From: Darren Reed
Message-Id: <200107111032.UAA24904@caligula.anu.edu.au>
Subject: Re: securelevel AND ipfilter
To: freebsd@hobbydump.com (freebsd)
Date: Wed, 11 Jul 2001 20:32:29 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010710212008.A22314@hobbydump.com> from "freebsd" at Jul 10, 2001 09:20:08 PM

In some mail from freebsd, sie said:
>
> Does anyone know why I cannot change my ipfilter rules while in multi-user mode
> at kern_securelevel=2?
>
> Here are the settings in my rc.conf.
> kern_securelevel_enable="YES"
> kern_securelevel="2"
>
> I'm using a GENERIC kernel with these mods.
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
>
> When reading man securelevel I understand it to be disallowed at level 3, not 2.
> > 2 Highly secure mode - same as secure mode, plus disks may not be
> > opened for writing (except by mount(2)) whether mounted or not.
> > This level precludes tampering with filesystems by unmounting them,
> > but also inhibits running newfs(8) while the system is multi-user.
> >
> > In addition, kernel time changes are restricted to less than or
> > equal to one second. Attempts to change the time by more than this
> > will log the message ``Time adjustment clamped to +1 second''.
> >
> > 3 Network secure mode - same as highly secure mode, plus IP packet
> > filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> > dummynet(4) configuration cannot be adjusted.
>
> I'm running the command ipf -Fa -f /etc/ipf.rules and I get output that looks like:
> ioctl(SIOCIPFFL): Operation not permitted
> etc...

Hmmm, ipfilter applies "3" at "2". Maybe I should change it to use 3, also.

Darren
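A pre-flight wrapper for the reload command discussed in the thread, added here as an example and not part of the original mail. It assumes FreeBSD's sysctl(8), the /etc/rc.conf and /etc/ipf.rules paths the thread uses, and treats securelevel 2 as the cut-off Darren observed for ipfilter rather than the 3 documented for ipfw.

```shell
#!/bin/sh
# Check whether an ipfilter rule reload will be accepted before running it.
# Assumption: ipfilter refuses rule-changing ioctls (SIOCIPFFL) once
# kern.securelevel >= 2, as observed in the thread above.

# Return 0 if a reload is allowed at securelevel $1, 1 if not, 2 if $1 is not an integer.
ipf_reload_allowed() {
    level="$1"
    case "$level" in
        ''|*[!0-9-]*) return 2 ;;
    esac
    [ "$level" -lt 2 ]
}

# Print the securelevel that rc.conf ($1) will set at boot, or -1 when
# kern_securelevel_enable is not YES (the last assignment in the file wins).
rcconf_securelevel() {
    file="$1"
    [ -r "$file" ] || { echo -1; return; }
    enable=$(sed -n 's/^kern_securelevel_enable="\{0,1\}\([A-Za-z]*\)"\{0,1\}.*/\1/p' "$file" | tail -1)
    level=$(sed -n 's/^kern_securelevel="\{0,1\}\([0-9-]*\)"\{0,1\}.*/\1/p' "$file" | tail -1)
    case "$enable" in
        [Yy][Ee][Ss]) printf '%s\n' "${level:--1}" ;;
        *) echo -1 ;;
    esac
}

# Compare the running level with the boot-time one, then reload only when
# the kernel will accept the ioctl; otherwise explain why it would fail.
ipf_preflight() {
    rules="${1:-/etc/ipf.rules}"
    running=$(sysctl -n kern.securelevel 2>/dev/null || echo -1)
    boot=$(rcconf_securelevel /etc/rc.conf)
    printf 'running securelevel=%s, rc.conf securelevel=%s\n' "$running" "$boot"
    if ipf_reload_allowed "$running"; then
        ipf -Fa -f "$rules"
    else
        echo "kern.securelevel=$running: ipf rule changes are refused (EPERM on SIOCIPFFL);" \
             "edit $rules and reboot, or lower kern_securelevel in rc.conf" >&2
        return 1
    fi
}

# Run the check only when executed as a script named ipf_preflight*, so the
# functions can also be sourced into another script.
case "$0" in
    *ipf_preflight*) ipf_preflight "$@" ;;
esac
```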