From: James Lauser
To: kmacy@FreeBSD.org
Cc: freebsd-pf@FreeBSD.org
Date: Fri, 16 Nov 2007 13:00:57 -0500
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
Message-Id: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
In-Reply-To: <200711161753.lAGHr9OA025080@freefall.freebsd.org>

I understand that this is defined behavior, which is why I filed the PR as a change-request.
I believe it would be useful to modify the state table as a means of preventing an ongoing attack, even if the kernel is in securelevel 3. Changes to the state table are not technically changes to the firewall rules.

It is currently possible, however, to make changes to pf tables through pfctl -T, even in securelevel 3, and this feature _is_ actually changing the firewall rules (though this may be an unintended feature).

-- 
James L. Lauser
james@jlauser.net
Owner, jlauser.net Hosting Services
http://jlauser.net/

On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:

> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
> From the securelevel man page:
>
>     3     Network secure mode - same as highly secure mode, plus IP packet
>           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
>           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
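Added example, not part of the thread and not FreeBSD project code: a small POSIX shell helper that reads kern.securelevel and works out which pfctl operations an operator still has for cutting off an address. It encodes exactly what the message above reports: below securelevel 3 the states can be killed with pfctl -k and the address added to a table; at securelevel 3 pfctl -k is refused, so only the pfctl -T table change remains, and the attacker's existing states survive until they expire. The table name "attackers", the pf.conf fragment in the comments and the sample address 192.0.2.10 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a pf.conf containing:
#   table <attackers> persist
#   block in quick from <attackers>
# so that adding an address to the table blocks new connections from it.
# The table name "attackers" is an assumption made for this example.

TABLE=attackers

# securelevel_allows_state_kill LEVEL
# Per the securelevel text quoted in the thread, pfctl -k is refused at
# securelevel 3. Returns 0 (true) when killing states is expected to work.
securelevel_allows_state_kill() {
    [ "$1" -lt 3 ]
}

# plan_block LEVEL ADDR
# Prints the pfctl commands an operator would run to cut off ADDR at the
# given securelevel. Below 3: add to the table first (so the host cannot
# re-establish) and then kill its existing states. At 3: only the table
# change is available; existing states persist until they time out.
plan_block() {
    level=$1
    addr=$2
    printf 'pfctl -t %s -T add %s\n' "$TABLE" "$addr"
    if securelevel_allows_state_kill "$level"; then
        printf 'pfctl -k %s\n' "$addr"
    fi
}

# current_securelevel: read the live value; falls back to 0 where the
# sysctl does not exist (non-FreeBSD hosts), so the script stays runnable.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo 0
}

# Dry-run usage: print the plan for a constructed sample address.
# Pipe the output into sh on a real pf host to apply it.
if [ "${1:-}" = "--plan" ]; then
    plan_block "$(current_securelevel)" "${2:-192.0.2.10}"
fi
```

The ordering inside plan_block matters: the table entry goes in before the state kill, otherwise the host can re-open a connection in the gap. The caveat the thread is really about is visible in the securelevel 3 branch: a block rule only applies to new connections, so without pfctl -k the attacker's already-established states keep passing traffic.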