From owner-freebsd-security@FreeBSD.ORG  Sun May 25 14:01:17 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8842237B401
	for <freebsd-security@freebsd.org>;
	Sun, 25 May 2003 14:01:17 -0700 (PDT)
Received: from thalia.otenet.gr (mailsrv.otenet.gr [195.170.0.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6853B43F85
	for <freebsd-security@freebsd.org>;
	Sun, 25 May 2003 14:01:16 -0700 (PDT)
	(envelope-from keramida@freebsd.org)
Received: from gothmog.gr (patr530-b130.otenet.gr [212.205.244.138])
	by thalia.otenet.gr (8.12.9/8.12.9) with ESMTP id h4PL19Kd013647;
	Mon, 26 May 2003 00:01:12 +0300 (EEST)
Received: from gothmog.gr (gothmog [127.0.0.1])
	by gothmog.gr (8.12.9/8.12.9) with ESMTP id h4PL13hC021914;
	Mon, 26 May 2003 00:01:09 +0300 (EEST)
	(envelope-from keramida@freebsd.org)
Received: (from giorgos@localhost)
	by gothmog.gr (8.12.9/8.12.9/Submit) id h4PKpFUJ021821;
	Sun, 25 May 2003 23:51:15 +0300 (EEST)
	(envelope-from keramida@freebsd.org)
Date: Sun, 25 May 2003 23:51:15 +0300 (EEST)
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
X-X-Sender: giorgos@gothmog
To: Santos <sansan@cas.port995.com>
In-Reply-To: <3ED06967.90306@cas.port995.com>
Message-ID: <20030525234819.U21691@gothmog>
References: <3ED06967.90306@cas.port995.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 25 May 2003 21:01:17 -0000

On 2003-05-25 07:57, Santos wrote:
> root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>
> 3   Network secure mode - same as highly secure mode, plus IP packet
>      filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>      dummynet(4) configuration cannot be adjusted.
>
> root@vigilante /root cuaa1# sysctl -a |grep secure
> kern.securelevel: 3
> [...]
> root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
> net.inet.ip.fw.enable: 1 -> 0
>
> root@vigilante /root cuaa1# ping  216.136.204.21
> PING 216.136.204.21 (216.136.204.21): 56 data bytes
> 64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
> ^C

Try this patch.  Unless of course, you're not using IPFW version 1,
in which case someone more knowledgeable will hopefully correct me :)

<<<<<<<
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.192
diff -u -r1.192 ip_fw.c
--- sys/netinet/ip_fw.c	19 Feb 2003 05:47:33 -0000	1.192
+++ sys/netinet/ip_fw.c	25 May 2003 20:46:37 -0000
@@ -95,7 +95,7 @@

 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
     &fw_enable, 0, "Enable ipfw");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
     &fw_one_pass, 0,
>>>>>>>

- Giorgos