OPNsense - FreeBSD source
Gleb Smirnoff 46aaea6c19 sshd: update the libwrap patch to drop connections early
OpenSSH has dropped libwrap support in OpenSSH 6.7p in 2014
(f2719b7c in github.com/openssh/openssh-portable) and we
maintain the patch ourselves since 2016 (a0ee8cc636).

Over the years, the libwrap support has deteriorated, and that was
probably the reason for removal upstream.  The original idea of libwrap
was to drop an illegitimate connection as soon as possible, but over the
years the code was pushed further down and down and ended in the
forked client connection handler.

The negative effect of late dropping is an increased attack surface
for hosts that are to be dropped anyway.  Apart from hypothetical
future vulnerabilities in connection handling, today a malicious
host listed in /etc/hosts.allow can still trigger sshd to enter
connection throttling mode, which is enabled by default (see
MaxStartups in sshd_config(5)), effectively mounting a DoS attack.
Note that on OpenBSD this attack isn't possible, since they enable
MaxStartups together with UseBlacklist.

The only negative effect of early drop that I can imagine is that
now the main listener parses files in /etc, and if our root filesystem
goes bad, it would get stuck.  But it is unlikely you'd be able to log
in in that case anyway.

Implementation details:

- For brevity we reuse the same struct request_info.  This isn't
  a documented feature of libwrap, but code review, viewing data
  in a debugger and real life testing show that if we clear
  RQ_CLIENT_NAME and RQ_CLIENT_ADDR every time, it works as intended.
- We set SO_LINGER on the socket to force immediate connection reset.
- We log the message exactly as libwrap's refuse() would do.

Differential revision:	https://reviews.freebsd.org/D33044

(cherry picked from commit ca573c9a17)
2022-10-06 21:39:00 -04:00
.cirrus-ci Cirrus-CI: add some timing info on pkg install failure 2022-02-09 12:39:50 -05:00
.github/workflows .github: Add a build on Ubuntu 22.04 using llvm 14. 2022-07-13 11:44:26 -07:00
bin Handle NULL return from localtime(3) in ls(1) and find(1) 2022-09-27 09:20:29 -07:00
cddl zfs: merge openzfs/zfs@6a6bd4939 (zfs-2.1-release) into stable/13 2022-10-04 17:52:45 +02:00
contrib file: fix test case for gpkg by removing the extra \n. 2022-10-04 23:18:17 -07:00
crypto sshd: update the libwrap patch to drop connections early 2022-10-06 21:39:00 -04:00
etc Remove obsolete SystemV dir from BSD.usr.dist 2022-10-01 20:32:45 -04:00
gnu Bump shared library versions after ncurses bump in 13. 2021-02-04 17:51:45 -08:00
include libc: Add strverscmp(3) and versionsort(3) 2022-08-31 04:20:28 +03:00
kerberos5 pkgbase: split kerberos binaries and libs 2022-08-19 14:27:16 +01:00
lib ssh: update to OpenSSH v8.9p1 2022-10-06 21:39:00 -04:00
libexec rtld: teach LD_SHOW_AUXV about AT_USRSTACK* 2022-09-30 03:29:10 +03:00
release pkgbase: split kerberos binaries and libs 2022-08-19 14:27:16 +01:00
rescue Add an internal libiscsiutil library. 2022-04-29 14:13:00 -07:00
sbin ipfilter/libipf: printpool_live() consumer ignores return code 2022-10-06 06:56:27 -07:00
secure ssh: update to OpenSSH v8.9p1 2022-10-06 21:39:00 -04:00
share snd_uaudio(4): Add some examples accessing USB MIDI devices. 2022-10-04 16:40:50 +02:00
stand stand: Unbreak FAT32 in loader 2022-10-05 13:47:39 +02:00
sys nfscl: Fix parameter order in the calls to MGET(). 2022-10-06 16:52:10 -07:00
targets Fix bootstrapping to actually build lldb-tblgen for later use 2021-09-07 13:08:18 +01:00
tests posixshm tests: Map the large pages in the madvise test 2022-10-03 09:06:32 -04:00
tools check/delete-old: Fix /bin/rmail removal condition 2022-10-04 18:48:27 +03:00
usr.bin clang: remove as(1) cross-reference from man page 2022-10-01 20:35:06 -04:00
usr.sbin unbound: Adjust version string 2022-10-04 13:51:59 -07:00
.arcconfig arcconfig: add callsign again 2020-11-23 04:39:29 +00:00
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.cirrus.yml Cirrus-CI: add a manual amd64-gcc9 build and smoketest job 2022-02-22 14:53:02 -05:00
.clang-format clang-format: Add bitset loop macros 2021-11-01 09:20:11 -04:00
.gitattributes Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitignore add exuberant ctags tags file to gitignore 2022-01-11 15:25:37 +02:00
COPYRIGHT copyrights: Happy New Year 2021 2020-12-31 10:29:44 -05:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS Add a pointer to csprng@ for the CSPRNG driver. This is enforced anyway by 2020-09-01 08:02:12 +00:00
Makefile Add list-old-{dirs,files,libs} targets. 2022-07-13 08:22:24 -07:00
Makefile.inc1 installworld: improve portability of ldd use 2022-08-12 16:06:26 +01:00
Makefile.libcompat Prefer MK_SSP=no to SSP_CFLAGS= 2021-08-11 13:56:28 -03:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc contrib/tzdata: import tzdata 2022d 2022-09-28 09:33:38 +08:00
README README.md: update gnu directory description 2021-12-19 21:01:53 -05:00
README.md README.md: update gnu directory description 2021-12-19 21:01:53 -05:00
RELNOTES RELNOTES: Note support for KTLS RX for TLS 1.3. 2022-04-29 14:08:44 -07:00
UPDATING LinuxKPI: move pm_message_t from kernel.h to pm.h 2022-07-01 13:48:24 +00:00

FreeBSD Source:

This is the top level of the FreeBSD source directory. This file was last revised on: FreeBSD

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information, including setting make(1) variables.

Source Roadmap:

bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

gnu		Commands and libraries under the GNU General Public License
		(GPL) or Lesser General Public License (LGPL).  Please see
		gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

stand		Boot loader sources.

sys		Kernel sources.

sys/<arch>/conf Kernel configuration files. GENERIC is the configuration
		used in release builds. NOTES contains documentation of
		all possible entries.

tests		Regression tests which can be run by Kyua.  See tests/README
		for additional information.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html