From owner-doc-jp@jp.freebsd.org  Wed Nov 22 10:00:03 2000
From: mho@pobox.com
Date: Wed, 22 Nov 2000 10:01:21 +0900
Message-ID: <wk1yw4g6qm.wl@FREYA.hmp.sony.co.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: In your message of "Mon, 20 Nov 2000 05:41:54 +0900"
	<200011192042.FAA03001@eos.ocn.ne.jp>
References: <200011192042.FAA03001@eos.ocn.ne.jp>
Subject: [doc-jp 7856] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:70.ppp-nat


$B$$$D$b$46lO+MM$G$9!%(B

At Mon, 20 Nov 2000 05:41:54 +0900,
Hiroki Sato <hrs@eos.ocn.ne.jp> wrote:

> =============================================================================
> FreeBSD-SA-00:70                                           Security Advisory

> II.  $BLdBj$N>\:Y(B - Problem Description
> 
> connection attempt".  While this was arguably incorrect behaviour in
> itself, the code also incorrectly allowed through ALL incoming
> traffic, effectively turning "deny_incoming" into a no-op.
> 
> $B$h$&$K$J$j$^$7$?(B.  $B$3$l<+BN$b$*$=$i$/@5$7$$F0:n$H$O8@$($J$$$N$G$9$,(B,
> ppp $B$N=hM}%3!<%I$O$5$i$K(B, $B8m$C$FE~Ce$9$k!V$9$Y$F$N!W%Q%1%C%H$NDL2a$b(B
> $B5v2D$7$F$7$^$$(B, "deny_incoming" $B$N5!G=$rL58z$J$b$N$K$7$F$7$^$$$^$9(B.

"$B8m$C$F(B"$B$,8e$m$K$"$C$?$[$&$,0UL#$,$O$C$-$j$9$k$+$b!#(B

  ppp $B$N%3!<%I$O$5$i$K(B, $BE~Ce$9$k!V$9$Y$F$N!W%Q%1%C%H$NDL2a$r8m$C$F5v2D(B
  $B$7$F$*$j(B, "deny_incoming" $B$N5!G=$r7k2LE*$KL58z$J$b$N$K$7$F$7$^$$$^$9(B.

> Thus, users who are using the deny_incoming functionality in the
> expectation that it provides a "deny by default" firewall which only
> allows through packets known to be part of an existing NAT session,
> are in fact allowing other types of unsolicited IP traffic into their
> internal network.
> 
> $B$7$?$,$C$F(B, $B4{B8$N(B NAT $B%;%7%g%s$K4^$^$l$k%Q%1%C%H$N$_$NDL2a$r5v2D$9$k(B,
> $B!V%G%U%)%k%H$G5qH]!W$N%U%!%$%"%&%)!<%k$r<B8=$9$k$?$a$K(B deny_incoming $B$r(B
> $B;H$C$F$$$k%f!<%6$O(B, $B<B:]$K$OFbIt%M%C%H%o!<%/$KBP$7$F(B, $B$"$k<o$N0U?^$7$J$$(B
> IP $B%Q%1%C%H$N?/F~$r5v$7$F$7$^$$$^$9(B.

other types$B$r!V$"$k<o!W$H$9$k$H>/$70UL#$,0c$&$+$J(B, $B$H$$$&$3$H$G;nLu!#(B

  $B$7$?$,$C$F(B, $B4{B8$N(B NAT $B%;%7%g%s$K4^$^$l$k%Q%1%C%H$N$_$NDL2a$r5v2D$9$k(B
  $B!V%G%U%)%k%H$G5qH]!W$N%U%!%$%"%&%)!<%k$r<B8=$9$k$?$a$K(B deny_incoming $B$r(B
  $B;H$C$F$$$k%f!<%6$O(B, $B<B:]$K$OFbIt%M%C%H%o!<%/$KBP$7$F(B, $B0U?^$7$J$$$=$N(B
  $BB>$N(B IP $B%Q%1%C%H$N?/F~$r5v$7$F$7$^$$$^$9(B.

What follows is a partial trial translation. I picked out the parts I felt were a little
hard to follow, but they are not very essential, so take them as "for reference only".

