similar to: filesystem firewall rules

Displaying 20 results from an estimated 30000 matches similar to: "filesystem firewall rules"

2006 Jun 01
1
mac_bsdextended log information
Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
2006 Oct 10
1
Proposal: MAC_BIBA and real-world usage
Hello, Are there many people actually using the MAC subsystem in the real world? I have been working to set up a shared hosting webserver and I've stumbled against some limitations with the BIBA policy. In short, it's an excellent model, and can be used successfully if applications are aware of its existence, but I find it incompatible with the real-world needs in Unix, and,
2008 Mar 17
0
Partition/filesystem expansion difficulties
CentOS 4.6 Hi All: I am now officially stumped. I have tried everything that I can think of and I have googled until I am blue in the face and tried just about everything that I could find that looked the least bit like it might apply and still no (or at least partial) joy. I am going to cram as much information into this email as I can and hope that someone out there can either tell me what I am
2004 Nov 09
2
Firewall rules that discriminate by connection duration
I'm interested in crafting firewall rules that throttle connections that have lasted more than a certain amount of time. (Most such connections are P2P traffic, which should be given a lower priority than other connections and may constitute network abuse.) Alas, it doesn't appear that FreeBSD's IPFW can keep tabs on how long a connection has been established. Is there another firewall
2008 Dec 04
1
rc.firewall: default loopback rules are set up even for custom file
I've just realized that I see in releng/7 something that I did not see in releng/6 - even if I use a file with custom rules in firewall_type I still get default loopback rules installed. I think that this is not correct, I am using custom rules exactly because I want to control *everything* (e.g. all deny rules come with log logamount xxx). -- Andriy Gapon
2008 Feb 01
2
RAID Hot Spare
I've googled this question without a great deal of information. Monday I'm rebuilding a Linux server at work. Instead of purchasing 3 drives for this system I purchased 4 with intent to create a hot spare. Here is my usual setup which I'll do again but with a hot spare for each partition. Create /dev/md0 mount point /boot RAID1 3 drives with 1 hot spare Create two more raid setups
2003 Jun 21
0
stale subscription
Hello, I get mail from this list (freebsd-stable@), yet mailman server claims that I'm not subscribed. Any attempt to unsubscribe via conventional means results in failure. I have sent mail to freebsd-stable-unsubscribe@freebsd.org, and have sent mail to the list directly with "unsubscribe" in the subject, and the main body. Somebody please remove
2005 Jun 10
2
Asterisk@Home connecting through firewall/router
I ditched the idea of using Asterisk straight through my router, there was too much to set up in too little time for me. I've found a spare machine and installed Asterisk@Home on it. Things run smoothly except for connecting to my IAX provider; It doesn't even look like packets are going out at all. Here's my config: ANY Cable ------> Firewall/Router
2004 Aug 18
0
No subject
> These are false positives. I had this showing on a box of mine > (chkrootkit-0.43). And What I did was remove the binaries and resync'ed my > source > and did a new build. Yea, this is basically what I did. re-synched my sources, pulled the ethernet cable, made world, and it's still showing that. I'm pretty sure this is a false positive, but just wanted to touch base
2005 Apr 11
1
/etc/rc.bsdextended: am I misunderstanding this..?
Can someone clear something up for me? [[[ # For apache to read user files, the ruleadd must give # it permissions by default. #### ${CMD} add subject uid 80 object not uid 80 mode rxws; ${CMD} add subject gid 80 object not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the
2009 Mar 01
2
Trusted Path Execution
I would like to know that there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework?
2007 Apr 02
1
Stronger security with BSD Firewall and Freeradius
I've seen that it is possible to use switch port blocking with freeradius and cisco switches via 802.1X and EAP protocol. Here is more info: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO What if I don't have switch that supports 802.1X or I want that blocking is done by FreeBSD, not the switch. Because FreeBSD is the firewall or gateway to some networks. Is there
2005 May 16
0
Configure a FreeBSD firewall to pass IPSec?
Greg White, I have noted your comment on some documentation found on the web, "I have successfully (and repeatedly) used Nortel VPN client on a NATed host through a FreeBSD gateway." Currently I have the same problem with a Nortel BCM Running M$ Windows VPN, the BCM sits behind a FreeBSD Firewall / NATD. ---- Network ---- ADSL Modem | FreeBSD Server / Gateway / HTTP etc.
2005 Feb 02
1
Information request - FreeBSD Native Firewall Certificate
I'd like to request information about the FreeBSD native firewall software Does the firewall attends to the security certification at International Computer Security Association (ICSA Labs Firewall Certification Program) Labs or Trust Technology Assessment Program (TTAP) or similar programs? Thanks for your attention Fernando Castro fcastro@smsweb.com.br
2003 Dec 23
0
How do I pass WWW (80) through the firewall on two NICs ?
I'm getting lost ... Running two NICs - no problem. But trying to screw down the rules a bit and getting lost on passing the www - or port 80, through the firewall both ways. There are WebServers - real and virtual, on the inside interface, with their own PublicIP. I'm not using the OutsideInterface as their web address, as I'm using my own DNS etc. So, in rc.firewall, what do I
2003 Aug 18
0
question about routing, firewall, natd and bridge
Hallo there, I had to change the provider. And after that my public IP address are routed straight through FreeBSD Box. What is it best way to do it? I personally done it the way, where exist the localnet alias for every interface... eg.. ifconfig_ed0="inet 62.168.40.188 netmask 255.255.255.252 broadcast 62.168.40.191" after that there is local interface 192.168.1.1/255 and it's
2003 May 08
1
bridge and firewall
Can anyone help with this. Bridge is enabled, even in sysctl. Firewall is enabled and configured. But my reality is done this way.. Cisco (NATing 192.168.1.0/24) ---- Freebsd Bridge (Public IP) ------ stations (Public IP) (NATing 172.16.0.0/24 192.168.1.xx or something similar) 172.16.0.xx and on one public IP one
2011 Nov 16
1
Starting X11 with kernel secure level greater than -1/0.
Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible
2004 Jun 24
0
filesystem screwed after aborted fsck.ext3
hi, a good friend of mine had some trouble with his fs yesterday. i have some details now and wonder if you have some thoughts on it, even it may turn out not to be an ext3 issue at all. sorry, the post is a bit too long: the ext3 fs was running for several months now on a RAID controller. due to a user error, the RAID controller decided to rebuild
2004 Sep 03
0
ipfw rules or something alike
> I use, thus far, "allow icmp from any to any icmptypes 0,3,4,8,11". That > include 'echo request', of course. Someone else may have a better idea. You want to be pinged? Why don't you let something in and something out? I.e.: add 10000 allow icmp from any to any icmptypes 8 out add 10100 allow icmp from any to any icmptypes 0 in add 10200 allow icmp from any to any