eminently preferable to
>just allowing it through some sort of filter list, or otherwise
>tunnelling it, especially if you are not already doing packet
>filtering.

	I'm not a fan of filter lists, screening routers, and whatnot
to begin with. The approach I like is to tunnel NNTP through a
dual-homed host with IP forwarding disabled, and even to wrap log_tcp
or something like that around the NNTP tunnel, since you don't have to
worry about "normal" readership in such a case. I was *not* recommending
tunneling NNTP through a screening router - indeed, there'd be little
point to that.

mjr.
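An added illustration of the dual-homed tunnel Marcus describes, written for this archive and not code from the thread or from any of its participants: a relay that accepts NNTP connections on the outside interface, admits only the configured feed networks, logs every accept and refusal (the role log_tcp plays in his setup), and copies bytes to the inside news server without spooling anything on the firewall itself. The feed network, the inside server address and the fake inside nntpd that demo() spins up on loopback are constructed for the example.

```python
import ipaddress
import logging
import socket
import threading
from contextlib import suppress

# Constructed example (not the thread's code): an NNTP relay for a dual-homed host
# with IP forwarding disabled. Outside feeds connect here; the relay opens one
# connection to the inside news server and copies bytes both ways, spooling nothing.
log = logging.getLogger("nntp-relay")

def is_allowed_peer(peer_ip: str, allowlist) -> bool:
    """True only if peer_ip lies in one of the permitted feed networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)

def _pump(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes src -> dst until EOF, pass the EOF on, return bytes copied."""
    total = 0
    with suppress(OSError):              # reset by peer: treat as end of stream
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
            total += len(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)     # hand the EOF to the other side
    return total

def handle_client(client: socket.socket, peer_ip: str, inside, allowlist) -> str:
    """Relay one accepted connection; returns 'refused' or 'relayed'."""
    if not is_allowed_peer(peer_ip, allowlist):
        log.warning("refused %s: not a configured feed", peer_ip)
        client.close()
        return "refused"
    log.info("accepted feed %s -> %s:%d", peer_ip, inside[0], inside[1])
    upstream = socket.create_connection(inside, timeout=30)
    inbound = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    inbound.start()                      # outside -> inside
    n = _pump(upstream, client)          # inside -> outside, in this thread
    inbound.join()
    for s in (upstream, client):
        s.close()
    log.info("closed %s after %d bytes from inside", peer_ip, n)
    return "relayed"

def serve(listen, inside, allowlist) -> None:
    """Real entry point: accept forever on the outside interface, one thread per feed."""
    with socket.create_server(listen) as srv:
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_client, daemon=True,
                             args=(conn, addr[0], inside, allowlist)).start()

def demo() -> tuple:
    """Offline check: fake inside nntpd on loopback, one relayed client, one refusal."""
    feeds = ["192.0.2.0/24"]                          # constructed feed network
    inside_srv = socket.create_server(("127.0.0.1", 0))
    def fake_nntpd():                                 # answers the banner and QUIT only
        c, _ = inside_srv.accept()
        c.sendall(b"200 inside-news NNTP ready\r\n")
        if c.recv(64).startswith(b"QUIT"):
            c.sendall(b"205 bye\r\n")
        c.close()
    threading.Thread(target=fake_nntpd, daemon=True).start()
    outside, relay_side = socket.socketpair()         # stands in for an accepted socket
    worker = threading.Thread(target=handle_client,
                              args=(relay_side, "192.0.2.10", inside_srv.getsockname(), feeds))
    worker.start()
    banner = outside.recv(64)
    outside.sendall(b"QUIT\r\n")
    reply = outside.recv(64)
    outside.close()
    worker.join()
    inside_srv.close()
    refused = handle_client(socket.socket(), "203.0.113.5", ("127.0.0.1", 1), feeds)
    return banner, reply, refused
```

In a real deployment serve() would be started on the outside address with the inside news host as its target, with IP forwarding turned off on the relay so that nothing but this tunnel can cross it.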
From Firewalls-Owner Wed Mar 31 13:57:04 1993
Message-Id: <9303311356.AA13951@mycroft.GreatCircle.COM>
From: smb@research.att.com
To: firewalls@GreatCircle.COM
Subject: filtering routers
Date: Wed, 31 Mar 93 08:55:31 EST

I'm curious what types of filtering routers folks are using, and what
the filtering language and capabilities are (i.e., what fields can you
filter on, can it detect TCP ACK/RST bits, can routes be filtered,
etc.) Reply to me, and I'll summarize if there's interest.