From owner-freebsd-ipfw Wed Apr 18 11:33:26 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id 645C937B422 for ; Wed, 18 Apr 2001 11:33:23 -0700 (PDT) (envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id UAA49728; Wed, 18 Apr 2001 20:31:45 +0200 (CEST) (envelope-from luigi)
From: Luigi Rizzo
Message-Id: <200104181831.UAA49728@info.iet.unipi.it>
Subject: Re: Protecting IPFW kernel variables...
In-Reply-To: <20010418113053.A34196@spiv.fnal.gov> from Rich Neswold at "Apr 18, 2001 11:30:54 am"
To: neswold@fnal.gov
Date: Wed, 18 Apr 2001 20:31:45 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Hello,
>
> I have a couple of machines that connect to the Internet via a FreeBSD box
> running ipfw. My firewall rules haven't been changed in quite a while, so I
> decided to run the box using secure level 3 (firewall rules can't get
> changed.) I noticed, however, that even at this secure level, I can still
> open my firewall by using sysctl!
>
> The following patch corrects this:
>
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.23
> diff -r1.131.2.23 ip_fw.c
> 100c100
> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> ---
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>
> The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
> securelevel >= 0, so it is more strict than it needs to be.
>
> Should I submit this?

I think it is a bit late for 4.3, also given that CTLFLAG_SECURE is not used anywhere.
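Review bot: The flag added on the `> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,` line carries no level of its own, and by the submitter's own description it refuses writes from securelevel >= 0 onward, so the knob would also be frozen on a box that never raised securelevel at all; confirm the real threshold in the sysctl dispatch code before submitting, because a lockout on the default securelevel is what a committer will object to, and a flag that takes a maximum level (as the reply suggests) is the cleaner fix. The hunk also protects only `enable`; any other `CTLFLAG_RW` variable in ip_fw.c that alters filtering behaviour needs the same treatment, or securelevel 3 still leaves a way to change the firewall's behaviour without touching a single rule. Finally, a plain `diff` hunk (`100c100`) against revision 1.131.2.23 is awkward to apply; `diff -u` output including the file header would make review and merging easier.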
This reminds me that I had some patches (which I did not commit) to extend the CTLFLAG_SECURE thing so that it would let you specify a level L, so the variable could be modified if securelevel <= L and not otherwise. I think I even posted them to the -security mailing list some time between Dec. 2000 and Feb. 2001.

cheers
luigi

> (Please CC: me in any response. I'm subscribed to -questions, -hackers, and
> -stable, but not -ipfw.)
>
> --
> Rich
>
> ------------------------------------------------------------------------
> Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
> Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
>                                                 | fax 1.630.840.3093
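As an added illustration of the level-qualified flag described in the reply above (this is my own code, not Luigi's uncommitted patches and not FreeBSD's sysctl.h), here is one way to encode a maximum securelevel L in the sysctl flag bits and enforce "writable only while securelevel <= L" at write time. The macro names `CTLFLAG_SECURE_AT`, `CTLMASK_SECURE` and `CTLSHIFT_SECURE`, the `struct oid` layout, the functions `sysctl_write_check`, `sysctl_set_int` and `count_writable`, and every table entry except `enable` are assumptions made for the example. The audit loop at the end is the check an administrator in Rich's position would want: at securelevel 3, nothing in the firewall table should still be writable, and the deliberately unprotected third entry shows what the bypass looks like.

```c
/* Added example: a level-qualified CTLFLAG_SECURE, as described in the
 * reply above. Encoding, names and the sample table are constructed for
 * illustration; they are not Luigi's patch or FreeBSD's sysctl.h. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define CTLFLAG_RD       0x80000000u
#define CTLFLAG_WR       0x40000000u
#define CTLFLAG_RW       (CTLFLAG_RD | CTLFLAG_WR)

/* Four bits of the flag word hold L+1, so 0 keeps the old "never restricted"
 * meaning and CTLFLAG_SECURE_AT(L) means "writable while securelevel <= L". */
#define CTLSHIFT_SECURE  20
#define CTLMASK_SECURE   (0xFu << CTLSHIFT_SECURE)
#define CTLFLAG_SECURE_AT(L)  ((((unsigned)(L)) + 1u) << CTLSHIFT_SECURE)

struct oid {
    const char *name;
    unsigned    kind;   /* CTLFLAG_* bits */
    int        *value;
};

/* 0 if a write is allowed at this securelevel, EPERM otherwise. */
int sysctl_write_check(const struct oid *oid, int securelevel)
{
    unsigned enc;

    if (!(oid->kind & CTLFLAG_WR))
        return EPERM;                       /* read-only variable */
    enc = (oid->kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE;
    if (enc == 0)
        return 0;                           /* no securelevel restriction */
    if (securelevel > (int)enc - 1)
        return EPERM;                       /* above the variable's level L */
    return 0;
}

/* Guarded store: the value is changed only when the check passes. */
int sysctl_set_int(struct oid *oid, int securelevel, int newval)
{
    int err = sysctl_write_check(oid, securelevel);

    if (err != 0)
        return err;
    *oid->value = newval;
    return 0;
}

/* Sample sysctl table (constructed). Only "enable" comes from the thread;
 * the other two names are made up to contrast protected and unprotected knobs. */
static int fw_enable = 1;
static int fw_sample_knob = 0;
static int fw_unprotected_knob = 0;
static struct oid fw_oids[] = {
    { "net.inet.ip.fw.enable",           CTLFLAG_RW | CTLFLAG_SECURE_AT(0), &fw_enable },
    { "net.inet.ip.fw.sample_knob",      CTLFLAG_RW | CTLFLAG_SECURE_AT(2), &fw_sample_knob },
    { "net.inet.ip.fw.unprotected_knob", CTLFLAG_RW,                        &fw_unprotected_knob },
};
#define NFW_OIDS (sizeof(fw_oids) / sizeof(fw_oids[0]))

/* Audit helper: how many variables in a table are still writable at a given
 * securelevel. For a firewall table this should be 0 at securelevel 3. */
size_t count_writable(const struct oid *tbl, size_t n, int securelevel)
{
    size_t i, writable = 0;

    for (i = 0; i < n; i++)
        if (sysctl_write_check(&tbl[i], securelevel) == 0)
            writable++;
    return writable;
}

int main(void)
{
    int lvl;

    for (lvl = 0; lvl <= 3; lvl++) {
        size_t i;
        printf("securelevel %d: %zu of %zu writable\n", lvl,
               count_writable(fw_oids, NFW_OIDS, lvl), (size_t)NFW_OIDS);
        for (i = 0; i < NFW_OIDS; i++)
            if (sysctl_write_check(&fw_oids[i], lvl) == 0)
                printf("  still writable: %s\n", fw_oids[i].name);
    }
    /* The guard refuses the "open the firewall" write at securelevel 3. */
    printf("set enable=0 at securelevel 3 -> %s\n",
           sysctl_set_int(&fw_oids[0], 3, 0) == EPERM ? "EPERM" : "ok");
    return 0;
}
```

Storing L+1 rather than L is what lets existing flag words (where those bits are zero) keep their unrestricted behaviour, so the change is backward compatible with every sysctl that does not opt in; the audit loop is the part worth keeping around after the patch lands, since it catches any firewall knob someone later registers with a bare `CTLFLAG_RW`.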