Date: Wed, 28 May 2003 18:32:45 +0200
From: "Simon L. Nielsen"
To: Santos
Cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed

[Summary: net.inet.ip.fw.enable can be changed at any securelevel on RELENG_4]

On 2003.05.28 17:05:50 +0100, Santos wrote:
> Giorgos Keramidas wrote:
>
[CUT]
> ><<<<<<<
> >Index: ip_fw.c
> >===================================================================
> >RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> >retrieving revision 1.131.2.39
> >diff -u -r1.131.2.39 ip_fw.c
[CUT]
> >--- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39

> This doesn't fix the problem. Maybe this only fixes IPFW1 and not IPFW2
> too?...

Yes, that fix was only for ipfw1. ipfw2 already has this fixed in
-CURRENT (sys/netinet/ip_fw2.c v. 1.11 and 1.23) but it was apparently
never MFC'ed to -STABLE... This is also PR kern/39396.

I CC'ed Crist J. Clark, who added the code to -CURRENT, in the hope that
he has some time to look at it.

-- 
Simon L. Nielsen