From owner-freebsd-security@FreeBSD.ORG Wed May 28 09:05:32 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ADA6337B411 for ; Wed, 28 May 2003 09:05:32 -0700 (PDT)
Received: from port995.com (port995.com [213.162.97.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C97543FCB for ; Wed, 28 May 2003 09:05:26 -0700 (PDT) (envelope-from sansan@cas.port995.com)
Received: by port995.com (Port995 Mail, from userid 77) id 5B3091407636; Wed, 28 May 2003 17:05:14 +0100 (BST)
Received: from cas.port995.com (Authenticated SMTP client) by port995.com (Port995 Mail) with ESMTP id 2A0851407635; Wed, 28 May 2003 17:05:12 +0100 (BST)
Message-ID: <3ED4DE5E.4080600@cas.port995.com>
Date: Wed, 28 May 2003 17:05:50 +0100
From: Santos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030507
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Giorgos Keramidas
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog> <3ED19590.80309@cas.port995.com> <20030526075447.GA29390@gothmog.gr>
In-Reply-To: <20030526075447.GA29390@gothmog.gr>
X-Enigmail-Version: 0.75.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 May 2003 16:05:33 -0000

Giorgos Keramidas wrote:
> Ah, that's fine. I don't have the time to test it now, but something
> similar to the following should do the trick. Sorry for not running
> this through a compile and a test run, but this is a very hectic day.
> Someone with enough time to run a full buildworld/buildkernel and fix
> any errors I have made should check that this fixes the problem and then
> notify the security officer. It looks like something that would be nice
> to have in STABLE *and* the security branches IMHO.
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.39
> diff -u -r1.131.2.39 ip_fw.c
> --- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
> +++ ip_fw.c 26 May 2003 07:50:05 -0000
> @@ -94,9 +94,25 @@ > MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); > > #ifdef SYSCTL_NODE > + > +static int > +sysctl_fw_enable(SYSCTL_HANDLER_ARGS) > +{ > + int error, v; > + > + if (securelevel >= 3) > + return (ENOPERM); > + > + error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req); > + if (error || !req->newptr) > + return (error); > + > + return (0); > +} > + > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > - &fw_enable, 0, "Enable ipfw"); > +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, > + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw"); > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > &fw_one_pass, 0, > "Only do a single pass through ipfw when using dummynet(4)"); > > This doesn't fix the problem. Maybe this only fixes IPFW1 and not IPFW2 too?... Santos
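Review bot: the securelevel guard at the top of `sysctl_fw_enable` returns `ENOPERM`, which is not an errno value in the FreeBSD tree, so this hunk will not compile; the conventional value for a securelevel-refused change is `EPERM`. The guard is also evaluated before `req->newptr` is looked at, so at securelevel >= 3 a plain read of `net.inet.ip.fw.enable` fails as well as a write; since `sysctl_handle_int` stores the new value into `oid_arg1` as soon as it succeeds, the check has to stay ahead of that call but should be limited to writes, e.g. `if (req->newptr != NULL && securelevel >= 3) return (EPERM);`. Minor: `v` is declared and never used, and `if (error || !req->newptr) return (error); return (0);` reduces to `return (error);`.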