Date:      Thu, 16 Sep 2004 04:04:59 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Re: pf and securelevel
Message-ID:  <20040608041725.GA3640@kt-is.co.kr>
In-Reply-To: <20040607154341.9A9CAB870@relay.md-moldes.com>
References:  <20040607154341.9A9CAB870@relay.md-moldes.com>

On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
 > Hi all,
 > 
 > Is it disallowed to change pf rules when FreeBSD is running at securelevel 3
 > as it is with ipfw and ipfilter?
 > 

OpenBSD defines 4 securelevels (-1, 0, 1 and 2) whereas FreeBSD
supports 5 securelevels (-1, 0, 1, 2 and 3).
So the highest securelevel on OpenBSD is 2. At present, pf
on OpenBSD rejects some ioctls(2) when the system's securelevel is
higher than 1.

Because FreeBSD's highest securelevel is 3, pf on FreeBSD can
check process credentials against securelevel 3. But at the
time of my first porting, that was ignored. So if you have a
securelevel higher than 1 you can't manipulate the pf ruleset.

If you want the same behavior as ipfw(8), change the check
statement at the beginning of pfioctl() in pf_ioctl.c.
Also, you can use the jail-friendly wrapper function securelevel_gt().
But it's not clear to me how pf should act in a jailed process.
Maybe Max and Daniel have more ideas.

 > Thanks,
 > Nuno
 > 
 > 

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>;
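Added illustration (not pf's own code, and not from anyone in this thread): a small userland C model of the securelevel gate at the top of pfioctl() that the reply describes. It shows the two thresholds under discussion, OpenBSD's "refuse when securelevel > 1" and the ipfw(8)-style "refuse only at securelevel 3", and a read-only whitelist of DIOC* commands that stay usable at a raised securelevel. The DIOC* names are real pf ioctl names, but their numeric values here are placeholders, the whitelist membership is an assumption chosen to show the idea, and securelevel_gt_model() is a stand-in for FreeBSD's securelevel_gt(), which takes a struct ucred rather than a bare integer.

```c
/*
 * Model of the securelevel check at the start of pfioctl().
 * Illustrative code only: command numbers are placeholders and the
 * read-only whitelist is an assumption, not the exact list pf uses.
 */
#include <errno.h>
#include <stdio.h>

/* Placeholder command numbers (assumption: real ones live in <net/pfvar.h>). */
enum pf_cmd {
	DIOCGETRULES = 1,
	DIOCGETRULE,
	DIOCGETSTATES,
	DIOCGETSTATUS,
	DIOCADDRULE,
	DIOCCHANGERULE,
	DIOCCLRSTATES,
	DIOCSETSTATUSIF,
};

/*
 * Securelevel above which ruleset changes are refused.
 * OpenBSD pf: > 1.  ipfw(8) on FreeBSD: > 2 (i.e. only at securelevel 3).
 */
#define PF_THRESHOLD_OPENBSD	1
#define PF_THRESHOLD_IPFW	2

/*
 * Stand-in for FreeBSD's securelevel_gt(): 0 when the effective
 * securelevel is not above `level', EPERM otherwise.  The real
 * function takes a struct ucred so that a jail's own securelevel is
 * consulted; here the effective level is passed in directly.
 */
static int
securelevel_gt_model(int effective_securelevel, int level)
{
	return (effective_securelevel > level) ? EPERM : 0;
}

/* Query-only ioctls that remain usable at a raised securelevel (assumption). */
static int
pf_cmd_is_readonly(unsigned long cmd)
{
	switch (cmd) {
	case DIOCGETRULES:
	case DIOCGETRULE:
	case DIOCGETSTATES:
	case DIOCGETSTATUS:
		return 1;
	default:
		return 0;
	}
}

/*
 * The gate itself: 0 lets the ioctl proceed, EPERM refuses it.
 * `threshold' selects which securelevel policy is in force.
 */
int
pf_ioctl_allowed(unsigned long cmd, int securelevel, int threshold)
{
	if (securelevel_gt_model(securelevel, threshold) == 0)
		return 0;	/* securelevel low enough: everything allowed */
	if (pf_cmd_is_readonly(cmd))
		return 0;	/* queries keep working at high securelevel */
	return EPERM;		/* anything that changes ruleset or state */
}

int
main(void)
{
	/* Constructed scenarios: same command, different securelevel/policy. */
	printf("OpenBSD policy, securelevel 2, DIOCADDRULE: %s\n",
	    pf_ioctl_allowed(DIOCADDRULE, 2, PF_THRESHOLD_OPENBSD) ? "EPERM" : "ok");
	printf("ipfw-style policy, securelevel 2, DIOCADDRULE: %s\n",
	    pf_ioctl_allowed(DIOCADDRULE, 2, PF_THRESHOLD_IPFW) ? "EPERM" : "ok");
	printf("ipfw-style policy, securelevel 3, DIOCADDRULE: %s\n",
	    pf_ioctl_allowed(DIOCADDRULE, 3, PF_THRESHOLD_IPFW) ? "EPERM" : "ok");
	printf("ipfw-style policy, securelevel 3, DIOCGETRULES: %s\n",
	    pf_ioctl_allowed(DIOCGETRULES, 3, PF_THRESHOLD_IPFW) ? "EPERM" : "ok");
	return 0;
}
```

The point of the model is the threshold constant: with PF_THRESHOLD_OPENBSD a FreeBSD box at securelevel 2 already loses the ability to load rules, while with PF_THRESHOLD_IPFW that only happens at securelevel 3, matching ipfw(8). Which effective securelevel to feed the check for a jailed process is exactly the open question in the reply above.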
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040608041725.GA3640>