From owner-freebsd-security Fri Sep 1 8:37:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
    by hub.freebsd.org (Postfix) with ESMTP
    id 8508F37B42C; Fri, 1 Sep 2000 08:37:08 -0700 (PDT)
Received: (from freebsd@localhost)
    by gndrsh.dnsmgr.net (8.9.3/8.9.3) id IAA61934;
    Fri, 1 Sep 2000 08:36:58 -0700 (PDT)
    (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200009011536.IAA61934@gndrsh.dnsmgr.net>
Subject: Re: How to clear IPFW counters
In-Reply-To: <20000901010621.A33771@jade.chc-chimes.com> from Bill Fumerola at "Sep 1, 2000 01:06:21 am"
To: billf@chimesnet.com (Bill Fumerola)
Date: Fri, 1 Sep 2000 08:36:57 -0700 (PDT)
Cc: green@FreeBSD.ORG (Brian Fundakowski Feldman),
    will@physics.purdue.edu (Will Andrews),
    rsharma@apsara.barc.ernet.in (R.Sharma),
    freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

IMHO, it is time to rethink securelevel and change it from a very
coarse grain add more restrictions as levels rise to a set of flags
that control security features, flags that can be written 0 -> 1,
but not 1 -> 0 if flag bit securelevel_enabled is set, or some such.

> > > From init(8) manpage:
> > >
> > > 3     Network secure mode - same as highly secure mode, plus IP packet
> > >       filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> > >       dummynet(4) configuration cannot be adjusted.
> > >
> > > You are SOL.
> >
> > Unless what you want to do is reset the logging counters. That's a
> > nice thing to be able to do :)
>
> Right, you actually can do that, which is what the original poster was asking.
>
> /*
>  * Disallow sets in really-really secure mode, but still allow
>  * the logging counters to be reset.
>  */
> if (sopt->sopt_dir == SOPT_SET && securelevel >= 3 &&
>     sopt->sopt_name != IP_FW_RESETLOG)
>         return (EPERM);

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)    rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
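
An added sketch, not code from this message or from FreeBSD, of the one-way flag word proposed at the top of the message, with the quoted securelevel >= 3 check re-expressed as per-feature flags. The flag names, the fw_opt enum and both functions are hypothetical; only the 0 -> 1 rule and the "enabled" bit come from the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag bits; each one freezes a single feature. */
#define SECF_ENABLED        (1u << 0)  /* once set, no bit may go 1 -> 0 */
#define SECF_FW_RULES_RO    (1u << 1)  /* packet filter rules are frozen */
#define SECF_FW_LOGRESET_RO (1u << 2)  /* log counter resets are refused too */

/* Constructed stand-ins for the socket option names in the quoted check. */
enum fw_opt { FW_OPT_ADD, FW_OPT_DEL, FW_OPT_FLUSH, FW_OPT_RESETLOG };

static uint32_t secflags;	/* models the kernel's flag word */

/*
 * Replace the flag word.  Raising bits is always allowed; clearing any
 * bit (SECF_ENABLED included) is refused once SECF_ENABLED is set.
 */
int
secflags_write(uint32_t newval)
{
	uint32_t cleared = secflags & ~newval;	/* bits going 1 -> 0 */

	if ((secflags & SECF_ENABLED) != 0 && cleared != 0)
		return (EPERM);
	secflags = newval;
	return (0);
}

/* Per-feature form of the quoted test: 0 if the set is allowed, else EPERM. */
int
fw_set_allowed(enum fw_opt opt)
{
	if (opt == FW_OPT_RESETLOG)
		return ((secflags & SECF_FW_LOGRESET_RO) ? EPERM : 0);
	return ((secflags & SECF_FW_RULES_RO) ? EPERM : 0);
}

int
main(void)
{
	secflags_write(SECF_ENABLED | SECF_FW_RULES_RO);
	printf("add rule: %d, reset log: %d, clear a bit: %d\n",
	    fw_set_allowed(FW_OPT_ADD), fw_set_allowed(FW_OPT_RESETLOG),
	    secflags_write(SECF_ENABLED));
	return (0);
}
```

With only the rules bit raised, this reproduces the behaviour of the quoted check: rule changes fail with EPERM while a log counter reset still succeeds.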