From owner-freebsd-ipfw  Wed May 16  1:46:22 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 48ECF37B422
	for <ipfw@FreeBSD.org>; Wed, 16 May 2001 01:46:19 -0700 (PDT)
	(envelope-from roam@orbitel.bg)
Received: (qmail 24051 invoked by uid 1000); 16 May 2001 08:45:38 -0000
Date: Wed, 16 May 2001 11:45:38 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Bill Fumerola <billf@mu.org>
Cc: Ruslan Ermilov <ru@FreeBSD.org>, Luigi Rizzo <luigi@FreeBSD.org>,
	ipfw@FreeBSD.org
Subject: Re: ipfw rules and securelevel
Message-ID: <20010516114538.A23970@ringworld.oblivion.bg>
References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com> <20010515140943.A41014@sunbay.com> <20010515142118.G11592@ringworld.oblivion.bg> <20010515184329.O37979@elvis.mu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010515184329.O37979@elvis.mu.org>; from billf@mu.org on Tue, May 15, 2001 at 06:43:29PM -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, May 15, 2001 at 06:43:29PM -0500, Bill Fumerola wrote:
> On Tue, May 15, 2001 at 02:21:18PM +0300, Peter Pentchev wrote:
> 
> > > Here is a slightly reworked version of the above patch.  It prohibits
> > > all MIB modifications under net.inet.ip.fw node except a few ones:
> > > debug, verbose, and verbose_limit that shouldn't affect security.
> > > Please review.
> > 
> > I wonder if verbose and verbose_limit shouldn't also be prohibited.
> > Arguably, if someone has obtained superuser privileges on your securelevel
> > 3 box, they don't need to try any more exploits or something.
> > Still, I personally would maybe feel a bit more warm and fuzzy if I knew
> > that no one could disable ipfw logging, even if the system is already
> > compromised.
> 
> When Ruslan asked me earlier regarding verbose, I told him not to prohibit it.
> 
> Why? In time of attack or crisis, kicking up the debugging on your firewall
> is important. The only local problems I could see this causing is someone
> kicking up the limit to a really high number and flooding.
> 
> We already allow people to resetlog at that securelevel so the associated
> sysctls should stick with that security model.

Ah.  All good points.  OK, I agree that the rest need not be protected.

G'luck,
Peter

-- 
I am the thought you are now thinking.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message