From: Max Laier <max@love2party.net>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and securelevel
Date: Tue, 8 Jun 2004 16:56:00 +0200
Message-Id: <200406081656.07353.max@love2party.net>
In-Reply-To: <20040608041725.GA3640@kt-is.co.kr>

On Tuesday 08 June 2004 06:17, Pyun YongHyeon wrote:
> On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
> > Hi all,
> >
> > Is it disallowed to change pf rules when FreeBSD is running at
> > securelevel 3 as it is with ipfw and ipfilter?
>
> OpenBSD defines 4 securelevels (-1, 0, 1 and 2) whereas FreeBSD
> supports 5 securelevels (-1, 0, 1, 2 and 3).
> So the highest securelevel on OpenBSD is 2. At present, pf
> on OpenBSD rejects some ioctls(2) when the system's securelevel is
> higher than 1.
>
> Because FreeBSD's highest securelevel is 3, pf on FreeBSD can
> check process credentials with securelevel 3. But at the
> time of my first porting, that was ignored. So if you have
> securelevel higher than 1 you can't manipulate the pf ruleset.
>
> If you want the same behavior as ipfw(8), change the check
> statement at the beginning of pfioctl() in pf_ioctl.c.
> Also, you can use the jail-friendly wrapper function securelevel_gt().
> But it's not clear to me how pf should act for a jailed process.
> Maybe Max and Daniel have more ideas.

I have been thinking about this recently in connection with:

http://people.freebsd.org/~mlaier/jailed.patch

which allows filtering tcp/udp connections based inside jails (e.g. you could allow only connections to a successfully jailed httpd: "pass in on $ext_if proto tcp from any to $jail_ip port 22 user www jailed keep state", or other things of that kind).

The conclusion for the above problem is:

1) Jailed root should normally not be able to modify the filter rules.
2) Real root might want to allow jailed root to configure certain things inside its own jail.

The implementation I am looking for at the moment would work like this:

1) Real root places anchors with a special name inside the ruleset.
2) Jailed root can place its rules inside these anchors.

This will give real root full control over what jailed root can and cannot manipulate without changing much code. It will boil down to a few extra checks in pf_ioctl.c ...
At the moment I am busy with ALTQ and maybe CARP in a bit, so the FreeBSD specific stuff will rest for the moment. I will, however, try to commit the jailed patch once the 3.5 import is done.

-- 
Best regards,                                  | mlaier@freebsd.org
Max Laier                                      | ICQ #67774661
http://pf4freebsd.love2party.net/              | mlaier@EFnet
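The two gates discussed in this thread, the securelevel check at the top of pfioctl() and the proposed "jailed root may only touch designated anchors" rule, can be sketched as one decision function. The following is an added userland model written for this page; it is not the code in pf_ioctl.c, and `struct cred_model`, `securelevel_gt_model()`, `pf_ioctl_permitted()`, the `pf_op` enum and the `jail/` anchor prefix are all assumptions chosen for the example. It goes slightly beyond the mail by making the securelevel cutoff a single constant, so the OpenBSD-derived check (reject above securelevel 1) and the ipfw(8)-like variant (reject only at securelevel 3) differ by one number.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Userland model of the access checks discussed on the list. This is
 * example code written for this page, NOT the kernel's pf_ioctl.c.
 */

/* Highest securelevel at which the ruleset may still be changed.
 * 1 reproduces the OpenBSD-derived check (reject when securelevel > 1);
 * 2 gives the ipfw(8)-like behaviour, where only securelevel 3 locks the rules. */
#define PF_RULESET_SECURELEVEL_MAX 1

/* Anchors below this prefix are the ones real root hands to jailed root.
 * The prefix itself is an assumption for this example. */
#define JAIL_ANCHOR_PREFIX "jail/"

/* Constructed stand-in for a kernel credential. */
struct cred_model {
    int  securelevel;   /* FreeBSD: -1, 0, 1, 2 or 3 */
    bool jailed;        /* process runs inside a jail */
};

/* The subset of pf ioctl operations the model distinguishes. */
enum pf_op {
    PF_OP_GET_RULES,    /* read-only queries, e.g. DIOCGETRULES */
    PF_OP_SET_RULES,    /* load rules into an anchor (DIOCADDRULE and commit) */
    PF_OP_START,        /* DIOCSTART */
    PF_OP_STOP          /* DIOCSTOP */
};

/* Same semantics as the securelevel_gt() wrapper named in the thread:
 * nonzero when the credential's effective securelevel exceeds 'level'. */
static int securelevel_gt_model(const struct cred_model *cr, int level)
{
    return cr->securelevel > level;
}

/* True when 'anchor' is a non-empty name below the jail prefix. */
static bool jail_anchor(const char *anchor)
{
    size_t n = strlen(JAIL_ANCHOR_PREFIX);
    return anchor != NULL
        && strncmp(anchor, JAIL_ANCHOR_PREFIX, n) == 0
        && anchor[n] != '\0';
}

/* Decide whether 'cr' may perform 'op' against 'anchor' ("" = main ruleset).
 * Returns 0 when permitted, EPERM otherwise. */
int pf_ioctl_permitted(const struct cred_model *cr, enum pf_op op, const char *anchor)
{
    if (op == PF_OP_GET_RULES)
        return 0;                       /* reads are never gated */

    /* Gate 1: securelevel, applied to everyone, jailed or not. */
    if (securelevel_gt_model(cr, PF_RULESET_SECURELEVEL_MAX))
        return EPERM;

    /* Gate 2: jailed root may only load rules, and only into its own anchors. */
    if (cr->jailed) {
        if (op != PF_OP_SET_RULES)
            return EPERM;               /* no start/stop from inside a jail */
        if (!jail_anchor(anchor))
            return EPERM;               /* main ruleset and foreign anchors are off limits */
    }
    return 0;
}

int main(void)
{
    struct cred_model host = { 0, false }, jail = { 0, true }, locked = { 2, false };

    printf("host, main ruleset:     %s\n", pf_ioctl_permitted(&host,   PF_OP_SET_RULES, "")         ? "EPERM" : "ok");
    printf("host at securelevel 2:  %s\n", pf_ioctl_permitted(&locked, PF_OP_SET_RULES, "")         ? "EPERM" : "ok");
    printf("jail, anchor jail/www:  %s\n", pf_ioctl_permitted(&jail,   PF_OP_SET_RULES, "jail/www") ? "EPERM" : "ok");
    printf("jail, main ruleset:     %s\n", pf_ioctl_permitted(&jail,   PF_OP_SET_RULES, "")         ? "EPERM" : "ok");
    printf("jail, DIOCSTOP:         %s\n", pf_ioctl_permitted(&jail,   PF_OP_STOP,      "")         ? "EPERM" : "ok");
    return 0;
}
```

The point of keeping the two gates separate is that they answer different questions: securelevel is a global "is the ruleset frozen" switch that real root cannot bypass either, while the anchor-prefix test is the per-jail delegation real root opts into by creating `jail/<name>` anchors; a jailed process therefore never gains more than the host policy already allows.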