Date: Mon, 14 May 2001 22:21:18 +0700
From: Igor Podlesny <poige@morning.ru>
To: Peter Pentchev <roam@orbitel.bg>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: ipfw rules and securelevel
Message-ID: <5523460344.20010514222118@morning.ru>
In-Reply-To: <20010514170927.A849@ringworld.oblivion.bg>
References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg>
> On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
>>
>> >> Dear friends,
>> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
>> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
>> >> I run a command
>>
>> >> sysctl -w net.inet.ip.fw.enable=0
>>
>> >> It disables the ipfw rules.
>>
>> >> Is it a feature or hole in freebsd.
>>
>> > doesn't matter how it is called, only matters how it hurts... (it does)
>>
>> >> please help
>>
>> the "patch" (hard to call it a patch, but nevertheless) is adding
>> CTLFLAG_SECURE to the relevant definition of the node:
>>
>> this diff out is for 3.5 stable:
>>
>> 92c92
>> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>> ---
>> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>
> Patches/diffs are usually much easier to review and apply if they are
> in context or unified diff format - this helps when the patch is made
> against a possibly changed file :) And.. well.. it might be obvious
> to you (in this case it's pretty obvious to figure out ;), but still
> it helps a lot to mention which file(s) the patch is against :)

oh, you're right :) it was /usr/src/sys/netinet/ip_fw.c

unified diff:

--- /usr/src/sys/netinet/ip_fw.c.orig	Fri Mar 23 19:44:27 2001
+++ /usr/src/sys/netinet/ip_fw.c	Mon May 14 22:15:55 2001
@@ -89,7 +89,7 @@
 
 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
 	&fw_enable, 0, "Enable ipfw");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
 	&fw_one_pass, 0,

> G'luck,
> Peter

--
Igor
mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
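Review bot: the hunk guards only the `enable` OID, while its own trailing context shows the sibling `one_pass` still declared with an unguarded `CTLFLAG_RW` (and the parent `fw` node is `CTLFLAG_RW` as well); the same reasoning that justifies `CTLFLAG_RW|CTLFLAG_SECURE` on `enable` should be applied consistently, so either add the flag to the other writable knobs under `net.inet.ip.fw` in this change or state in the submission why `enable` alone needs it. Two documentation points as well: the diff carries no description of the problem it fixes (root clearing `net.inet.ip.fw.enable` with `sysctl -w` at a raised securelevel, per the quoted report), which the context lines do not convey on their own, and it should note that `CTLFLAG_SECURE` rejects writes at any securelevel above 0, so the fix takes effect well below the securelevel 3 the original report describes.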