From: Santos
To: Giorgos Keramidas
cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
Date: Mon, 26 May 2003 05:18:24 +0100
Message-ID: <3ED19590.80309@cas.port995.com>
In-Reply-To: <20030525234819.U21691@gothmog>

Giorgos Keramidas wrote:
> On 2003-05-25 07:57, Santos wrote:
>
>> root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>> 3 Network secure mode - same as highly secure mode, plus IP packet
>>   filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>>   dummynet(4) configuration cannot be adjusted.
>>
>> root@vigilante /root cuaa1# sysctl -a |grep secure
>> kern.securelevel: 3
>> [...]
>> root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>> net.inet.ip.fw.enable: 1 -> 0
>>
>> root@vigilante /root cuaa1# ping 216.136.204.21
>> PING 216.136.204.21 (216.136.204.21): 56 data bytes
>> 64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>> ^C
>
>
> Try this patch. Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c	19 Feb 2003 05:47:33 -0000	1.192
> +++ sys/netinet/ip_fw.c	25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@
>
>  #ifdef SYSCTL_NODE
>  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
>  	&fw_enable, 0, "Enable ipfw");
>  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>  	&fw_one_pass, 0,
>
>
> - Giorgos

Sorry, I missed a uname and a grep :)

root@vigilante /root p1# uname -a
FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20 20:19:53 WEST 2003     root@vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE  i386
root@vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
options         IPFW2

I hope this gets fixed; it defeats the purpose of secure levels, at least of the third one. It would be nice to have a level 4 where sysctl variables couldn't be changed, but something tells me that isn't possible... some variables are dynamic, change all the time, no?

Santos
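Review bot: The hunk only touches sys/netinet/ip_fw.c, the IPFW version 1 code, but the kernel config shown in the reply (`options IPFW2`) means the reporter's net.inet.ip.fw.enable sysctl is declared in the IPFW2 implementation (sys/netinet/ip_fw2.c), so this change will not affect the behaviour he reproduced; the matching `SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, ...)` there needs the same CTLFLAG_SECURE3 flag. Two smaller points: the diff is taken against revision 1.192 of the file rather than the branch a 4.8-RELEASE kernel is built from, so confirm CTLFLAG_SECURE3 is defined in that branch's sys/sysctl.h before applying it; and the neighbouring `one_pass` sysctl in the context lines stays CTLFLAG_RW even though it also changes how packets traverse the rule set, so consider whether the init(8) promise that filter rules "cannot be changed" at securelevel 3 should cover it as well.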