I'm using the SuSE Firewall 2.0 script to set my firewall. However, I still need to manually add the following IPchains to be able to reach the VPN from my clients behind the firewall.
ipchains -I input -j ACCEPT -p 17 -s [vpn server ip address] -d [my external IP] -i eth1
ipchains -I forward -j MASQ -p 47 -s 192.168.0.1/32 -d [vpn server IP] -i eth1
ipchains -I output -j ACCEPT -p 47 -s [my external IP] -d [vpn server IP] -i eth1
ipchains -I input -j ACCEPT -p 47 -s [vpn server IP] -d [my external IP] -i eth1
Is there a way to configure the firewall.rc.config file to take care of this from within the script?
Thanks for your help.
DREW.
On Mon, 14 Feb 2000, Thomas Biege wrote:
> The reason is simple:
> The bug wasn't known to the public and only the vendors got
> notified by me right after I found it. To give other linux
> distributors the time to fix their stuff I wait some days
> before releasing our announcement.
>
> Hope that explains everything.
The respect of your competition is more important than the security of
your users?
- --
..Yashy
".. I used to get in more fights with SCO than I did my girlfriend, but
now, thanks to Linux, she has more than happily accepted her place back at
number one antagonist in my life.. "
(Jason Stiefel, krypto(a)s30.nmex.com)
Cracker Gets 18 Month Sentence for Five Year Old Computer Break-Ins.
A man who broke into several large computer systems more than five years
ago will serve 18 months in prison and pay $10,000 in restitution. He
had been employed as a computer consultant.
http://www.foxnews.com/vtech/030500/hack.sml
--
----/ / _ Fred A. Miller
---/ / (_)__ __ ____ __ Systems Administrator
--/ /__/ / _ \/ // /\ \/ / Cornell Univ. Press Services
-/____/_/_//_/\_,_/ /_/\_\ fm(a)cupserv.org
S.A.F.E.R. Security Bulletin 000309.EXP.1.4
__________________________________________________________
TITLE : Vulnerabilities in StarScheduler
DATE : March 09, 2000
NATURE : Denial-of-Service, Remote Code Execution, Access to
privileged files
PLATFORMS : StarScheduler/StarOffice 5.1
DETAILS:
StarOffice comes with a nice groupware server, called StarScheduler. It
also includes a web server that is vulnerable to several security
problems.
PROBLEM:
A buffer overflow exists in the StarScheduler web server (which listens
on port 801), that can lead to remote execution of code and root access.
Since the server dies, this is also a Denial-of-Service issue. The
problem is in the way the web server handles long requests.
Sending a "GET /['A' x 933] HTTP/1.0" will crash the server. This web
server is running as root.
Another silly problem exists in the server that allows any user to gain
read access to files to which they normally don't have access.
Example:
http://starscheduler_server:801/../../../../etc/shadow
This will display the content of the /etc/shadow file.
FIXES:
No fixes are available yet. Sun has been contacted on 6th of February,
but we have received no response from them.
JOB OFFERS:
The Relay Group is seeking security enthusiasts with a vast experience
in intrusion testing, firewall/IDS configuration and other
security-related fields. For more information, please visit:
http://relaygroup.com/secjobs.html
___________________________________________________________
S.A.F.E.R. - Security Alert For Entreprise Resources
Copyright (c) 2000 The Relay Group
http://www.safermag.com ---- security(a)relaygroup.com
--
----/ / _ Fred A. Miller
---/ / (_)__ __ ____ __ Systems Administrator
--/ /__/ / _ \/ // /\ \/ / Cornell Univ. Press Services
-/____/_/_//_/\_,_/ /_/\_\ fm(a)cupserv.org
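The two flaws in the bulletin above (an unbounded request line, and "../" climbing out of the document root) map to two checks a server makes before touching the filesystem. The sketch below is an added example, not code from the bulletin or from StarScheduler; MAX_REQ_LINE, check_request and the sample request are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQ_LINE 512 /* assumed limit; the advisory's crashing path was 933 bytes */
enum req_status { REQ_OK, REQ_TOO_LONG, REQ_MALFORMED, REQ_TRAVERSAL };

/* Validate "GET <path> HTTP/1.x" and write the normalized path to out.
 * Assumes the path was percent-decoded before this check. */
enum req_status check_request(const char *line, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p, *end;
    if (outsz < 2 || strlen(line) >= MAX_REQ_LINE)
        return REQ_TOO_LONG;          /* bound the input before parsing it */
    if (strncmp(line, "GET /", 5) != 0)
        return REQ_MALFORMED;
    p = line + 4;
    end = strchr(p, ' ');
    if (end == NULL || strncmp(end, " HTTP/1.", 8) != 0)
        return REQ_MALFORMED;
    while (p < end) {                 /* walk the path one segment at a time */
        size_t n = 0;
        if (*p == '/') { p++; continue; }
        while (p + n < end && p[n] != '/')
            n++;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (o == 0)
                return REQ_TRAVERSAL; /* ".." would climb above the document root */
            while (out[--o] != '/') continue; /* drop the last emitted segment */
        } else if (!(n == 1 && p[0] == '.')) {
            if (o + n + 2 > outsz)
                return REQ_TOO_LONG;  /* normalized path must fit the caller's buffer */
            out[o++] = '/';
            memcpy(out + o, p, n);
            o += n;
        }
        p += n;
    }
    if (o == 0) out[o++] = '/';
    out[o] = '\0';
    return REQ_OK;
}

int main(void)
{
    char out[64];                     /* constructed sample request below */
    printf("%d\n", check_request("GET /../../../../etc/shadow HTTP/1.0", out, sizeof out));
    return 0;
}
```

Running the server as an unprivileged user rather than root limits what either flaw can reach even if a check like this is missed.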
Sorry.... in suse 6.3 the MD5_CRYPT_ENAB doesn't appear in /etc/login.defs and if you enable it, suse doesn't seem to change passwords to MD5... I think this feature has been removed. (in suse 6.1 I obtained md5 passwd successfully)
I think it was removed for security, MD5 is an algorithm that has collisions, however DES does not undergo problems of collisions, although it is "in theory easy to crack" by brute force.
----- Original Message -----
From: "Normando Marcolongo" <normando(a)studenti.ing.uniroma1.it>
To: <suse-security(a)suse.com>
Sent: Tuesday, March 07, 2000 12:38
Subject: [suse-security] MD5 Passwords.
>
> How can I enable MD5 passwords on SuSE 6.3?
>
> Thanks in advance!
>
> Normando.
>
> --
> Normando [enemy] Marcolongo (iW6OWQ) [] normando(a)studenti.ing.uniroma1.it
> LUG Roma - IEEE S.B. Roma - ALU [] (AX.25) IW6OWQ(a)IW7BNO.IPUG.ITA.EU
In /etc/login.defs ... set MD5_CRYPT_ENAB to yes (if the line is #commented, uncomment it)
----- Original Message -----
From: "Normando Marcolongo" <normando(a)studenti.ing.uniroma1.it>
To: <suse-security(a)suse.com>
Sent: Tuesday, March 07, 2000 12:38
Subject: [suse-security] MD5 Passwords.
>
> How can I enable MD5 passwords on SuSE 6.3?
>
> Thanks in advance!
>
> Normando.
>
> --
> Normando [enemy] Marcolongo (iW6OWQ) [] normando(a)studenti.ing.uniroma1.it
> LUG Roma - IEEE S.B. Roma - ALU [] (AX.25) IW6OWQ(a)IW7BNO.IPUG.ITA.EU
Samba usually uses ports 137-139 tcp and udp, should be easy to implement
a rule that fixes your problem.
---
At 21:24 07.03.00 +0100, you wrote:
>Hello,
>
>With Firewall 1.4 and 2.0 I have a problem:
>
>The SuSE Firewall is blocking all SAMBA packets from my internal network
>:-((
>My system has 5 network cards. All packets from my local networks, e.g.
>192.168.1.0:138 -> 192.168.2.0:138, will be blocked :-((
>
>When will a bugfix come?
>
>greetings
>daniel
Erwin Zierler | Web-/Hostmaster - Stubainet
| Email: Erwin.Zierler(a)stubainet.at / webmaster(a)stubainet.at
| Mobil: 0664 - 130 67 91 Tel.: 05225 - 64325 Fax 99
Jurjen Oskam wrote:
>
> Since then (presumably because it doesn't run under root privileges
> anymore?) named complains:
>
> Mar 6 00:25:02 calvin named[5129]: couldn't create pid file '/var/run/named.pid'
>
> I already tried to make named.pid owned by user named.
since named.pid is re-created every time named is restarted, named must
have write privileges in /var/run
the default of this dir in suse 6.3 is
drwxrwxr-x 3 root uucp 1024 Mar 6 12:18 run
so named must run in group uucp ...
hth
Markus
--
________________________________________
Markus Gaugusch markus(a)gaugusch.dhs.org
ICQ-ID: 11374583 [www.mirabilis.com]
Hi!
I would like to connect to my FTP server, which is running on my Linux
server.
The FTP server can only be reached via an SSH tunnel because the firewall
doesn't permit the packets through. The FTP server is only for emergency
file access.
I can connect to the FTP server if I do a port forward of port 21, but
the FTP server can't send me the file list because I need a second
port. How can I configure these ports? I use wu.ftpd and, for example,
CuteFTP or FTP Voyager on a Windows machine.
The FTP server error message:
500 Illegal PORT Command
500 Can't build data connection: no PORT specified
Please help me..
How can I define static ports for ftp?
thanks,
chris