From owner-cvs-all  Mon Jan 13  0:17:47 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4645237B401; Mon, 13 Jan 2003 00:17:46 -0800 (PST)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 704C443FE5; Mon, 13 Jan 2003 00:17:44 -0800 (PST)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id 6149D3ABB65; Mon, 13 Jan 2003 09:17:49 +0100 (CET)
Date: Mon, 13 Jan 2003 09:17:49 +0100
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <20030113081749.GF9430@garage.freebsd.pl>
References: <200301120331.h0C3VA2H040455@repoman.freebsd.org> <20030113075934.GE9430@garage.freebsd.pl> <200301130807.h0D87urr001783@apollo.backplane.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="n/aVsWSeQ4JHkrmm"
Content-Disposition: inline
In-Reply-To: <200301130807.h0D87urr001783@apollo.backplane.com>
X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc
X-OS: FreeBSD 4.7-STABLE i386
User-Agent: Mutt/1.5.1i
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG


--n/aVsWSeQ4JHkrmm
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Jan 13, 2003 at 12:07:56AM -0800, Matthew Dillon wrote:
+>     This type of failure usually occurs during boot in /etc/rc, before t=
he
+>     secure level is set.  Another alternative is to boot single-user.  T=
he
+>     secure level won't be set.  We obviously can't support enabling and
+>     disabling the firewall once the secure level has been raised.

Exactly, but:

SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    &fw_enable, 0, "Enable ipfw");

So where are adequate checks?
I haven't check, but it looks like we can manipulate net.inet.ip.fw.enable
even if securelevel >=3D 3. Am I wrong?

--=20
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.

--n/aVsWSeQ4JHkrmm
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPiJ2LT/PhmMH/Mf1AQHD0QP+PKBh9Z4ynSc+ZEqR4yM/ju8fEd65nug+
OK0Yip/yI7BRRNuaTSEBPxHx5or4jFK4nVTsaLNqezwsBn02HO15FZAMTz2d0rEE
CDF9gSFoqSe80gwThDzEU1UH7hPm1Juay7EadfVjRljOEbqA8ALQoHHAAktWqXA0
K3sv3OF/J0g=
=BzSm
-----END PGP SIGNATURE-----

--n/aVsWSeQ4JHkrmm--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message