From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and securelevel
Date: Tue, 8 Jun 2004 13:17:25 +0900
Message-ID: <20040608041725.GA3640@kt-is.co.kr>
In-Reply-To: <20040607154341.9A9CAB870@relay.md-moldes.com>
(archived on freebsd-pf@freebsd.org, Thu, 16 Sep 2004 04:04:59 -0000)

On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
> Hi all,
>
> Is it disallowed to change pf rules when FreeBSD is running at securelevel 3
> as it is with ipfw and ipfilter?
>

OpenBSD defines 4 securelevels (-1, 0, 1 and 2) whereas FreeBSD supports 5
securelevels (-1, 0, 1, 2 and 3). So the highest securelevel on OpenBSD is 2.
At present, pf on OpenBSD rejects some ioctls(2) when the system's securelevel
is higher than 1. Because FreeBSD's highest securelevel is 3, pf on FreeBSD
can check process credentials against securelevel 3. But at the time of my
first porting, that was ignored. So if you have a securelevel higher than 1,
you can't manipulate the pf ruleset.

If you want the same behavior as ipfw(8), change the check statement at the
beginning of pfioctl() in pf_ioctl.c. Also, you can use the jail-friendly
wrapper function securelevel_gt(). But it's not clear to me how pf should act
in a jailed process. Maybe Max and Daniel have more ideas.

> Thanks,
> Nuno
>

Regards,
Pyun YongHyeon
--
Pyun YongHyeon
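The securelevel gate discussed in the reply above, as an added user-space model (not code from pf, ipfw(8) or the FreeBSD kernel). It contrasts the check as ported from OpenBSD (non-read-only ioctls refused once securelevel is above 1) with an ipfw(8)-like variant that only refuses ruleset changes at FreeBSD's top level 3, and routes both through a stand-in `securelevel_gt()` that also honours a jail's own securelevel. Everything here is an assumption made for illustration: the `pf_cmd` codes and the short read-only list are stand-ins for the real `DIOC*` ioctls in `<net/pfvar.h>`, the `ucred`/`prison` structs are minimal fakes, the "higher of host and jail securelevel" semantics of the wrapper is assumed from its being described as jail-friendly, and `gate_result()` is a hypothetical driver added so the policy can be exercised.

```c
/*
 * User-space model of the securelevel gate at the top of pfioctl().
 * Added illustration only: not code from pf, ipfw(8) or the FreeBSD kernel.
 * The ioctl codes, the read-only list and the ucred/prison structs are
 * stand-ins (assumptions) so the policy can be exercised without a kernel.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in command codes; the real ones are defined in <net/pfvar.h>. */
enum pf_cmd {
    DIOCGETRULES,    /* read-only: enumerate the ruleset */
    DIOCGETRULE,
    DIOCGETSTATES,
    DIOCGETSTATUS,
    DIOCBEGINRULES,  /* the rest modify rules or state */
    DIOCADDRULE,
    DIOCCOMMITRULES,
    DIOCCLRSTATES
};

/* Minimal stand-ins for the kernel's struct prison and struct ucred. */
struct prison { int pr_securelevel; };
struct ucred  { struct prison *cr_prison; };

static int securelevel = 0;  /* models the global kern.securelevel sysctl */

/*
 * Model of the jail-friendly wrapper securelevel_gt(): a jailed process is
 * judged by the higher of the host's and the jail's securelevel (assumption
 * about the wrapper's semantics); EPERM if that level is greater than
 * `level`, 0 otherwise.
 */
static int securelevel_gt(struct ucred *cr, int level)
{
    int active = securelevel;

    if (cr->cr_prison != NULL && cr->cr_prison->pr_securelevel > active)
        active = cr->cr_prison->pr_securelevel;
    return active > level ? EPERM : 0;
}

/* Reduced stand-in for the read-only ioctls that stay allowed at high securelevel. */
static int pf_cmd_is_readonly(enum pf_cmd cmd)
{
    switch (cmd) {
    case DIOCGETRULES:
    case DIOCGETRULE:
    case DIOCGETSTATES:
    case DIOCGETSTATUS:
        return 1;
    default:
        return 0;
    }
}

/* The check as ported from OpenBSD: non-read-only ioctls refused once securelevel > 1. */
static int pfioctl_check_ported(struct ucred *cr, enum pf_cmd cmd)
{
    if (securelevel_gt(cr, 1) != 0 && !pf_cmd_is_readonly(cmd))
        return EPERM;
    return 0;
}

/* The ipfw(8)-like variant: ruleset changes refused only at FreeBSD's level 3. */
static int pfioctl_check_ipfw_style(struct ucred *cr, enum pf_cmd cmd)
{
    if (securelevel_gt(cr, 2) != 0 && !pf_cmd_is_readonly(cmd))
        return EPERM;
    return 0;
}

/*
 * Hypothetical driver: evaluate one ioctl under a given host securelevel,
 * optionally from inside a jail with its own securelevel. Returns 0 or EPERM.
 */
static int gate_result(int host_level, int jailed, int jail_level,
                       enum pf_cmd cmd, int ipfw_style)
{
    struct prison pr = { jail_level };
    struct ucred cr = { jailed ? &pr : NULL };

    securelevel = host_level;
    return ipfw_style ? pfioctl_check_ipfw_style(&cr, cmd)
                      : pfioctl_check_ported(&cr, cmd);
}

int main(void)
{
    int lvl;

    printf("securelevel  DIOCADDRULE(ported)  DIOCADDRULE(ipfw-style)  DIOCGETRULES\n");
    for (lvl = -1; lvl <= 3; lvl++)
        printf("%11d  %19s  %23s  %12s\n", lvl,
               gate_result(lvl, 0, 0, DIOCADDRULE, 0) ? "EPERM" : "ok",
               gate_result(lvl, 0, 0, DIOCADDRULE, 1) ? "EPERM" : "ok",
               gate_result(lvl, 0, 0, DIOCGETRULES, 0) ? "EPERM" : "ok");
    /* A jail at securelevel 3 on a host at 0 is still locked down. */
    printf("jailed (host 0, jail 3) DIOCADDRULE: %s\n",
           gate_result(0, 1, 3, DIOCADDRULE, 1) ? "EPERM" : "ok");
    return 0;
}
```

The table the program prints is the practical difference Nuno asked about: with the ported check a host at securelevel 2 can no longer load rules, while the ipfw-style check keeps the ruleset writable until securelevel 3. In either variant the read-only ioctls pass at every level, and a jailed process is bound by whichever of the host or jail securelevel is higher, which is the part the reply leaves open for jails.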