From owner-freebsd-pf@FreeBSD.ORG  Fri Nov 16 18:01:00 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 20F4416A41A;
	Fri, 16 Nov 2007 18:01:00 +0000 (UTC)
	(envelope-from james@jlauser.net)
Received: from Pancake.jlauser.net (Pancake.jlauser.net
	[IPv6:2002:1869:aa6e::1])
	by mx1.freebsd.org (Postfix) with ESMTP id CD27B13C448;
	Fri, 16 Nov 2007 18:00:59 +0000 (UTC)
	(envelope-from james@jlauser.net)
Received: from Orthrus.jlauser.net (Orthrus.jlauser.net
	[IPv6:2002:48e2:55a7:1:216:cbff:fe83:6ae4]) (authenticated bits=0)
	by Pancake.jlauser.net (8.13.8/8.13.8) with ESMTP id lAGI0wio081521
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
	Fri, 16 Nov 2007 13:00:58 -0500 (EST)
	(envelope-from james@jlauser.net)
Message-Id: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
From: James Lauser <james@jlauser.net>
To: kmacy@FreeBSD.org
In-Reply-To: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v915)
Date: Fri, 16 Nov 2007 13:00:57 -0500
References: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
X-Mailer: Apple Mail (2.915)
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
	milter-greylist-3.0 (Pancake.jlauser.net
	[IPv6:2002:1869:aa6e::1]); Fri, 16 Nov 2007 13:00:58 -0500 (EST)
Cc: freebsd-pf@FreeBSD.org
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2007 18:01:00 -0000

I understand that this is defined behavior, which is why I filed the  
PR as a change-request.  I believe it would be useful to modify the  
state table as a means of preventing an ongoing attack, even if the  
kernel is in securelevel 3.  Changes to the state table are not  
technically changes to the firewall rules.  It is currently possible,  
however, to make changes to pf tables through pfctl -T, even in  
securelevel 3, and this feature _is_ actually changing the firewall  
rules (though this may be an unintended feature).


--  James L. Lauser
     james@jlauser.net
     Owner, jlauser.net Hosting Services
     http://jlauser.net/


On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:

> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
>> From the securelevel man page:
>     3     Network secure mode - same as highly secure mode, plus IP  
> packet
>           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8))  
> cannot be
>           changed and dummynet(4) or pf(4) configuration cannot be  
> adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645