Date: Tue, 28 Oct 2003 15:19:33 +0100
From: "Simon L. Nielsen"
To: Ken Smith
Cc: doc@freebsd.org, "Gabriel C. de Barros"
Subject: Re: lack in the firewall chapter

On 2003.10.28 09:09:06 -0500, Ken Smith wrote:
> On Tue, Oct 28, 2003 at 12:00:41PM -0200, Gabriel C. de Barros wrote:
>
> > I've spent two days trying to set ipfw or ipf .. before I understood that I
> > should lower my kernel security settings before messing with the rules.
> >
> > I think the handbook should mention that, at least in a footnote or
> > something.
> >
> > It was hard to find the answer, but while searching for it, I realized it's
> > a very common new-user mistake.
>
> I have a couple of ipfw related PR's I need to work on, I can take
> care of this as part of finishing those up.
>
> Basically you're saying if you have raised the security level of the
> kernel above 0 you can no longer change the ipfw rules.

From ipfw(8):

     ·   The ipfw filter list may not be modified if the system security
         level is set to 3 or higher (see init(8) for information on
         system security levels).

I haven't tested it, and I seem to remember some problems with
securelevel and ipfw not being honored correctly in the past, so you
might want to check the source.

-- 
Simon L. Nielsen
FreeBSD Documentation Team