Date:      Fri, 1 Sep 2000 08:36:57 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        billf@chimesnet.com (Bill Fumerola)
Cc:        green@FreeBSD.ORG (Brian Fundakowski Feldman), will@physics.purdue.edu (Will Andrews), rsharma@apsara.barc.ernet.in (R.Sharma), freebsd-security@FreeBSD.ORG
Subject:   Re: How to clear IPFW counters
Message-ID:  <200009011536.IAA61934@gndrsh.dnsmgr.net>
In-Reply-To: <20000901010621.A33771@jade.chc-chimes.com> from Bill Fumerola at "Sep 1, 2000 01:06:21 am"

IMHO, it is time to rethink securelevel and change it from a very coarse
grain add more restrictions as levels rise to a set of flags that
control security features, flags that can be written 0 -> 1, but not
1 -> 0 if flag bit securelevel_enabled is set, or some such.


> > > From init(8) manpage:
> > > 
> > >      3     Network secure mode - same as highly secure mode, plus IP packet
> > >            filter rules (see ipfw(8) and ipfirewall(4))  cannot be changed and
> > >            dummynet(4) configuration cannot be adjusted.
> > > 
> > > You are SOL.
> > 
> > Unless what you want to do is reset the logging counters.  That's a
> > nice thing to be able to do :)
> 
> Right, you actually can do that, which is what the original poster was asking.
> 
>         /*
>          * Disallow sets in really-really secure mode, but still allow
>          * the logging counters to be reset.
>          */
>         if (sopt->sopt_dir == SOPT_SET && securelevel >= 3 &&
>             sopt->sopt_name != IP_FW_RESETLOG)
>                 return (EPERM);

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
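The two designs discussed in this thread side by side, as an added example that is not FreeBSD kernel code and not part of the original message: a model of the coarse securelevel check quoted from ip_fw.c (every ipfw "set" option refused at level 3 except IP_FW_RESETLOG), and a model of the flag-based alternative proposed above, where individual feature bits can be raised but not cleared once a lock bit is set. The socket option names other than IP_FW_RESETLOG, the SEC_* flag names and SEC_LOCKED (standing in for the "securelevel_enabled" bit) are assumed names chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical option names standing in for the kernel's IP_FW_* values. */
enum ipfw_sockopt { IP_FW_ADD, IP_FW_DEL, IP_FW_FLUSH, IP_FW_ZERO, IP_FW_RESETLOG };
enum sopt_dir { SOPT_GET, SOPT_SET };

/*
 * Model 1: the coarse check from the quoted snippet. At securelevel >= 3
 * every set is refused with EPERM except the log-counter reset.
 */
int ipfw_ctl_gate(enum sopt_dir dir, int securelevel, enum ipfw_sockopt name)
{
    if (dir == SOPT_SET && securelevel >= 3 && name != IP_FW_RESETLOG)
        return EPERM;
    return 0;
}

/* Model 2: one-way feature flags (assumed names, not a FreeBSD interface). */
#define SEC_IPFW_RULES_IMMUTABLE   (1u << 0)  /* firewall rules cannot be changed */
#define SEC_IPFW_COUNTERS_FROZEN   (1u << 1)  /* even log/counter resets are refused */
#define SEC_DUMMYNET_IMMUTABLE     (1u << 2)  /* dummynet config cannot be adjusted */
#define SEC_LOCKED                 (1u << 31) /* once set, no flag may be cleared */

struct secflags { uint32_t bits; };

/*
 * Replace the flag word with 'newbits'. Raising bits (0 -> 1) is always
 * permitted; clearing any bit (1 -> 0) is refused with EPERM while
 * SEC_LOCKED is set. Because SEC_LOCKED is itself a bit, it cannot be
 * cleared either, so the lock is monotonic until reboot.
 */
int secflags_set(struct secflags *s, uint32_t newbits)
{
    uint32_t cleared = s->bits & ~newbits;   /* bits that would go 1 -> 0 */
    if ((s->bits & SEC_LOCKED) && cleared != 0)
        return EPERM;
    s->bits = newbits;
    return 0;
}

/* The same ipfw set-option question under the flag model, answered per feature. */
int ipfw_ctl_gate_flags(enum sopt_dir dir, const struct secflags *s, enum ipfw_sockopt name)
{
    if (dir != SOPT_SET)
        return 0;
    if (name == IP_FW_RESETLOG)
        return (s->bits & SEC_IPFW_COUNTERS_FROZEN) ? EPERM : 0;
    return (s->bits & SEC_IPFW_RULES_IMMUTABLE) ? EPERM : 0;
}

int main(void)
{
    struct secflags s = { 0 };

    printf("coarse: reset log at level 3 -> %d\n", ipfw_ctl_gate(SOPT_SET, 3, IP_FW_RESETLOG));
    printf("coarse: add rule at level 3 -> %d (EPERM=%d)\n",
           ipfw_ctl_gate(SOPT_SET, 3, IP_FW_ADD), EPERM);

    /* Lock the rules but leave counter resets open, then lock the word. */
    secflags_set(&s, SEC_IPFW_RULES_IMMUTABLE | SEC_LOCKED);
    printf("flags: add rule -> %d, reset log -> %d\n",
           ipfw_ctl_gate_flags(SOPT_SET, &s, IP_FW_ADD),
           ipfw_ctl_gate_flags(SOPT_SET, &s, IP_FW_RESETLOG));
    /* Raising another flag is fine; lowering one is refused. */
    printf("raise counters-frozen -> %d\n", secflags_set(&s, s.bits | SEC_IPFW_COUNTERS_FROZEN));
    printf("lower rules-immutable -> %d\n", secflags_set(&s, s.bits & ~SEC_IPFW_RULES_IMMUTABLE));
    return 0;
}
```

The flag model answers the original question directly: an administrator who wants rules frozen but counters resettable sets SEC_IPFW_RULES_IMMUTABLE without SEC_IPFW_COUNTERS_FROZEN, instead of relying on a single hard-coded exception inside the level-3 check.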


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200009011536.IAA61934>