Date: Wed, 11 Jul 2001 20:32:29 +1000 (Australia/ACT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: freebsd@hobbydump.com (freebsd)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: securelevel AND ipfilter
Message-ID: <200107111032.UAA24904@caligula.anu.edu.au>
In-Reply-To: <20010710212008.A22314@hobbydump.com> from "freebsd" at Jul 10, 2001 09:20:08 PM
In some mail from freebsd, sie said:
>
> Does anyone know why I cannot change my ipfilter rules while in multi-user mode
> at kern_securelevel=2?
>
> Here are the settings in my rc.conf.
> kern_securelevel_enable="YES"
> kern_securelevel="2"
>
> I'm using a GENERIC kernel with these mods.
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
>
> When reading man securelevel I understand it to be disallowed at level 3, not 2.
> >  2  Highly secure mode - same as secure mode, plus disks may not be
> >     opened for writing (except by mount(2)) whether mounted or not.
> >     This level precludes tampering with filesystems by unmounting them,
> >     but also inhibits running newfs(8) while the system is multi-user.
> >
> >     In addition, kernel time changes are restricted to less than or
> >     equal to one second. Attempts to change the time by more than this
> >     will log the message ``Time adjustment clamped to +1 second''.
> >
> >  3  Network secure mode - same as highly secure mode, plus IP packet
> >     filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> >     dummynet(4) configuration cannot be adjusted.
>
> I'm running the command ipf -Fa -f /etc/ipf.rules and I get output that looks like:
> ioctl(SIOCIPFFL): Operation not permitted
> etc...

Hmmm, ipfilter applies "3" at "2".

Maybe I should change it to use 3, also.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
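The mismatch Darren points out (ipfilter refusing rule changes from securelevel 2, while securelevel(8) documents the ipfw/dummynet lock at 3) is easy to trip over on a host whose rc.conf raises the securelevel at boot. The script below is an added example, not code from this thread, from ipfilter or from FreeBSD: it reads a kern_securelevel setting from rc.conf-style text and predicts, before anyone runs `ipf -Fa -f /etc/ipf.rules`, whether the reload will fail with the `ioctl(SIOCIPFFL): Operation not permitted` error quoted above. The lock levels (2 for ipfilter, as observed in the thread; 3 for ipfw, as documented) are taken from the page; the rc.conf excerpt and the hostname are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipfilter/FreeBSD.
# Predict whether "ipf -Fa -f /etc/ipf.rules" will be refused by the
# kernel securelevel. Per the thread, ipfilter rejects rule changes from
# securelevel 2 upward; securelevel(8) documents the ipfw/dummynet lock at 3.

IPF_LOCK_LEVEL=2     # observed in the thread: ipfilter locks at 2
IPFW_LOCK_LEVEL=3    # documented in securelevel(8): ipfw locks at 3

# rc_securelevel: read rc.conf-style text on stdin and print the value of
# the last kern_securelevel= line (quoted or unquoted), or -1 if unset.
rc_securelevel() {
    level=$(sed -n 's/^[[:space:]]*kern_securelevel="\{0,1\}\(-\{0,1\}[0-9]\{1,\}\)"\{0,1\}.*/\1/p' | tail -n 1)
    if [ -z "$level" ]; then
        echo -1
    else
        echo "$level"
    fi
}

# rules_changeable LEVEL LOCK_LEVEL: print "yes" if a firewall whose rules
# lock at LOCK_LEVEL still accepts changes at securelevel LEVEL, else "no".
rules_changeable() {
    if [ "$1" -ge "$2" ]; then
        echo no
    else
        echo yes
    fi
}

# Constructed rc.conf excerpt mirroring the one posted in the question
# (hostname is a placeholder).
SAMPLE_RC='hostname="fw.example.invalid"
kern_securelevel_enable="YES"
kern_securelevel="2"
'

main() {
    # On a live FreeBSD host read the running value instead:
    #   level=$(sysctl -n kern.securelevel)
    # It may be higher than rc.conf says if raised by hand, and it cannot be
    # lowered without going back through init (a reboot).
    level=$(printf '%s' "$SAMPLE_RC" | rc_securelevel)
    echo "kern_securelevel from rc.conf: $level"
    echo "ipf rule reload permitted:     $(rules_changeable "$level" "$IPF_LOCK_LEVEL")"
    echo "ipfw rule changes permitted:   $(rules_changeable "$level" "$IPFW_LOCK_LEVEL")"
    if [ "$(rules_changeable "$level" "$IPF_LOCK_LEVEL")" = no ]; then
        echo "expect 'ioctl(SIOCIPFFL): Operation not permitted' from ipf;" \
             "load the rule set during boot before the securelevel is raised," \
             "or run the host at a securelevel below $IPF_LOCK_LEVEL"
    fi
}

main
```

Because the securelevel can only go up while the system is running, the practical consequence for an ipfilter host at level 2 is that the rule set must be loaded at boot and any later change means a reboot; the check above lets an operator see that before the reload fails mid-change.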
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107111032.UAA24904>