From owner-freebsd-security  Mon May 14  8: 2:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 9A9F737B423
	for ; Mon, 14 May 2001 08:02:40 -0700 (PDT)
	(envelope-from roam@orbitel.bg)
Received: (qmail 565 invoked by uid 1000); 14 May 2001 15:02:02 -0000
Date: Mon, 14 May 2001 18:02:02 +0300
From: Peter Pentchev
To: Igor Podlesny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules and securelevel
Message-ID: <20010514180201.C453@ringworld.oblivion.bg>
Mail-Followup-To: Igor Podlesny, freebsd-security@FreeBSD.ORG
References: <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <5523460344.20010514222118@morning.ru>; from poige@morning.ru on Mon, May 14, 2001 at 10:21:18PM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 14, 2001 at 10:21:18PM +0700, Igor Podlesny wrote:
> 
> 
> > On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
> >> 
> >> >> Dear friends,
> >> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
> >> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
> >> >> I run a command
> >> 
> >> >> sysctl -w net.inet.ip.fw.enable=0
> >> 
> >> >> It disables the ipfw rules.
> >> 
> >> >> Is it a feature or hole in freebsd.
> >> 
> >> > doesn't matter how it is called, only matters how it hurts... (it does)
> >> 
> >> >> please help
> >> 
> >> the "patch" (hard to call it a patch, but nevertheless) is adding
> >> CTLFLAG_SECURE to the relevant definition of the node:
> >> 
> >> this diff out is for 3.5 stable:
> >> 
> >> 92c92
> >> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> >> ---
> >> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
> 
> > Patches/diffs are usually much easier to review and apply if they are
> > in context or unified diff format - this helps when the patch is made
> > against a possibly changed file :) And.. well.. it might be obvious
> > to you (in this case it's pretty obvious to figure out ;), but still
> > it helps a lot to mention which file(s) the patch is against :)
> 
> oh, you're right :)
> 
> it was
> /usr/src/sys/netinet/ip_fw.c
> 
> unified diff:
> 
> --- /usr/src/sys/netinet/ip_fw.c.orig	Fri Mar 23 19:44:27 2001
> +++ /usr/src/sys/netinet/ip_fw.c	Mon May 14 22:15:55 2001
> @@ -89,7 +89,7 @@
> 
> #ifdef SYSCTL_NODE
> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
> &fw_enable, 0, "Enable ipfw");
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
> &fw_one_pass, 0,

Yup, this patch is much clearer, and I see no real reason against
committing it.

Actually, I think that even more of those sysctls should be flagged as
'secure' - e.g. the ones related to logging.

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
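Review bot: the hunk protects only `enable`; the `one_pass` node on the following context line keeps plain `CTLFLAG_RW`, and the logging sysctls Peter mentions are not touched, so root at securelevel > 0 can still change those ipfw settings. Consider giving those nodes `CTLFLAG_RW|CTLFLAG_SECURE` in the same change, and document the new restriction alongside the `"Enable ipfw"` description, since `sysctl -w net.inet.ip.fw.enable=0` will now be refused once securelevel is raised.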
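The mechanism the patch relies on, as an added userland model rather than FreeBSD kernel code: a writable sysctl node that carries CTLFLAG_SECURE refuses writes once securelevel is above 0, which is why the unpatched net.inet.ip.fw.enable could be flipped at securelevel 3 and the patched one cannot. The flag bit values and the shape of the permission check are assumptions modelled on sys/sysctl.h and the kernel's sysctl dispatcher, not taken from the thread.

```c
#include <errno.h>
#include <stdio.h>

/* sysctl(9) flag bits; the numeric values are assumed for this model. */
#define CTLFLAG_RD      0x80000000u
#define CTLFLAG_WR      0x40000000u
#define CTLFLAG_RW      (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE  0x08000000u

/* Minimal stand-in for the kernel's sysctl_oid: name, flags, backing int. */
struct oid {
    const char *name;
    unsigned    kind;   /* the flags argument of SYSCTL_INT() */
    int        *var;
};

static int fw_enable_before = 1;   /* declared CTLFLAG_RW only, as in 3.5-stable */
static int fw_enable_after  = 1;   /* declared CTLFLAG_RW|CTLFLAG_SECURE, as patched */

static struct oid oid_before = { "net.inet.ip.fw.enable", CTLFLAG_RW, &fw_enable_before };
static struct oid oid_after  = { "net.inet.ip.fw.enable", CTLFLAG_RW | CTLFLAG_SECURE, &fw_enable_after };

/*
 * Model of the write-permission check in the sysctl dispatcher (assumed shape):
 * the node must be writable, and a CTLFLAG_SECURE node additionally rejects
 * writes once securelevel is above 0. Returns 0 on success, otherwise an errno.
 */
static int sysctl_write(struct oid *o, int newval, int securelevel)
{
    if (!(o->kind & CTLFLAG_WR))
        return EPERM;
    if ((o->kind & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;
    *o->var = newval;
    return 0;
}

int main(void)
{
    /* root at securelevel 3 runs "sysctl -w net.inet.ip.fw.enable=0" */
    int rc_before = sysctl_write(&oid_before, 0, 3);
    int rc_after  = sysctl_write(&oid_after, 0, 3);
    printf("%s unpatched: rc=%d enable=%d\n", oid_before.name, rc_before, fw_enable_before);
    printf("%s patched:   rc=%d enable=%d\n", oid_after.name, rc_after, fw_enable_after);
    return 0;
}
```

The unpatched node accepts the write and ipfw is switched off; the patched node returns EPERM and the rule set stays in force until securelevel is lowered.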