Date:      Thu, 16 Sep 2004 04:05:04 -0000
From:      Max Laier <max@love2party.net>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Re: pf and securelevel
Message-ID:  <200406081656.07353.max@love2party.net>
In-Reply-To: <20040608041725.GA3640@kt-is.co.kr>
References:  <20040607154341.9A9CAB870@relay.md-moldes.com> <20040608041725.GA3640@kt-is.co.kr>

On Tuesday 08 June 2004 06:17, Pyun YongHyeon wrote:
> On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
>  > Hi all,
>  >
>  > Is it disallowed to change pf rules when FreeBSD is running at
>  > securelevel 3 as it is with ipfw and ipfilter?
>
> OpenBSD defines 4 securelevels (-1, 0, 1 and 2) whereas FreeBSD
> supports 5 securelevels (-1, 0, 1, 2 and 3).
> So the highest securelevel on OpenBSD is 2. At present, pf
> on OpenBSD rejects some ioctls(2) when the system's securelevel is
> higher than 1.
>
> Because FreeBSD's highest securelevel is 3, pf on FreeBSD can
> check process credentials with securelevel 3. But at the
> time of my first porting, that was ignored. So if you have a
> securelevel higher than 1 you can't manipulate the pf ruleset.
>
> If you want the same behavior as ipfw(8), change the check
> statement at the beginning of pfioctl() in pf_ioctl.c.
> Also, you can use the jail-friendly wrapper function securelevel_gt().
> But it's not clear to me how pf should act in a jailed process.
> Maybe Max and Daniel have more ideas.

I have been thinking about this recently in connection with:
http://people.freebsd.org/~mlaier/jailed.patch which allows filtering tcp/udp
connections based inside jails (e.g. you could allow only connections to a
successfully jailed httpd: "pass in on $ext_if proto tcp from any to $jail_ip
port 22 user www jailed keep state" or other things of that kind).

The conclusion for the above problem is:
1) Jailed root should normally not be able to modify the filter rules.
2) Real root might want to allow jailed root to configure certain things 
inside its own jail.

The implementation I am looking for at the moment would work like this:
1) Real root places anchors with a special name inside the ruleset.
2) Jailed root can place its rules inside these anchors.

This will give real root the full control over what jailed root can and can 
not manipulate without changing much code. It will boil down to a few extra 
checks in pf_ioctl.c ...

At the moment I am busy with ALTQ and maybe CARP in a bit so the FreeBSD 
specific stuff will rest for the moment. I will, however, try to commit the 
jailed patch once the 3.5 import is done.

-- 
Best regards,				| mlaier@freebsd.org
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier@EFnet
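
Added example (not part of the original message and not code from pf_ioctl.c): a userland C model of the permission check discussed in this thread, combining a securelevel_gt()-style threshold with the proposed rule that jailed root may only change anchors set aside by real root. The struct, the function names and the "jail<id>/" anchor naming convention are assumptions made for this sketch.

```c
/* Added example: userland model of the permission check discussed above.
 * Not code from pf_ioctl.c; every name here is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct caller {        /* stand-in for the process credentials */
    int jailed;        /* 1 if the process runs inside a jail */
    int jail_id;       /* jail number, unused when jailed == 0 */
};

/* Assumed convention: real root names a jail's anchor "jail<id>/...". */
#define JAIL_ANCHOR_FMT "jail%d/"

/* Modelled on a securelevel_gt()-style test: EPERM if active > limit. */
static int level_gt(int active, int limit)
{
    return active > limit ? EPERM : 0;
}

/* May this caller change rules in `anchor` ("" or NULL = main ruleset)?
 * limit 1 models the OpenBSD-derived check, limit 2 the ipfw-like one. */
int pf_change_allowed(const struct caller *c, int securelevel, int limit,
                      const char *anchor)
{
    char prefix[32];
    int error = level_gt(securelevel, limit);

    if (error != 0)
        return error;      /* in this sketch the level binds every caller */
    if (!c->jailed)
        return 0;          /* real root keeps full control */
    if (anchor == NULL)
        return EPERM;      /* jailed root never touches the main ruleset */
    /* The trailing '/' keeps jail 3 out of jail 30's anchors. */
    snprintf(prefix, sizeof(prefix), JAIL_ANCHOR_FMT, c->jail_id);
    return strncmp(anchor, prefix, strlen(prefix)) == 0 ? 0 : EPERM;
}

int main(void)
{
    struct caller jail3 = { 1, 3 };

    printf("jail3/web: %d\n", pf_change_allowed(&jail3, 0, 1, "jail3/web"));
    printf("main ruleset: %d\n", pf_change_allowed(&jail3, 0, 1, ""));
    return 0;
}
```
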