> The behaviour of ppp was corrected to only allow incoming packets
> which are known to be part of a valid NAT session, which gives the
> desired packet filtering behaviour in the general case.  Outgoing IP
> traffic which is not understood by libalias (such as an outgoing IPSEC
> packet part of a VPN) will cause a NAT session to be established which
> will allow incoming packets with the corresponding source and
> destination IP addresses and protocol number to pass, but all others
> to be denied.
> 
> ppp $B$NF0:n$O0lHLE*$KK>$^$l$k$h$&$J%Q%1%C%H%U%#%k%?$NF0:n$r<B8=$9$k$h$&(B,
> $BM-8z$J(B NAT $B%;%7%g%s$K4^$^$l$kE~Ce%Q%1%C%H$N$_$NDL2a$r5v2D$9$k$h$&$K(B
> $B=$@5$5$l$^$7$?(B.  libalias $B$,G'<1$G$-$J$$308~$-$N(B IP $B%Q%1%C%H(B (VPN $B$K(B
> $B;H$o$l$k308~$-$N(B IPSEC $B%Q%1%C%H$J$I(B) $B$O(B, $BBP1~$9$kAw?.85%"%I%l%9(B,
> $BAw?.@h%"%I%l%9(B, $B%W%m%H%3%kHV9f$r;}$DE~Ce%Q%1%C%H$r5v2D$7(B, $B$=$NB>$r(B
> $B5qH]$9$k(B NAT $B%;%7%g%s$r0l$D3NN)$7$^$9(B.

, which$B0J2<$rJL$NJ8$K$7$?$[$&$,4JC1$+$b!#(B

 ppp $B$NF0:n$OM-8z$J(B NAT $B%;%7%g%s$K4^$^$l$kE~Ce%Q%1%C%H$N$_$NDL2a$r5v2D(B
 $B$9$k$h$&$K=$@5$5$l$^$7$?(B.  $B$3$N=$@5$N7k2L(B, $B0lHLE*$KI,MW$J%Q%1%C%H%U%#(B
 $B%k%?$,<B8=$G$-$k$h$&$K$J$j$^$7$?(B. libalias $B$,G'<1$G$-$J$$308~$-$N(B IP 
 $B%Q%1%C%H(B (VPN $B$K;H$o$l$k308~$-$N(B IPSEC $B%Q%1%C%H$J$I(B) $B$K$D$$$F$O(B, $BBP1~(B
 $B$9$kAw?.85(BIP$B%"%I%l%9(B, $BAw?.@h(BIP$B%"%I%l%9(B, $B%W%m%H%3%kHV9f$r;}$DE~Ce%Q%1%C(B
 $B%H$r5v2D$7(B, $B$=$NB>$r5qH]$9$k(B NAT $B%;%7%g%s$r0l$D3NN)$7$^$9(B.

> This behaviour may be sufficient for the security needs of many users,
> although users with advanced filtering or security policy requirements
> are advised to use a more configurable packet filter such as those
> provided by ipfw(8) or ipf(8) which can meet their needs.
> 
> $B$3$NF0:n$O(B, $B$[$H$s$I$N%f!<%6$K$H$C$F%;%-%e%j%F%#E*$K==J,$J$b$N$G$"$k$H(B
> $B;W$o$l$^$9$,(B, $BJ#;($J%U%#%k%?$d%;%-%e%j%F%#%]%j%7$,MW5a$5$l$k>l9g$O(B
> ipfw(8) $B$d(B ipf(8) $B$,Ds6!$7$F$$$k(B, $B>\:Y$J@_Dj$,2DG=$J%Q%1%C%H%U%#%k%?$r(B
> $BMxMQ$7$F$/$@$5$$(B.  $B$3$l$i$OJ#;($JMW5a$K$bBP1~$G$-$^$9(B.

 $B$3$NF0:n$O(B, $B$*$=$i$/$[$H$s$I$N%f!<%6$K$H$C$F%;%-%e%j%F%#E*$K==J,$G(B
 $B$9(B. $B$5$i$K(B, $B9bEY$J%U%#%k%?$d%;%-%e%j%F%#%]%j%7$,I,MW$J%f!<%6$O>\:Y$J(B
 $B@_Dj$,2DG=$G<+J,$?$A$NMW5a$K9g$&(B, $B$?$H$($P(Bipfw(8) $B$d(B ipf(8) $B$,<B8=$7(B
 $B$F$$$k$h$&$J(B, $B%Q%1%C%H%U%#%k%?$rMxMQ$7$F$/$@$5$$(B.

$BKY!!???M(B
