Hello, all!

In the beginning I want to say that this question seems to be a security one, isn't it so?..

Recently I was googling for the subject and couldn't find anything... Even in the opennet.ru forum nobody answered me about this.

So, as far as I got to know, randomizing source ports in FreeBSD is impossible now? (to be exact - is not implemented?)

It's very interesting to me - WHY is it so? I mean - maybe there are good reasons for not making all this?..

Anyway, I looked how it is done in OpenBSD and made a patch for FreeBSD. I've uploaded the patches for FreeBSD 4 and FreeBSD 5 here: http://www.625.ru/rlsp/

Direct links:
http://www.625.ru/rlsp/in_pcb.c.patch.4
http://www.625.ru/rlsp/in_pcb.c.patch.5

It seems to be working on my 4.9 box =) - after recompiling the kernel the system picks up a random port for making a connection. Especially when I increase net.inet.ip.portrange.last, for example, to the value 20000, the ports become 'more random' :)

What the patch does: it creates a sysctl variable net.inet.ip.random_lport, which is "off" by default. When it is nonzero, the OpenBSD method is used in sys/netinet/in_pcb.c (in in_pcbbind() in FreeBSD 4 and in_pcbbind_setup() in FreeBSD 5) to pick up a source port. Otherwise the 'old' FreeBSD method is used. The exact OpenBSD method for finding a free random port is used (but that wasn't just copy-paste =)) ).

I don't have the opportunity to test the FreeBSD 5 patch, but I tried to analyze the patching results attentively (what I worry about is using the arc4random() function in FreeBSD 5...).

I'm eager to hear your opinions on all this, as I'm rather a newbie to administrating FreeBSD (and especially to 'hacking' the kernel).

If you find errors, please try to understand that this is the first time I decided to change something 'so deep' in FreeBSD and decided to make a patch for this ;-)) (but I tried to do my best to avoid errors)

Some information about this patch is here: http://www.625.ru/rlsp/

-- 
Best regards,
Danil V. Gerun.
danil@hate.spam.625.ru
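An added illustration of the two selection strategies the message describes (the old sequential pick versus random probing behind an on/off switch), written as stand-alone user-space C for this page. It is not Danil's patch and not FreeBSD or OpenBSD kernel code: `pick_local_port`, `portrange_cfg`, `port_set` and `demo_random` are made-up names, the bitset stands in for the kernel's in_pcblookup() "is this port bound?" check, and `demo_random` is a seeded stand-in for arc4random() so the run is reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of ephemeral-port selection; not FreeBSD or OpenBSD code. */

#define PORT_COUNT 65536

/* One bit per port: set means "already bound". In the kernel this role is
 * played by the in_pcblookup() check against the PCB hash. */
typedef struct { uint8_t bits[PORT_COUNT / 8]; } port_set;

static int  port_in_use(const port_set *s, uint16_t p) { return (s->bits[p >> 3] >> (p & 7)) & 1; }
static void port_mark(port_set *s, uint16_t p)          { s->bits[p >> 3] |= (uint8_t)(1u << (p & 7)); }

/* Stand-in for arc4random(): a seeded xorshift32 so runs are reproducible.
 * A real implementation needs a CSPRNG; a predictable generator gives an
 * observer the same guessable ports the randomization is meant to remove. */
static uint32_t prng_state = 0x9E3779B9u;
static uint32_t demo_random(void)
{
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Mirrors net.inet.ip.portrange.first/last plus the patch's switch
 * net.inet.ip.random_lport; "next" is the cursor the sequential method keeps. */
struct portrange_cfg {
    uint16_t first, last;
    int      random_lport;
    uint16_t next;
};

/* Pick and reserve a free local port in [first, last].
 * Returns 0 when the range is exhausted (the kernel would fail with EADDRNOTAVAIL). */
uint16_t pick_local_port(struct portrange_cfg *cfg, port_set *inuse)
{
    uint32_t span = (uint32_t)cfg->last - cfg->first + 1;
    uint16_t cand;

    if (cfg->random_lport) {
        /* Randomized: probe uniformly chosen candidates. The number of tries is
         * bounded so a nearly full range cannot spin forever ... */
        for (uint32_t tries = 0; tries < span; tries++) {
            cand = (uint16_t)(cfg->first + demo_random() % span);
            if (!port_in_use(inuse, cand)) { port_mark(inuse, cand); return cand; }
        }
        /* ... then sweep linearly from a random offset so the last free ports
         * are still found, just not in a predictable order. */
        uint32_t start = demo_random() % span;
        for (uint32_t i = 0; i < span; i++) {
            cand = (uint16_t)(cfg->first + (start + i) % span);
            if (!port_in_use(inuse, cand)) { port_mark(inuse, cand); return cand; }
        }
        return 0;
    }

    /* Old method: hand out ports in increasing order, wrapping at last. */
    for (uint32_t i = 0; i < span; i++) {
        cand = cfg->next;
        cfg->next = (cand >= cfg->last) ? cfg->first : (uint16_t)(cand + 1);
        if (!port_in_use(inuse, cand)) { port_mark(inuse, cand); return cand; }
    }
    return 0;
}

/* First port handed out for a fresh (empty) range with the given mode. */
uint16_t demo_first_pick(uint16_t first, uint16_t last, int random_lport)
{
    port_set inuse; memset(&inuse, 0, sizeof inuse);
    struct portrange_cfg cfg = { .first = first, .last = last, .random_lport = random_lport, .next = first };
    return pick_local_port(&cfg, &inuse);
}

/* Bind every port of the range once; returns 1 if every pick was in range
 * (picks are distinct by construction) and the next pick reports exhaustion. */
int demo_exhaust_range(uint16_t first, uint16_t last, int random_lport)
{
    port_set inuse; memset(&inuse, 0, sizeof inuse);
    struct portrange_cfg cfg = { .first = first, .last = last, .random_lport = random_lport, .next = first };
    uint32_t span = (uint32_t)last - first + 1;
    for (uint32_t i = 0; i < span; i++) {
        uint16_t p = pick_local_port(&cfg, &inuse);
        if (p < first || p > last) return 0;   /* 0 (exhausted) also fails here */
    }
    return pick_local_port(&cfg, &inuse) == 0;
}

int main(void)
{
    port_set inuse; memset(&inuse, 0, sizeof inuse);
    struct portrange_cfg cfg = { .first = 1024, .last = 20000, .random_lport = 1, .next = 1024 };
    printf("random_lport=1:");
    for (int i = 0; i < 5; i++) printf(" %u", pick_local_port(&cfg, &inuse));
    cfg.random_lport = 0;
    printf("\nrandom_lport=0:");
    for (int i = 0; i < 5; i++) printf(" %u", pick_local_port(&cfg, &inuse));
    printf("\n");
    return 0;
}
```

The randomized branch draws from the whole [first, last] span, so widening the range (as the message does by raising net.inet.ip.portrange.last to 20000) gives the picker more values to spread over, which is the "more random" effect observed; the sequential branch is what an observer can predict from one seen connection.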
On Sat, 18 Sep 2004, Danil V.Gerun wrote:

> So, as far as I got to know, randomizing source ports in FreeBSD is
> impossible now? (to be exact - is not implemented?)
>
> It's very interesting to me - WHY is it so?
> I mean - may be there are good reasons for not making all this?..

Source port randomization was implemented before 4.10 was released. See in_pcb.c revisions 1.143 - 1.146, 1.59.2.27, or 1.59.2.27.2.1, depending on the branch you're interested in:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c

> I don't have opportunity to test the FreeBSD 5 patch, but I tried to
> analyze the patching results attentively (what I worry about - is
> using the arc4random() function in FreeBSD 5...).

What are your concerns with the way port randomization was implemented in FreeBSD?

Mike "Silby" Silbersack
On Sat, 18 Sep 2004, stheg olloydson wrote:

> Hello,
>
> I don't think Mr Gerun has a problem with the way port randomizing is
> implemented. I believe that because he couldn't find any information
> about FBSD doing port randomization, he thought it wasn't implemented
> at all, so he wrote some patches to enable it.
> I missed this bit in the Release Notes myself. Thanks for the effort! I
> do have a question, though. I don't understand the commit procedure, so
> I have always been a little perplexed by some of the nomenclature in
> the CVS log. For example, entries 1.143-1.46 are to Branch: Main, while
> 1.59.2.27.2.1 is to Branch: RELENG_4_10 and 1.5.2.28 is to Branch:
> RELENG_4. What exactly is Branch: Main? Is it RELENG_5? If so, does that
> mean your changes are not in RELENG_5_2?
>
> Regards,
>
> Stheg

Branch Main is -CURRENT; right now that means it's 6.0, but back when I did the commit, it was 5.2-CURRENT, and RELENG_5 did not yet exist. You are correct that port randomization was not merged into the releng_5_2 branch. Your other deductions are correct, AFAIK.

To take this a bit more back on-topic, port randomization was not merged into the security branches because we don't consider RST attacks to be a threat to most users. Once we have finalized fixes for the RST and SYN vectors of the attack, we'll merge those changes, but only to 5-stable and 4-stable. (If you feel that those changes should be merged to the security branches, please tell me AFTER the fixes go in, not now - I don't need the distraction.)

Mike "Silby" Silbersack