Re: services(5): add default ftps ports
On Thu, May 06, 2021 at 11:09:03AM -0600, Theo de Raadt wrote:
> Jan Klemkow wrote:
> > > > I'm working on a diff to bring ftps with libtls into our ftpd(8). There
> > > > is a "getaddrinfo(NULL, "ftps", , )" call, which uses this
> > > > port. Thus, I made this change.
> > >
> > > Hang on -- does the world want ftps support?
> >
> > I don't know what "the world" wants. But I want ftps. As far as I
> > can see, ftps is the only way to bring our ftpd(8) into the 21st
> > century.
>
> I have a really hard time with that.
>
> The protocol is completely broken, and in a way that adding TLS makes it
> even worse.

OK. And what should we do with ftpd(8)? I see just three ways:

1. Prepare it for usage on the modern internet with crypto support.
2. Just use it for anonymous public file distribution.
3. Remove the daemon.

In my opinion the protocol is not that bad and our daemon just needs some
refactoring and encryption support.
Re: services(5): add default ftps ports
On Thu, May 06, 2021 at 06:36:52PM +0200, Mark Kettenis wrote:
> > From: "Theo de Raadt"
> > Date: Thu, 06 May 2021 10:26:31 -0600
> >
> > Jan Klemkow wrote:
> >
> > > On Wed, May 05, 2021 at 12:18:43PM -0600, Theo de Raadt wrote:
> > > > I would like a further justification for removing these ports from
> > > > the very limited dynamic reserved space used by bindresvport.
> > > >
> > > > (but not by rresvport, which appears still stomp over them)
> > > >
> > > > For tcp, 32 of the 512 are locked out.
> > > > For udp, 19.
> > > >
> > > > What software is actually using these ports?
> > > >
> > > > Is that software irrelevant these days?
> > >
> > > I'm working on a diff to bring ftps with libtls into our ftpd(8). There
> > > is a "getaddrinfo(NULL, "ftps", , )" call, which uses this
> > > port. Thus, I made this change.
> >
> > Hang on -- does the world want ftps support?

I don't know what "the world" wants. But I want ftps. As far as I can
see, ftps is the only way to bring our ftpd(8) into the 21st century.

I use ftp in my private local setup. I also want to use it over the
public internet in the future, like I did in the past. That's why I'm
working on it.

> I was going to ask the same thing. I mean even with encryption the
> FTP protocol still is a bad idea given all the problems with NAT
> traversal and such.

I don't use NAT or packet filters in my setup. With IPv6 there is no
active FTP problem.
Re: services(5): add default ftps ports
On Wed, May 05, 2021 at 12:18:43PM -0600, Theo de Raadt wrote: > I would like a further justification for removing these ports from > the very limited dynamic reserved space used by bindresvport. > > (but not by rresvport, which appears still stomp over them) > > For tcp, 32 of the 512 are locked out. > For udp, 19. > > What software is actually using these ports? > > Is that software irrelevant these days? I'm working on a diff to bring ftps with libtls into our ftpd(8). There is a "getaddrinfo(NULL, "ftps", , )" call, which uses this port. Thus, I made this change. > Jan Klemkow wrote: > > On Wed, May 05, 2021 at 11:09:12AM +0100, Stuart Henderson wrote: > > > On 2021/05/04 12:07, Jan Klemkow wrote: > > > > Add missing ftps defaults ports to servies(5). > > > > > > > > Index: services > > > > === > > > > RCS file: /cvs/src/etc/services,v > > > > retrieving revision 1.99 > > > > diff -u -p -r1.99 services > > > > --- services18 Feb 2021 02:30:29 - 1.99 > > > > +++ services4 May 2021 10:01:35 - > > > > @@ -318,6 +318,10 @@ krb_prop 754/tcp hprop # > > > > Kerberos slav > > > > krbupdate 760/tcp kreg# BSD Kerberos > > > > registration > > > > supfilesrv 871/tcp # SUP server > > > > swat 901/tcp # Samba Web > > > > Administration Tool > > > > +ftps-data 989/tcp # ftp data over TLS/SSL > > > > +ftps-data 989/udp # ftp data over TLS/SSL > > > > +ftps 990/tcp # ftp control over > > > > TLS/SSL > > > > +ftps 990/udp # ftp control over > > > > TLS/SSL > > > > > > I'm OK with adding the TCP ones (though ftp-over-tls always makes me > > > want to rant...). It's not going to run on UDP though so I think those > > > should not be added. > > > > OK? > > > > Index: services > > === > > RCS file: /cvs/src/etc/services,v > > retrieving revision 1.99 > > diff -u -p -r1.99 services > > --- services18 Feb 2021 02:30:29 - 1.99 > > +++ services5 May 2021 12:24:29 - 
> > @@ -318,6 +318,8 @@ krb_prop754/tcp hprop # > > Kerberos slav > > krbupdate 760/tcp kreg# BSD Kerberos registration > > supfilesrv 871/tcp # SUP server > > swat 901/tcp # Samba Web > > Administration Tool > > +ftps-data 989/tcp # ftp data over TLS > > +ftps 990/tcp # ftp control over TLS > > supfiledbg 1127/tcp# SUP debugging > > support1529/tcp# GNATS, cygnus bug > > tracker > > datametrics1645/udp > > >
Re: services(5): add default ftps ports
Jan Klemkow wrote:
> > > > I'm working on a diff to bring ftps with libtls into our ftpd(8). There
> > > > is a "getaddrinfo(NULL, "ftps", , )" call, which uses this
> > > > port. Thus, I made this change.
> > >
> > > Hang on -- does the world want ftps support?
>
> I don't know what "the world" wants. But I want ftps. As far as I
> can see, ftps is the only way to bring our ftpd(8) into the 21st
> century.

I have a really hard time with that.

The protocol is completely broken, and in a way that adding TLS makes it
even worse.
Re: services(5): add default ftps ports
> From: "Theo de Raadt"
> Date: Thu, 06 May 2021 10:26:31 -0600
>
> Jan Klemkow wrote:
>
> > On Wed, May 05, 2021 at 12:18:43PM -0600, Theo de Raadt wrote:
> > > I would like a further justification for removing these ports from
> > > the very limited dynamic reserved space used by bindresvport.
> > >
> > > (but not by rresvport, which appears still stomp over them)
> > >
> > > For tcp, 32 of the 512 are locked out.
> > > For udp, 19.
> > >
> > > What software is actually using these ports?
> > >
> > > Is that software irrelevant these days?
> >
> > I'm working on a diff to bring ftps with libtls into our ftpd(8). There
> > is a "getaddrinfo(NULL, "ftps", , )" call, which uses this
> > port. Thus, I made this change.
>
> Hang on -- does the world want ftps support?

I was going to ask the same thing. I mean even with encryption the
FTP protocol still is a bad idea given all the problems with NAT
traversal and such.
Re: services(5): add default ftps ports
Jan Klemkow wrote:
> On Wed, May 05, 2021 at 12:18:43PM -0600, Theo de Raadt wrote:
> > I would like a further justification for removing these ports from
> > the very limited dynamic reserved space used by bindresvport.
> >
> > (but not by rresvport, which appears still stomp over them)
> >
> > For tcp, 32 of the 512 are locked out.
> > For udp, 19.
> >
> > What software is actually using these ports?
> >
> > Is that software irrelevant these days?
>
> I'm working on a diff to bring ftps with libtls into our ftpd(8). There
> is a "getaddrinfo(NULL, "ftps", , )" call, which uses this
> port. Thus, I made this change.

Hang on -- does the world want ftps support?
Re: services(5): add default ftps ports
I would like a further justification for removing these ports from the very limited dynamic reserved space used by bindresvport. (but not by rresvport, which appears still stomp over them) For tcp, 32 of the 512 are locked out. For udp, 19. What software is actually using these ports? Is that software irrelevant these days? Jan Klemkow wrote: > On Wed, May 05, 2021 at 11:09:12AM +0100, Stuart Henderson wrote: > > On 2021/05/04 12:07, Jan Klemkow wrote: > > > Add missing ftps defaults ports to servies(5). > > > > > > Index: services > > > === > > > RCS file: /cvs/src/etc/services,v > > > retrieving revision 1.99 > > > diff -u -p -r1.99 services > > > --- services 18 Feb 2021 02:30:29 - 1.99 > > > +++ services 4 May 2021 10:01:35 - > > > @@ -318,6 +318,10 @@ krb_prop 754/tcp hprop # > > > Kerberos slav > > > krbupdate760/tcp kreg# BSD Kerberos > > > registration > > > supfilesrv 871/tcp # SUP server > > > swat 901/tcp # Samba Web > > > Administration Tool > > > +ftps-data989/tcp # ftp data over TLS/SSL > > > +ftps-data989/udp # ftp data over TLS/SSL > > > +ftps 990/tcp # ftp control over > > > TLS/SSL > > > +ftps 990/udp # ftp control over > > > TLS/SSL > > > > I'm OK with adding the TCP ones (though ftp-over-tls always makes me > > want to rant...). It's not going to run on UDP though so I think those > > should not be added. > > OK? > > Index: services > === > RCS file: /cvs/src/etc/services,v > retrieving revision 1.99 > diff -u -p -r1.99 services > --- services 18 Feb 2021 02:30:29 - 1.99 > +++ services 5 May 2021 12:24:29 - > @@ -318,6 +318,8 @@ krb_prop 754/tcp hprop # Kerberos slav > krbupdate760/tcp kreg# BSD Kerberos registration > supfilesrv 871/tcp # SUP server > swat 901/tcp # Samba Web Administration Tool > +ftps-data989/tcp # ftp data over TLS > +ftps 990/tcp # ftp control over TLS > supfiledbg 1127/tcp# SUP debugging > support 1529/tcp# GNATS, cygnus bug > tracker > datametrics 1645/udp >
Re: services(5): add default ftps ports
On Wed, May 05, 2021 at 11:09:12AM +0100, Stuart Henderson wrote:
> On 2021/05/04 12:07, Jan Klemkow wrote:
> > Add missing ftps default ports to services(5).
> >
> > Index: services > > === > > RCS file: /cvs/src/etc/services,v > > retrieving revision 1.99 > > diff -u -p -r1.99 services > > --- services18 Feb 2021 02:30:29 - 1.99 > > +++ services4 May 2021 10:01:35 - > > @@ -318,6 +318,10 @@ krb_prop 754/tcp hprop # > > Kerberos slav > > krbupdate 760/tcp kreg# BSD Kerberos registration > > supfilesrv 871/tcp # SUP server > > swat 901/tcp # Samba Web > > Administration Tool > > +ftps-data 989/tcp # ftp data over TLS/SSL > > +ftps-data 989/udp # ftp data over TLS/SSL > > +ftps 990/tcp # ftp control over > > TLS/SSL > > +ftps 990/udp # ftp control over > > TLS/SSL
>
> I'm OK with adding the TCP ones (though ftp-over-tls always makes me
> want to rant...). It's not going to run on UDP though so I think those
> should not be added.

OK?

Index: services === RCS file: /cvs/src/etc/services,v retrieving revision 1.99 diff -u -p -r1.99 services --- services18 Feb 2021 02:30:29 - 1.99 +++ services5 May 2021 12:24:29 - @@ -318,6 +318,8 @@ krb_prop754/tcp hprop # Kerberos slav krbupdate 760/tcp kreg# BSD Kerberos registration supfilesrv 871/tcp # SUP server swat 901/tcp # Samba Web Administration Tool +ftps-data 989/tcp # ftp data over TLS +ftps 990/tcp # ftp control over TLS supfiledbg 1127/tcp# SUP debugging support1529/tcp# GNATS, cygnus bug tracker datametrics1645/udp
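Review bot: the log message for this revised hunk should state what consumes the new entries, because each of +ftps-data 989/tcp and +ftps 990/tcp is another port that rc(8) feeds into net.inet.tcp.baddynamic (per the services.5 text proposed in this thread) and so one more of the 512 bindresvport ports taken out of use, which is exactly the justification asked for in the thread; naming the getaddrinfo(NULL, "ftps", ...) lookup in the ftpd(8) work as that consumer would answer it. The hunk itself is in order: TCP only, sorted between swat 901/tcp and supfiledbg 1127/tcp, with comment wording consistent with the neighbouring entries.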
Re: services(5): add default ftps ports
Stuart Henderson wrote:
> Every new entry in this file reduces the range available for dynamic
> port selection, so it would seem a good idea to cull a few if we're
> adding some. Here are some likely candidates;

Precisely. And one day there will be no reserved ports left, and then what?
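The arithmetic behind Theo's "32 of the 512" and Stuart's culling suggestion, as an added example that is not OpenBSD's rc(8) nor code from any diff in this thread: it parses a constructed services(5)-format snippet (carrying the ftps lines from Jan's first diff) and counts how many ports of the bindresvport(3) range each protocol has lost, then shows what dropping udp entries for TCP-only protocols gives back. Assumptions: the range is ports 512 to 1023 (the "512" in the thread), and every listed port is marked baddynamic for its protocol, as the services.5 text proposed in the thread describes.

```python
"""Accounting for the dynamic reserved port range argued about in the thread.

Added example, not OpenBSD code. Assumed: bindresvport(3) draws from ports
512..1023, and every port listed in services(5) becomes baddynamic for its
protocol (the behaviour the proposed services.5 text attributes to rc(8)).
"""
import re

RESERVED_LOW, RESERVED_HIGH = 512, 1023   # assumed bindresvport(3) range

# Constructed services(5)-style sample: the ftps lines from the first diff
# plus a TCP-only protocol (pop3) carrying a spurious udp entry.
SAMPLE = """\
# Network services, Internet style
pop3\t\t110/tcp\t\t\t# POP version 3
pop3\t\t110/udp
krbupdate\t760/tcp\t\tkreg\t# BSD Kerberos registration
supfilesrv\t871/tcp\t\t\t# SUP server
swat\t\t901/tcp\t\t\t# Samba Web Administration Tool
ftps-data\t989/tcp\t\t\t# ftp data over TLS/SSL
ftps-data\t989/udp\t\t\t# ftp data over TLS/SSL
ftps\t\t990/tcp\t\t\t# ftp control over TLS/SSL
ftps\t\t990/udp\t\t\t# ftp control over TLS/SSL
supfiledbg\t1127/tcp\t\t# SUP debugging
"""

PORT_PROTO = re.compile(r"(\d+)/(tcp|udp)")


def parse_services(text):
    """Yield (name, port, proto) per entry; '#' starts a comment, aliases ignored."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or malformed line
        m = PORT_PROTO.fullmatch(fields[1])
        if m is None:
            continue                      # unknown protocol or bad port field
        yield fields[0], int(m.group(1)), m.group(2)


def baddynamic(text, proto):
    """Ports that would end up in net.inet.<proto>.baddynamic (assumed: all listed)."""
    return sorted({port for _, port, p in parse_services(text) if p == proto})


def reserved_locked_out(text, proto):
    """Ports of the bindresvport(3) range that <proto> can no longer hand out."""
    return [p for p in baddynamic(text, proto) if RESERVED_LOW <= p <= RESERVED_HIGH]


def drop_udp_for_tcp_only(text, tcp_only_names):
    """Return the file text without udp lines for protocols that never use UDP."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in tcp_only_names and fields[1].endswith("/udp"):
            continue                      # the culling Stuart proposes
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        lost = reserved_locked_out(SAMPLE, proto)
        print(f"{proto}: {len(lost)} of {RESERVED_HIGH - RESERVED_LOW + 1} reserved ports listed: {lost}")
    trimmed = drop_udp_for_tcp_only(SAMPLE, {"pop3", "ftps", "ftps-data"})
    print("udp reserved ports listed after culling:", reserved_locked_out(trimmed, "udp"))
```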
Re: services(5): add default ftps ports
reads good. OK florian On 2021-05-05 11:09 +01, Stuart Henderson wrote: > On 2021/05/04 12:07, Jan Klemkow wrote: >> Hi, >> >> Add missing ftps defaults ports to servies(5). >> >> OK? >> >> bye, >> Jan >> >> Index: services >> === >> RCS file: /cvs/src/etc/services,v >> retrieving revision 1.99 >> diff -u -p -r1.99 services >> --- services 18 Feb 2021 02:30:29 - 1.99 >> +++ services 4 May 2021 10:01:35 - >> @@ -318,6 +318,10 @@ krb_prop754/tcp hprop # >> Kerberos slav >> krbupdate 760/tcp kreg# BSD Kerberos registration >> supfilesrv 871/tcp # SUP server >> swat901/tcp # Samba Web >> Administration Tool >> +ftps-data 989/tcp # ftp data over TLS/SSL >> +ftps-data 989/udp # ftp data over TLS/SSL >> +ftps990/tcp # ftp control over >> TLS/SSL >> +ftps990/udp # ftp control over >> TLS/SSL > > I'm OK with adding the TCP ones (though ftp-over-tls always makes me > want to rant...). It's not going to run on UDP though so I think those > should not be added. > > Every new entry in this file reduces the range available for dynamic > port selection, so it would seem a good idea to cull a few if we're > adding some. Here are some likely candidates; > > - removed a few UDP entries for protocols that won't use it > > - dropped some obsolete protocols > > - moved smtps/465 to the standards section (rfc8314) > > - moved the IANA UDP/TCP policy from a comment in /etc/services to > the manual, and added a pointer to the baddynamic sysctls > > Index: share/man/man5/services.5 > === > RCS file: /cvs/src/share/man/man5/services.5,v > retrieving revision 1.13 > diff -u -p -r1.13 services.5 > --- share/man/man5/services.5 3 Mar 2019 17:04:17 - 1.13 > +++ share/man/man5/services.5 5 May 2021 09:56:49 - 
> @@ -63,6 +63,20 @@ end of the line are not interpreted by t > .Pp > Service names may contain any printable character other than a > field delimiter, newline, or comment character. > +.Pp > +To protect service ports from being used for dynamic port assignment, > +.Xr rc 8 > +reads > +.Nm > +at boot and uses the contents to populate > +.Va net.inet.tcp.baddynamic > +and > +.Va net.inet.udp.baddynamic . > +.Pp > +While it is the policy of IANA to assign a single well-known port number > +for both TCP and UDP, to avoid reducing the dynamic port range unnecessarily, > +the unused entries are not always listed in > +.Nm . > .Sh FILES > .Bl -tag -width /etc/services -compact > .It Pa /etc/services > Index: etc/services > === > RCS file: /cvs/src/etc/services,v > retrieving revision 1.99 > diff -u -p -r1.99 services > --- etc/services 18 Feb 2021 02:30:29 - 1.99 > +++ etc/services 5 May 2021 09:56:49 - > @@ -3,10 +3,6 @@ > # Network services, Internet style > # > https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt > # > -# Note that it is presently the policy of IANA to assign a single well-known > -# port number for both TCP and UDP; hence, most entries here have two entries > -# even if the protocol doesn't support UDP operations. > -# > > tcpmux 1/tcp # TCP port service > multiplexer > echo 7/tcp > @@ -64,10 +60,7 @@ csnet-ns 105/tcp cso-ns # also used by > csnet-ns 105/udp cso-ns > rtelnet 107/tcp # Remote Telnet > rtelnet 107/udp > -pop2 109/tcp postoffice # POP version 2 > -pop2 109/udp > pop3 110/tcp # POP version 3 > -pop3 110/udp > sunrpc 111/tcp portmap rpcbind > sunrpc 111/udp portmap rpcbind > auth 113/tcp authentication tap ident 
> @@ -87,7 +80,6 @@ netbios-dgm 138/udp > netbios-ssn 139/tcp # NETBIOS session service > netbios-ssn 139/udp > imap 143/tcp imap2 # Internet Message Access Proto > -imap 143/udp imap2 # Internet Message Access Proto > bftp 152/tcp # Background File Transfer Proto > snmp 161/udp # Simple Net Mgmt Proto > snmp-trap162/udp snmptrap# Traps for SNMP > @@ -100,11 +92,9 @@ xdmcp 177/udp > nextstep 178/tcp NeXTStep NextStep # NeXTStep window > nextstep 178/udp NeXTStep NextStep # server > bgp 179/tcp # Border Gateway Proto. > -bgp 179/udp >
Re: services(5): add default ftps ports
On 2021/05/04 12:07, Jan Klemkow wrote:
> Hi,
>
> Add missing ftps default ports to services(5).
>
> OK?
>
> bye,
> Jan
>
> Index: services > === > RCS file: /cvs/src/etc/services,v > retrieving revision 1.99 > diff -u -p -r1.99 services > --- services 18 Feb 2021 02:30:29 - 1.99 > +++ services 4 May 2021 10:01:35 - > @@ -318,6 +318,10 @@ krb_prop 754/tcp hprop # Kerberos slav > krbupdate760/tcp kreg# BSD Kerberos registration > supfilesrv 871/tcp # SUP server > swat 901/tcp # Samba Web Administration Tool > +ftps-data989/tcp # ftp data over TLS/SSL > +ftps-data989/udp # ftp data over TLS/SSL > +ftps 990/tcp # ftp control over TLS/SSL > +ftps 990/udp # ftp control over TLS/SSL

I'm OK with adding the TCP ones (though ftp-over-tls always makes me
want to rant...). It's not going to run on UDP though so I think those
should not be added.

Every new entry in this file reduces the range available for dynamic
port selection, so it would seem a good idea to cull a few if we're
adding some. Here are some likely candidates:

- removed a few UDP entries for protocols that won't use it
- dropped some obsolete protocols
- moved smtps/465 to the standards section (rfc8314)
- moved the IANA UDP/TCP policy from a comment in /etc/services to
  the manual, and added a pointer to the baddynamic sysctls

Index: share/man/man5/services.5 === RCS file: /cvs/src/share/man/man5/services.5,v retrieving revision 1.13 diff -u -p -r1.13 services.5 --- share/man/man5/services.5 3 Mar 2019 17:04:17 - 1.13 +++ share/man/man5/services.5 5 May 2021 09:56:49 -
@@ -63,6 +63,20 @@ end of the line are not interpreted by t .Pp Service names may contain any printable character other than a field delimiter, newline, or comment character. +.Pp +To protect service ports from being used for dynamic port assignment, +.Xr rc 8 +reads +.Nm +at boot and uses the contents to populate +.Va net.inet.tcp.baddynamic +and +.Va net.inet.udp.baddynamic . +.Pp +While it is the policy of IANA to assign a single well-known port number +for both TCP and UDP, to avoid reducing the dynamic port range unnecessarily, +the unused entries are not always listed in +.Nm . .Sh FILES .Bl -tag -width /etc/services -compact .It Pa /etc/services Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.99 diff -u -p -r1.99 services --- etc/services18 Feb 2021 02:30:29 - 1.99 +++ etc/services5 May 2021 09:56:49 - @@ -3,10 +3,6 @@ # Network services, Internet style # https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt # -# Note that it is presently the policy of IANA to assign a single well-known -# port number for both TCP and UDP; hence, most entries here have two entries -# even if the protocol doesn't support UDP operations. -# tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp @@ -64,10 +60,7 @@ csnet-ns 105/tcp cso-ns # also used by csnet-ns 105/udp cso-ns rtelnet107/tcp # Remote Telnet rtelnet107/udp -pop2 109/tcp postoffice # POP version 2 -pop2 109/udp pop3 110/tcp # POP version 3 -pop3 110/udp sunrpc 111/tcp portmap rpcbind sunrpc 111/udp portmap rpcbind auth 113/tcp authentication tap ident @@ -87,7 +80,6 @@ netbios-dgm 138/udp netbios-ssn139/tcp # NETBIOS session service netbios-ssn139/udp imap 143/tcp imap2 # Internet Message Access Proto -imap 143/udp imap2 # Internet Message Access Proto bftp 152/tcp # Background File Transfer Proto snmp 161/udp # Simple Net Mgmt Proto snmp-trap 162/udp snmptrap# Traps for SNMP 
@@ -100,11 +92,9 @@ xdmcp 177/udp nextstep 178/tcp NeXTStep NextStep # NeXTStep window nextstep 178/udp NeXTStep NextStep # server bgp179/tcp # Border Gateway Proto. -bgp179/udp prospero 191/tcp # Cliff Neuman's Prospero prospero 191/udp irc194/tcp # Internet Relay Chat -irc194/udp smux 199/tcp # SNMP Unix Multiplexer smux
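Review bot: the new paragraph in the services.5 hunk describes only the rc(8)/baddynamic side of the file and not the other consequence of the etc/services removals in this diff, namely that a name dropped from the file (pop2, and the udp lines of pop3, imap, bgp and irc) no longer resolves through getservbyname(3)/getaddrinfo(3) for that protocol, the very lookup the thread's ftpd(8) work relies on for "ftps"; one sentence stating that entries are dropped at the cost of name lookups for them would make the trade-off explicit. Also, "the unused entries are not always listed in services" leaves "unused" ambiguous; "entries for the protocol a service does not use (typically UDP) are not always listed" says what is meant.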
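Review bot: the @@ -3,10 +3,6 @@ hunk in etc/services removes the IANA single-port-number note from the file header without leaving a pointer to where it moved; a reader of /etc/services will not necessarily open services.5, so replacing the deleted comment with a one-line reference such as "# See services(5) for the IANA TCP/UDP port policy" would keep the rationale for the missing udp entries discoverable next to the entries themselves.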
services(5): add default ftps ports
Hi,

Add missing ftps default ports to services(5).

OK?

bye,
Jan

Index: services === RCS file: /cvs/src/etc/services,v retrieving revision 1.99 diff -u -p -r1.99 services --- services18 Feb 2021 02:30:29 - 1.99 +++ services4 May 2021 10:01:35 - @@ -318,6 +318,10 @@ krb_prop 754/tcp hprop # Kerberos slav krbupdate 760/tcp kreg# BSD Kerberos registration supfilesrv 871/tcp # SUP server swat 901/tcp # Samba Web Administration Tool +ftps-data 989/tcp # ftp data over TLS/SSL +ftps-data 989/udp # ftp data over TLS/SSL +ftps 990/tcp # ftp control over TLS/SSL +ftps 990/udp # ftp control over TLS/SSL supfiledbg 1127/tcp# SUP debugging support1529/tcp# GNATS, cygnus bug tracker datametrics1645/udp
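Review bot: the hunk adds +ftps-data 989/udp and +ftps 990/udp next to the tcp entries, but FTP's control and data connections are TCP and FTP over TLS has no UDP variant, so the two udp lines serve no consumer and only remove two more ports from the udp dynamic range that this file feeds into baddynamic; keep +ftps-data 989/tcp and +ftps 990/tcp and drop the udp pair. The "TLS/SSL" wording in the comments could also be shortened to "TLS" to match current usage.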