From owner-freebsd-ipfw Tue May 15 4:10:13 2001 Delivered-To: freebsd-ipfw@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 15BBC37B424; Tue, 15 May 2001 04:09:47 -0700 (PDT) (envelope-from ru@whale.sunbay.crimea.ua) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f4FB9iK42189; Tue, 15 May 2001 14:09:44 +0300 (EEST) (envelope-from ru) Date: Tue, 15 May 2001 14:09:43 +0300 From: Ruslan Ermilov To: Bill Fumerola , Luigi Rizzo Cc: ipfw@FreeBSD.org Subject: Re: ipfw rules and securelevel Message-ID: <20010515140943.A41014@sunbay.com> Mail-Followup-To: Bill Fumerola , Luigi Rizzo , ipfw@FreeBSD.org References: <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="tThc/1wpZn/ma/RB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010514180928.A52742@sunbay.com>; from ru@FreeBSD.org on Mon, May 14, 2001 at 06:09:28PM +0300 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline [Redirected to -ipfw] On Mon, May 14, 2001 at 06:09:28PM +0300, Ruslan Ermilov wrote: > On Mon, May 14, 2001 at 06:02:02PM +0300, Peter Pentchev wrote: > > On Mon, May 14, 2001 at 10:21:18PM +0700, Igor Podlesny wrote: > > > > > > > > > > On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote: > > > >> > > > >> >> Dear friends, > > > >> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I > > > >> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When > > > >> >> I run a command > > > >> > > > >> >> sysctl -w net.inet.ip.fw.enable=0 > > > >> > > > >> >> It disables the ipfw rules. > > > >> > > > >> >> Is it a feature or hole in freebsd. > > > >> > > > >> > doesn't matter how it is called, only matters how it hurts... (it does) > > > >> > > > >> >> please help > > > >> > > > >> the "patch" (hard to call it a patch, but nevertheless) is adding > > > >> CTLFLAG_SECURE to the relevant definition of the node: > > > >> > > > >> this diff out is for 3.5 stable: > > > >> > > > >> 92c92 > > > >> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > > > >> --- > > > >> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, > > > > > > > Patches/diffs are usually much easier to review and apply if they are > > > > in context or unified diff format - this helps when the patch is made > > > > against a possibly changed file :) And.. well.. it might be obvious > > > > to you (in this case it's pretty obvious to figure out ;), but still > > > > it helps a lot to mention which file(s) the patch is against :) > > > > > > oh, you're right :) > > > > > > it was > > > /usr/src/sys/netinet/ip_fw.c > > > > > > unified diff: > > > > > > --- /usr/src/sys/netinet/ip_fw.c.orig Fri Mar 23 19:44:27 2001 > > > +++ /usr/src/sys/netinet/ip_fw.c Mon May 14 22:15:55 2001 > > > @@ -89,7 +89,7 @@ > > > > > > #ifdef SYSCTL_NODE > > > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > > > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > > > +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, > > > &fw_enable, 0, "Enable ipfw"); > > > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > > > &fw_one_pass, 0, > > > > Yup, this patch is much clearer, and I see no real reason against > > committing it. Actually, I think that even more of those sysctl's > > should be flagged as 'secure' - e.g. the ones related to logging. > > > Hmm, but I think that for (securelevel < 3) the transition should > still be allowed. The correct fix then would be: > > Index: ip_fw.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v > retrieving revision 1.164 > diff -u -p -r1.164 ip_fw.c > --- ip_fw.c 2001/04/06 06:52:25 1.164 > +++ ip_fw.c 2001/05/14 15:04:12 > @@ -96,9 +96,19 @@ LIST_HEAD (ip_fw_head, ip_fw_chain) ip_f > MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); > > #ifdef SYSCTL_NODE > + > +static int > +sysctl_fw_enable(SYSCTL_HANDLER_ARGS) > +{ > + > + if (req->newptr && securelevel >= 3) > + return (EPERM); > + return sysctl_handle_int(oidp, arg1, arg2, req); > +} > + > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > - &fw_enable, 0, "Enable ipfw"); > +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, > + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw"); > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > &fw_one_pass, 0, > "Only do a single pass through ipfw when using dummynet(4)"); > Here is a slightly reworked version of the above patch. It prohibits all MIB modifications under net.inet.ip.fw node except a few ones: debug, verbose, and verbose_limit that shouldn't affect security. Please review. Cheers, -- Ruslan Ermilov Oracle Developer/DBA, ru@sunbay.com Sunbay Software AG, ru@FreeBSD.org FreeBSD committer, +380.652.512.251 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age --tThc/1wpZn/ma/RB Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=p Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.164 diff -u -p -r1.164 ip_fw.c --- ip_fw.c 2001/04/06 06:52:25 1.164 +++ ip_fw.c 2001/05/15 10:57:41 @@ -96,11 +96,21 @@ LIST_HEAD (ip_fw_head, ip_fw_chain) ip_f MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); #ifdef SYSCTL_NODE + +static int +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS) +{ + + if (req->newptr && securelevel >= 3) + return (EPERM); + return sysctl_handle_int(oidp, arg1, arg2, req); +} + SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, - &fw_enable, 0, "Enable ipfw"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, - &fw_one_pass, 0, +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, + &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW, + &fw_one_pass, 0, sysctl_fw_securelevel_check, "I", "Only do a single pass through ipfw when using dummynet(4)"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "Enable printing of debug ip_fw statements"); @@ -108,8 +118,9 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, ve &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, - &fw_permanent_rules, 0, "Set rule number, below which rules are permanent"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLTYPE_INT|CTLFLAG_RW, + &fw_permanent_rules, 0, sysctl_fw_securelevel_check, "I", + "Set rule number, below which rules are permanent"); /* * Extension for stateful ipfw. @@ -163,24 +174,31 @@ static u_int32_t dyn_rst_lifetime = 5 ; static u_int32_t dyn_short_lifetime = 30 ; static u_int32_t dyn_count = 0 ; static u_int32_t dyn_max = 1000 ; -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW, - &dyn_buckets, 0, "Number of dyn. buckets"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD, - &curr_dyn_buckets, 0, "Current Number of dyn. buckets"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD, - &dyn_count, 0, "Number of dyn. rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW, - &dyn_max, 0, "Max number of dyn. rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW, - &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW, - &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW, - &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW, - &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW, - &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT|CTLFLAG_RW, + &dyn_buckets, 0, sysctl_fw_securelevel_check, "IU", + "Number of dyn. buckets"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD, + &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU", + "Current Number of dyn. buckets"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLTYPE_INT|CTLFLAG_RD, + &dyn_count, 0, sysctl_fw_securelevel_check, "IU", "Number of dyn. rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLTYPE_INT|CTLFLAG_RW, + &dyn_max, 0, sysctl_fw_securelevel_check, "IU", "Max number of dyn. rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_ack_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for acks"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_syn_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for syn"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_fin_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for fin"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_rst_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for rst"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, + CTLTYPE_INT|CTLFLAG_RW, &dyn_short_lifetime, 0, sysctl_fw_securelevel_check, + "IU", "Lifetime of dyn. rules for other situations"); #endif --tThc/1wpZn/ma/RB-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message