Date: 29 Nov 1999 13:59:05 +0100 From: Dag-Erling Smorgrav <des@flood.ping.uio.no> To: Tony Landells <ahl@austclear.com.au> Cc: hackers@freebsd.org Subject: Re: new IPFW Message-ID: <xzpemd93146.fsf@flood.ping.uio.no> In-Reply-To: Tony Landells's message of "Thu, 25 Nov 1999 08:52:28 %2B1100" References: <199911242152.IAA26077@tungsten.austclear.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
[moving from -ipfw and -arch to -hackers]
Tony Landells <ahl@austclear.com.au> writes:
> One concern I would have with that is that there are a lot of tools
> built on BPF that I would prefer to not be able to run on the firewall.
Don't confuse BPF with promiscuous mode. BPF is simply a programmable
packet filter and does not in and of itself represent a security risk.
Promiscuous mode allows a host to capture packets not destined to
itself, and may represent a security risk on shared media networks
(e.g. 10Base2, unswitched 10BaseT).
The attached patch prevents switching into promiscuous mode when
running in "Network secure mode" (securelevel 3 or higher).
DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no
Index: if.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if.c,v
retrieving revision 1.77
diff -u -r1.77 if.c
--- if.c 1999/11/22 02:44:51 1.77
+++ if.c 1999/11/29 12:52:07
@@ -908,6 +908,8 @@
int error;
if (pswitch) {
+ if (securelevel >= 3)
+ return (EPERM);
/*
* If the device is not configured up, we cannot put it in
* promiscuous mode.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpemd93146.fsf>