pf uses hooks that are really OpenBSD-specific. Plus, the BSD and Linux TCP/IP stacks are really different.
So porting pf to Linux wouldn't be trivial work.
Actually, Netfilter is really a good packet filter, too. It's very, very, very flexible (especially if you start playing with patch-o-matic patches). Maybe what could be done is :
- A config-file parser, with a syntax similar to pf, but that outputs iptables rules. AGT is a good starting point.
- Adding features to Netfilter, so that things similar to pf's scrub and modulate state are implemented.
* For NAT :
OpenBSD 3.0 has a transparent FTP proxy called "ftp-proxy". You have to run it through inetd (or any super-server; I use it with tcpserver). It listens on a local port, and you just have to redirect outgoing traffic for port 21 to the local ftp-proxy port. It allows active and passive connections to NATed internal hosts.
If it can help, my /etc/nat.conf file is :
rdr on vr1 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
nat on vr0 from 10.1.1.0/24 to any -> 195.132.209.36
I start ftp-proxy like this :
/usr/local/bin/tcpserver -H -R -q 127.0.0.1 8081 /usr/libexec/ftp-proxy &
*WARNING*
ftp-proxy has a nice security feature to only accept anonymous sessions (-A). But don't trust it : clients can bypass the restriction with some buggy servers (the flaw works with proftpd and ncftpd; it doesn't work with pureftpd).
* For firewalling (without NAT) :
You have to explicitly open some ports for active connections. For the minimum number of ports : choose at least twice the maximum number of simultaneous sessions you need. Open them on the firewall. Then force your FTP server to only use these ports. On Pure-FTPd, it's with '-p:', example :
pure-ftpd -4 -p 50000:51000 &
(don't forget '-4' for OpenBSD).
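The reason a firewall or proxy has to know the FTP data port range at all is that the data endpoint travels inside the control channel, as the h1,h2,h3,h4,p1,p2 tuple of a "227 Entering Passive Mode" reply or a PORT command. The check below, an added example and not ftp-proxy's own code, parses that tuple and decides whether a pinhole may be opened: the port must fall in the range the server was told to use (the 50000-51000 from the pure-ftpd line above), and the advertised host must be the same address as the peer on the control connection, so a server or client cannot steer the data connection to a third host. The sample lines and the two port ranges are constructed for the example.

```python
import re
from ipaddress import IPv4Address

# Constructed policy values: the passive range handed to pure-ftpd -p above,
# and the unprivileged range a NATed client may name in a PORT command.
SERVER_DATA_PORTS = (50000, 51000)
CLIENT_DATA_PORTS = (1024, 65535)

# h1,h2,h3,h4,p1,p2 as used by both "227 Entering Passive Mode (...)" and "PORT ..."
_ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (host, port) from a PASV reply or PORT command, or None.

    The port is p1*256 + p2.  Octets above 255 mean the line is malformed
    and are rejected rather than wrapped.
    """
    m = _ENDPOINT_RE.search(line)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def check_endpoint(line, control_peer, port_range):
    """Decide whether a firewall/proxy should open a pinhole for this endpoint.

    control_peer is the address on the other end of the control connection
    (the server for a PASV reply, the client for a PORT command).  Returns
    (allowed, reason).
    """
    ep = parse_endpoint(line)
    if ep is None:
        return False, "no h1,h2,h3,h4,p1,p2 endpoint in line"
    host, port = ep
    # Refuse to be steered toward a third host (FTP bounce / PASV redirection).
    if IPv4Address(host) != IPv4Address(control_peer):
        return False, f"advertised host {host} differs from control peer {control_peer}"
    lo, hi = port_range
    if not lo <= port <= hi:
        return False, f"port {port} outside allowed range {lo}-{hi}"
    return True, f"open {host}:{port}"


def check_pasv_reply(line, server_ip):
    """Server-side reply: data port must be in the range pure-ftpd -p was given."""
    return check_endpoint(line, server_ip, SERVER_DATA_PORTS)


def check_port_command(line, client_ip):
    """Client-side PORT: any unprivileged port, but only back to that client."""
    return check_endpoint(line, client_ip, CLIENT_DATA_PORTS)


if __name__ == "__main__":
    # Constructed sample traffic (not a real capture).
    samples = [
        ("227 Entering Passive Mode (195,132,209,36,195,80)", "195.132.209.36", check_pasv_reply),
        ("227 Entering Passive Mode (195,132,209,36,199,57)", "195.132.209.36", check_pasv_reply),
        ("227 Entering Passive Mode (10,0,0,9,195,80)", "195.132.209.36", check_pasv_reply),
        ("PORT 10,1,1,5,4,1", "10.1.1.5", check_port_command),
        ("PORT 10,1,1,5,0,25", "10.1.1.5", check_port_command),
    ]
    for line, peer, fn in samples:
        print(f"{line!r:55} -> {fn(line, peer)}")
```

The second sample decodes to port 51001, one past the range, and is refused; the third names a different host than the server that sent it, which is the case a naive "open whatever the server says" rule would get wrong.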
Interesting stuff in pf over ipf : the configuration file accepts a very similar syntax, but with very handy shortcuts, especially expansion. For instance you can write { pop,smtp,imap } in a rule to specify a list of ports, instead of creating multiple rules. It also accepts macro substitutions. You can easily write very clean configuration files.
Interesting stuff in pf over ipfw/ipfilter/iptables :
scrub : just give an interface name, and pf will "normalize" everything coming to this interface. Packets will get cleaned up and reconstructed : your local network will only see clean packets, nothing that could be dangerous for badly written IP stacks.
tcp state modulation : this feature dynamically remaps TCP sequence numbers, to give the excellent entropy of the OpenBSD stack to all your traffic. It means that servers running Windows, badly configured Solaris or older FreeBSD versions can be protected from session hijacking, even though their stack has weak sequence randomization.
pf seems to be very stable so far. Just don't forget to apply the related errata if you're planning to use IPv6.
Another great feature of OpenBSD 3.0 regarding network filtering/routing is the integration of AltQ, that brings quality of service to your IP traffic. It basically has the same (but very flexible and efficient) algorithms and class system that Linux has. But it's very nice to see it in OpenBSD.
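To make the list expansion, macros, scrub and modulate state from the post concrete, here is a small pf.conf. It is an added example, not the poster's configuration: the interface names and the server address are assumptions, nat/rdr are left in /etc/nat.conf as in 3.0, and the `port lo:hi` range form is the pf.conf grammar of later releases.

```pf
# Macros: change an interface or address in one place.
ext_if   = "vr0"
int_if   = "vr1"
mail_srv = "195.132.209.36"

# Normalize everything arriving on the outside interface before
# the hosts behind the firewall see it.
scrub in on $ext_if all

# Default deny inbound on the outside interface.
block in on $ext_if all

# One rule instead of three: the list expands to pop3, smtp and imap.
# modulate state rewrites the server's initial sequence numbers so a
# weak stack behind the firewall still gets unpredictable ISNs.
pass in on $ext_if proto tcp from any to $mail_srv port { pop3, smtp, imap } flags S/SA modulate state

# Data connections the FTP server accepts in the range pure-ftpd -p was given.
pass in on $ext_if proto tcp from any to $mail_srv port 50000:51000 flags S/SA keep state

# Outbound traffic from the inside, stateful so replies come back through.
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the file with pfctl before loading it (pfctl -nf /etc/pf.conf parses without applying); an expansion mistake inside the braces shows up there as an unknown port name rather than as an unexpected hole in the ruleset.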
Can kernel security patches do something against t… (on Wu-ftpd Remote Root Hole)
To protect against unknown exploits, there are kernel patches like LIDS. With LIDS, you can force any program to only access some files. For instance, you can force Bind to only read its configuration files, and nothing else. So even if an exploit is found, your system will be safe.
It works amazingly well, and for almost everything on your system.
But does it apply to SSH and FTP? Probably not. When you give FTP access to customers so that they can upload web pages, the FTP server needs read/write access to everything in /home. So it means that if an exploit is found, even with a properly configured LIDS barrier, the attacker can change the content of any customer file. And that's really dangerous. And LIDS can hardly avoid this.
Autoconf is just one piece of the Cygnus development tools. Two other tools complement it nicely :
Libtool
Automake
With Libtool, you can be sure that shared libraries can be created, even on architectures/OSes you don't have access to. That's a very important point.
Automake eases the building process of clean packages for end users a lot, with all the standard targets for 'make'. It also builds Makefiles that can automatically generate .tar.gz files with only the needed files in them, and build dependencies before compilation.
Also, Autoconf, Automake and Libtool are aware of operating-system bugs that you probably don't know about if you never worked on them. So they are your best friends to produce portable and reliable software.
Don't blame developers. They are doing their best. But human beings can't always be 100% right, and bug-free software doesn't exist. Sometimes you are pretty sure that your code is bug-free. 100 people have read it and found it ok. But just after releasing a new official version, a very vicious bug that nobody saw before is found.
So what?
Bugs aren't that bad. Found (and immediately fixed) bugs mean two things :
- The project is active. No new bug means no new code.
- The project is getting better.
Usually, software with no known bugs is dead software. Every piece of software has bugs. So if no bug is reported, it means that nobody uses the software, or that the developers don't care.
Actually, I trust projects that have bugs, but whose bugs are immediately fixed. I don't trust projects with bugs that wait 6 months to release a new version that fixes 5000 bugs at once.
You are saying that FreeBSD provides "real" bug-free releases. That's false.
For instance, all kernels
And when it comes to user tools, for instance, KDE doesn't compile from the ports tree on FreeBSD 4.4-release.
And when it comes to FS reliability : I have a FreeBSD 4.3-release box that crashed at the first run (the X server crashed), and I had to reboot it by pressing the 'reset' button. It created disk errors that fsck was never able to fix. Doing 'ls' in a directory causes an immediate reboot. I tried every possible fsck option, fsck itself went boo-boo and wasn't able to fix anything, and the directory can't even be deleted. I have to format the disk and reinstall everything.
Every operating system, every software has bugs. The quality isn't relative to the number of bugs (it's almost a fixed percentage of the project's size) . It's relative to how fast they are fixed.
Actually, is writing korn or bourne shells the way to go?
It's the year 2001. ZSH, Bash and Tcsh have been there for years, and they work on all platforms out there, including Windows. They provide a lot of enhancements over Ksh and sh (kick-ass completion, readline, floating point arithmetic, a lot of handy shortcuts and builtins, etc).
So, the way to go is probably to use today's tools, not 20-year-old ones.
Is there a similar kernel configuration GUI for OpenBSD/FreeBSD/NetBSD?
Editing BSD kernel configuration files has always been lousy and very archaic compared to Linux menuconfig and xconfig. I still can't understand why nothing was developed for BSD.
When you go to a club, you don't want to just listen to music. You want to see the DJ. You want to hear HIS playlist. You want to discover his personal scratch combos. We all need some human presence, especially when it comes to partying.
Would you enjoy watching a soccer match with only robots executing programmed tasks? "I bet on this team, they probably used 23248234 as a salt for their number generator, it's better than 232488, that has a bug at line 8723". Would it be great?
You go to a party to be surprised, to discover something. The DJ changes the music according to the dancers' feeling, that's right. But the dancers' feeling also depends on the DJ's work.
Why is Carl Cox a great DJ? Because he does basic beat-matching? No. Carl Cox is fantastic because he plays with the dancers. He smiles, he jokes, he has a wonderful human communication, even without speaking. Why is Qbert a great DJ? Because when you see him, it's just as if he had 10 hands, or as if your eyes were too slow to follow the movements. Can you feel this with a stupid computer playing MP3s?
I work as a house and hip-hop DJ in Paris, France. People have fun listening to my music because I'm playing with kiddy songs, sometimes to "comment" on what's happening on the dancefloor with funny sentences. I'm sometimes scratching Dragonball Z over kicking funk house, just for fun. People don't expect that (so the HP computer won't do that), but they like it a lot. Once again, a stupid computer won't do this.
Computers are handy for a lot of stuff. But please, don't bring us a robot society. Keep some human feeling, or you will kill the fun.
ICANN is changing the domain namespace by adding new TLDs like .info, and accepting new conventions like non-ASCII characters.
The problem is that a lot of software, libraries, and hand-made filters validate domain names based on simple rules like "only 0-9, a-z, dots, and it should end with two characters or com/net/org/edu".
For instance, I guess that many web forms are currently refusing mail addresses like "john@johncompany.info".
These new, non backward-compatible domain names will probably belong to the "dark and murky net" too.
100 GB hard disks are cheap nowadays, and almost all OSes support > 2 GB files. So securing the DNS from the roots up is simple : have a local /etc/hosts file with all existing hosts.
Then, subscribe to a mailing list that sends daily changes, so that you can keep your /etc/hosts file up to date.
Ehm... yeah. You first have to secure mail to do this.
One of the most annoying things in Apache 1.x is that when PHP is compiled into the server (not run through CGI), all scripts run as "www", "nobody", or whatever anonymous user your Apache daemon is running as.
There's no way to have PHP scripts run as different users (just like what suexec does for spawning external CGI programs).
Sure, PHP has a so-called "safe mode", but it's still not that secure, especially when it comes to creating files or accessing shared memory pages.
I was told that Apache 2.0 had a mechanism that could make user switching for PHP scripts possible. Has anyone experimented with it?
Another important point : XFS doesn't work with the -ac kernel tree.
However, production servers are usually not updated every day (especially the kernel), so XFS with a working kernel is ok.
But for workstations, ReiserFS may be a better choice, as it's in the kernel.
XFS, ReiserFS, JFS or EXT3. Get a journaled FS. The reason is that as long as your system is up and running, having a fs like ext2 is no problem. But if you ever have crashes, long fscks (that sometimes fail) mean downtime. And for production servers, this is definitely something to avoid.
XFS and ReiserFS are the most mature fs IMHO (on Linux). I run EXT3 on systems that were previously running EXT2, because it's easy to upgrade. But I had some troubles with EXT3 not so long ago (corrupted files during a compilation, not even after a crash).
ReiserFS is the best if you have a lot of small files. Both for performance and space. XFS is believed to be better for large files.
Also, if you need performance, the FS is one thing, but software is another thing. Apache is probably the slowest web server out there (although very powerful, although less so than Roxen and Caudium :)).
Running Zeus, Tux or (for static content) WebFS will give you a huge performance increase, even on a slow filesystem.
There's a similar project that I'm using everywhere regardless of operating systems : GAG.
You can download it from here.
Gag has no bells and whistles like XOSL, but it does the same thing. You create a little bootable floppy with it, and it's then easy to configure and install anywhere.
Gag supports multiple languages, it can swap disk ordering, it can protect bootup with a password, and I never had a single trouble with it.
The workaround is easy : change your user-agent to MSIE. Opera, Links, and most HTTP proxies can do this.
The drawback is that the percentage of clients using IE will increase, even though they are really using Mozilla or other non-IE software.
So statistics will always show a lot of IE, even once AOL has released AOL 6 with Gecko.
Altavista was the first powerful internet crawler and indexing engine. There were some others (Yahoo...) but most submissions were manual, and AV had far more entries when it was launched.
I can remember, some time ago, when port 80 of all my subnet was scanned by a machine from digital.com... Like many other sysadmins, I wrote to root@digital.com to complain... 2 months later, AV was born.
Sure, today, AV can't compete with Google. I'm not especially talking about the search engine itself. But AV web pages are bloated by tons of ads, and it's really lousy to use nowadays.
But maybe the internet would never have had a lot of powerful engines without AV. It was the seed (and it saved Digital, too... without this fantastic demo, Digital was about to go bankrupt).
This is just like Netscape. Nowadays, everyone says that Netscape sucks, and that their browser is a crappy collection of bugs. True. But with its so criticized "proprietary" HTML extensions, Netscape made web pages way better than before. Remember how ugly Chimera and Mosaic were? Remember how Netscape 3 kicked ass? And who introduced Javascript and Java first?
So, even if some companies/services have been obsoleted by their competitors, we should thank them for the technology they brought to everyone, and we should give them eternal respect.
Does this new kernel include the latest snapshot of ext3?
Ext3 is distributed both in the kernel and as a separate package, and I'm a bit lost : what ext3 code should we use for more reliability? Should the previous kernel be patched with the latest ext3? Does the new kernel include it? Does the latest ext3 cleanly apply to Linux 2.4.13?
I'm lost...
I disagree. Minidiscs took off. It took a long time, but nowadays many people own a minidisc.
Pre-recorded MDs never took off. Ok. Probably because they were as expensive as CDs, and because record dealers didn't want to have every record on a new medium.
But blank MDs are nice. Excellent quality, all the features of a CD (direct access to tracks), plus song and disc titles. Plus they are small. The only bad thing about MD is that recorders are still a bit expensive.
But I only use MDs to record music I want to hear while traveling. I don't want CDs or MP3/OGG gadgets that need a computer to be recorded.
It's time to code firewalls and applicative filtering proxies for mobile phones...
Actually, when I want to have a drink, have dinner or have a party, I don't want to do it with friends from IT work.
Some of them are really kewl dudez. But IT people can often talk about computers, and nothing else. That's not a good thing for refreshing one's mind.
How silent is this? It's cool for overclocking, but if it's silent, it could also be very cool for music makers.
Essays are great, but are they enough to change something in the real life?
Funny. In fact I've used AC kernels for ages, and I didn't even notice that ext3 wasn't in Linus' tree yet :)
Please avoid slashdotting the main server. Here is a list of direct links to mirrors. Version 2.4.13, full tarball :