Friday, August 20, 2004

Yet another info tool - lsof

To go along with the other network info tools that I mentioned earlier comes word of lsof, which is a standard Linux tool for doing an ls on all open files. I do lots of work on RedHat and my boss told me about this one. Just another in the set of things you can run that will tell you what your system is up to.

Port description for sysutils/lsof

Here is a nice online man page for lsof:

lsof(8): list open files - Linux man page


Update: Here's a cool little quickstart guide for lsof. If you have seen the man page, you will know it has almost as many options as ls itself! This article works through a bunch of questions and answers them using lsof: lsof quickstart
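As an added example (not from this post or from the lsof project) of putting lsof's network view to work on the "what is that port doing" question from the iftop entry below: it parses constructed `lsof -i -nP` output (-n and -P keep hosts and ports numeric), lists the sockets the box actually exposes, and finds which local process holds a given port. It assumes the usual lsof column layout COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.

```python
import re

# Constructed sample of `lsof -i -nP` output; PIDs, devices and addresses are made up.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      512 root    3u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
httpd     700 www     4u  IPv4 0x1a2d      0t0  TCP *:80 (LISTEN)
sendmail  610 root    4u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:25 (LISTEN)
firefox  1203 mark   33u  IPv4 0x1a2f      0t0  TCP 10.0.10.2:49512->203.0.113.5:443 (ESTABLISHED)
ntpd      420 root    5u  IPv4 0x1a30      0t0  UDP *:123
"""
# NAME column: local:port, optional ->remote:port, optional (STATE) for TCP
NAME_RE = re.compile(r"^(?P<local>\S+?):(?P<lport>\d+)(?:->(?P<remote>\S+?):(?P<rport>\d+))?"
                     r"(?: \((?P<state>[A-Z_]+)\))?$")

def parse_lsof(text):
    """One dict per socket row of lsof -i -nP output; rows that do not parse are skipped."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split(None, 8)              # NAME is last and may contain a space
        m = NAME_RE.match(cols[8]) if len(cols) == 9 else None
        if m:
            rows.append({"command": cols[0], "pid": int(cols[1]), "user": cols[2],
                         "proto": cols[7], "local": m["local"], "lport": int(m["lport"]),
                         "remote": m["remote"], "rport": int(m["rport"]) if m["rport"] else None,
                         "state": m["state"]})
    return rows

def exposed(rows):
    """Sockets reachable from the network: TCP listeners and bound UDP sockets, loopback excluded."""
    return sorted((r["proto"], r["lport"], r["command"]) for r in rows
                  if (r["state"] == "LISTEN" or (r["proto"] == "UDP" and not r["remote"]))
                  and not (r["local"].startswith("127.") or r["local"] == "[::1]"))

def owners_of_port(rows, port):
    """Local processes holding a socket that uses this port, as local or as peer port."""
    return sorted({(r["command"], r["pid"]) for r in rows if port in (r["lport"], r["rport"])})
```

On a live box, feed `subprocess.run(["lsof", "-i", "-nP"], capture_output=True, text=True).stdout` to parse_lsof; an empty result from owners_of_port for a port iftop shows means the traffic is not tied to a local socket at that moment, which is exactly the case worth looking at more closely.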

Tuesday, August 17, 2004

Source code control ports

I've been using Perforce as a source code control system now for quite some time. It is a really easy-to-learn, easy-to-use, and well-supported commercial client/server SCCS. The main drawback is that it is quite expensive. Usually not a problem for my employer, as it pays for itself in no time, but too much for my personal projects.

So I'm always on the lookout for a good SCCS, as these days I need one even for the smallest project. Once you get used to using a good SCCS (and no, I consider Microsoft's Visual Source Safe to be pretty bad), you're hooked and you wonder how you got along without it.

Anyway, here's a note on a good-looking open source contender for the CVS crown, Subversion.

Port description for devel/subversion

And here's another one I've seen mentioned, Gnu-Arch. It seems to be more along the lines of Perforce, in that it uses a more general client/server approach:

Port description for devel/arch

Friday, August 13, 2004

More "sniffing" tools

The TaoSecurity post also led me to a few other programs having to do with network hacking and sniffing.

iftop

So I'm reading the TaoSecurity blog, and he's got a cool little entry about hooking into a hotel's wireless network. In the entry, he talks about iftop, which is a simple application that does for network traffic what top does for CPU usage.

So I install the port and run it, and of course now I'm freaking out. Probably a case of too much information with too little knowledge, but there are all kinds of ports (446, 2460, 2490) with some (very little) traffic on them, and I just don't know what they are doing. Perhaps just pings to see if there is anything interesting on my machine, but still, worrisome.

My weekend project - install a firewall!

Port description for net-mgmt/iftop

Thursday, August 12, 2004

Comparing the BSDen

A long article on the four main branches of BSD: NetBSD, OpenBSD, Mac OS X and, of course, FreeBSD. It gives a quick history and talks a little about the pluses and minuses of each.


Differentiating Among BSD Distros

Friday, August 6, 2004

ipfilter sample config

'fbsd_user' posted the following ipfilter configuration guide to the freebsd-questions mailing list, so I thought I would save it here. It looks very complete and well commented.

Well, let's start with the kernel. Both ipfw and ipfilter are
delivered in the sysinstall process as boot-time loadable modules,
which means it is not necessary to put any kernel options statements
into the kernel and recompile to get it to function.

As part of the ipfilter setup, ipmon syslog logging is also configured.
The ipfilter rule set will allow LAN and gateway PCs to do both
active and passive FTP out to the public internet.

***********************************************

In rc.conf add these statements.
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

ipmon_enable="YES" # Start ip monitor log
ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog

ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

***********************************************

In syslog.conf

*.notice;authpriv.none;local0.none;mail.crit /var/log/messages
local0.* /var/log/security

Note 1: local0 is where the ipfilter flags option s
(i.e. log to syslog) writes to.

Note 2: added local0.none to messages so that ipfilter log records
will not also go to the messages file.

***********************************************

In newsyslog.conf

/var/log/security 600 10 100 * B

says to auto-rotate the log when the file reaches 100 k of disk space.

***********************************************

/etc/ipf.rules

#### Note1: ed0 is the interface name of the NIC card connected to the
public internet. Replace it with your interface name. ####

#### Note2: this rule set may allow functions out and in which you may
not have or want, just comment out those statements or delete them
from the file. ####

#### Note3. If you want to run an FTP server on your system that is
accessible from the public internet, you must add the following rules.
Only active mode remote FTP is allowed, as passive mode needs all the
high value port numbers open and this is a major security risk.

# Allow out active FTP data channel
pass out quick on ed0 proto tcp from any to any port = 20 flags S keep state

# Allow in active FTP control channel
pass in quick on ed0 proto tcp from any to any port = 21 flags S keep state
############# End of note3 #################


#################################################################
# For testing only, Bypasses the rest of the rules or just in or out
#pass in log quick on ed0 all
#pass out log quick on ed0 all
#log out quick on ed0 all
#################################################################


#################################################################
# No restrictions on Inside Lan Interface for private network
# Replace dc0 with the nic interface name of your Lan
#################################################################

pass out quick on dc0 all
pass in quick on dc0 all

#################################################################
# No restrictions on Loopback Interface
#################################################################

pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destined for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
#pass out quick on ed0 proto tcp from any to x.x.x.x port = 53 flags S keep state
#pass out quick on ed0 proto udp from any to x.x.x.x port = 53 keep state
pass out log quick on ed0 proto udp from any to any port = 53 keep state


# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out quick on ed0 proto udp from any to any port = 67 keep state
#pass out quick on ed0 proto udp from any to x.x.x.x port = 67 keep state

# Allow out non-secure standard www function
pass out quick on ed0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on ed0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on ed0 proto tcp from any to any port = 25 flags S keep state
pass out quick on ed0 proto tcp from any to any port = 110 flags S keep state

# Allow out Time
pass out quick on ed0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on ed0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure passive & active modes FTP
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on ed0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on ed0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on ed0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on ed0 proto tcp from any to any port = 5999 flags S keep state

# Allow out all icmp to public Internet
pass out quick on ed0 proto icmp from any to any keep state

# Allow out all ident to public Internet
#block out quick on ed0 proto tcp from any to any port = 113

# Allow out whois for LAN PC to public Internet
pass out quick on ed0 proto tcp from any to any port = 43 flags S keep state

# block ports that show on log and are ok to stop logging
# Deny tcp port 81 - hosts2 name server. winme is doing this.
block out quick on ed0 proto tcp from any to any port = 81

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on ed0 all


#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on ed0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on ed0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on ed0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on ed0 from 127.0.0.0/8 to any #loopback
block in quick on ed0 from 0.0.0.0/8 to any #loopback
block in quick on ed0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on ed0 from 192.0.2.0/24 to any #reserved for doc's
block in quick on ed0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on ed0 from 224.0.0.0/3 to any #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I don't want to see in the log
# Block frags
block in quick on ed0 all with frags

# Block short tcp packets
block in quick on ed0 proto tcp all with short

# block source routed packets
block in quick on ed0 all with opt lsrr
block in quick on ed0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on ed0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on ed0 all with ipopts

# Block public pings
block in quick on ed0 proto icmp all icmp-type 8

# Block ident
block in quick on ed0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on ed0 proto tcp/udp from any to any port = 137
block in log first quick on ed0 proto tcp/udp from any to any port = 138
block in log first quick on ed0 proto tcp/udp from any to any port = 139
block in log first quick on ed0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on ed0 proto udp from x.x.x.x to any port = 68 keep state

# Allow in standard www function because I have apache server
pass in quick on ed0 proto tcp from any to any port = 80 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public internet
# as clear text.
# Delete this sample group if you do not have telnet server enabled.
pass in quick on ed0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
#pass in quick on ed0 proto tcp from any to any port = 22 flags S keep state

# Allow in email SMTP from public Internet if commercial user
pass in quick on ed0 proto tcp from any to any port = 25 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a 'denial of service' attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on ed0 all

***********************************************

/etc/ipnat.rules

# Provide special NAT services for FTP from LAN users.
map ed0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp

# Provide special NAT services for FTP from gateway system.
map ed0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp

# Provide Normal NAT services for LAN users.
# NAT my private LAN IP address to whatever my ISP address is
map ed0 10.0.10.0/29 -> 0/32


Note: 10.0.10.0/29 is the private IP address range you assigned to
your LAN. ed0 is the NIC interface name facing the public internet.
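Added here as an editor's example, not part of fbsd_user's post: a small first-match evaluator for the rule syntax used in the ipf.rules above, so you can ask what the set does to a given packet before loading it. It covers the subset actually used (pass/block, in/out, log [first], quick, on, proto including tcp/udp, from/to or all, port =, flags, keep state, icmp-type) and assumes every rule carries 'quick', as all of the rules above do; the x.x.x.x placeholders must be filled in with real addresses first. Packets are dicts with keys dir, if, proto, src, dst, plus dport or icmp_type.

```python
import ipaddress
import re
# Constructed subset of the ipf.rules above; every rule is 'quick', so first match wins.
SAMPLE_RULES = """\
pass out quick on ed0 proto tcp from any to any port = 80 flags S keep state
block out log first quick on ed0 all
block in quick on ed0 from 192.168.0.0/16 to any   #RFC 1918 private IP
block in quick on ed0 proto icmp all icmp-type 8
pass in quick on ed0 proto tcp from any to any port = 80 flags S keep state
pass in quick on ed0 proto tcp from any to any port = 23 flags S keep state
block in log first quick on ed0 all
"""
RULE_RE = re.compile(
    r"^(?P<act>pass|block)\s+(?P<dir>in|out)(?:\s+log(?:\s+first)?)?\s+quick\s+on\s+"
    r"(?P<if>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))(?:\s+port\s*=\s*(?P<port>\d+))?"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?(?:\s+icmp-type\s+(?P<itype>\d+))?\s*$")
def parse_rules(text):
    """Parse the rule subset above, skipping comments; anything else raises ValueError."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule syntax: " + line)
            rules.append(m.groupdict())
    return rules

def _addr_ok(spec, ip):
    # 'any' (or no address at all via 'all') matches everything; else host/CIDR match
    return spec in (None, "any") or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    if rule["dir"] != pkt["dir"] or rule["if"] != pkt["if"]:
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"].split("/"):  # e.g. 'tcp/udp'
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if rule["port"] and int(rule["port"]) != pkt.get("dport"):
        return False
    return not rule["itype"] or int(rule["itype"]) == pkt.get("icmp_type")

def decide(rules, pkt):
    """First-match (action, index); with no match at all ipfilter passes the packet."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["act"], i
    return "pass", None
```

The ("pass", None) result is the reason each direction above ends in a 'block ... all' rule: drop that line and anything the earlier rules did not name sails through. Rules with 'with frags', 'with short' or 'with opt' are outside this subset and are rejected rather than silently ignored.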

Thursday, August 5, 2004

How to turn off sendmail

It's not as easy as it used to be to turn off sendmail. Not too long ago, you merely had to add:

sendmail_enable="no"


to your /etc/rc.conf and the sendmail daemon wouldn't start.

But sendmail added an option early in 2003:

Sendmail FAQ, Section 3

And this makes it a little more difficult. In addition, they made it easier to add a different MTA (Mail Transport Agent), like Postfix, say. So now you have to follow the instructions in /usr/src/UPDATING:

"20020404:
New sendmail startup scripts have been installed to make it
easier to use alternative MTAs with FreeBSD. Setting the rc.conf
variable sendmail_enable to "NO" no longer prevents any sendmail
daemons from starting. Instead, either set sendmail_enable to
"NONE" or change mta_start_script to a script for starting
an alternative MTA. Setting mta_start_script to "" will
also prevent any MTA from being started at boot."
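An added example (not from the post or from FreeBSD's rc scripts) that applies the rules quoted from UPDATING to an rc.conf file, so you can see that the old `sendmail_enable="no"` line no longer keeps sendmail down while `"NONE"` or an empty `mta_start_script` does. The rc.conf fragments are constructed, the Postfix script path is a made-up placeholder, and treating NONE case-insensitively is this example's assumption.

```python
import shlex

# Constructed rc.conf fragments; the Postfix path below is an assumed placeholder.
OLD_STYLE = 'sendmail_enable="no"\n'
NEW_STYLE = '# mail\nsendmail_enable="NONE"\n'
ALT_MTA = 'sendmail_enable="NO"\nmta_start_script="/usr/local/etc/rc.d/postfix.sh"\n'

def parse_rc_conf(text):
    """Effective rc.conf variables: shell-style quoting and comments, later lines win."""
    vals = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # strips quotes and '#' comments
        if tokens and "=" in tokens[0]:
            name, value = tokens[0].split("=", 1)
            vals[name] = value                     # a later assignment overrides an earlier one
    return vals

def mta_at_boot(vals):
    """What the startup scripts described in UPDATING 20020404 will launch."""
    script = vals.get("mta_start_script")
    if script == "":
        return "none (mta_start_script is empty)"
    if script is not None:
        return "alternative MTA via " + script
    enable = vals.get("sendmail_enable", "unset")
    if enable.upper() == "NONE":                  # case-insensitive compare is an assumption here
        return "none (sendmail_enable=NONE)"
    # Any other value, the old "no" included, no longer prevents sendmail daemons from starting.
    return "sendmail daemons (sendmail_enable=%s)" % enable

def check(text):
    return mta_at_boot(parse_rc_conf(text))
```

Run check() over the contents of /etc/rc.conf after an upgrade to catch a leftover sendmail_enable="no" that you thought was still doing the job.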