From: freebsd
To: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2001 21:20:08 -0600
Subject: securelevel AND ipfilter
Message-ID: <20010710212008.A22314@hobbydump.com>

Does anyone know why I cannot change my ipfilter rules while in
multi-user mode at kern_securelevel=2?

Here are the settings in my rc.conf.

    kern_securelevel_enable="YES"
    kern_securelevel="2"

I'm using a GENERIC kernel with these mods.

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

When reading man securelevel I understand it to be disallowed at level 3
not 2.

> 2     Highly secure mode - same as secure mode, plus disks may not be
>       opened for writing (except by mount(2)) whether mounted or not.
>       This level precludes tampering with filesystems by unmounting them,
>       but also inhibits running newfs(8) while the system is multi-user.
>
>       In addition, kernel time changes are restricted to less than or
>       equal to one second. Attempts to change the time by more than this
>       will log the message ``Time adjustment clamped to +1 second''.
>
> 3     Network secure mode - same as highly secure mode, plus IP packet
>       filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>       dummynet(4) configuration cannot be adjusted.

I'm running the command

    ipf -Fa -f /etc/ipf.rules

and I get output that looks like this.

    ioctl(SIOCIPFFL): Operation not permitted
    etc...

Thanks for the help,
Sheldon Jones