From owner-freebsd-security@FreeBSD.ORG Sat May 24 23:57:17 2003
Message-ID: <3ED06967.90306@cas.port995.com>
Date: Sun, 25 May 2003 07:57:43 +0100
From: Santos
To: freebsd-security@freebsd.org
Subject: ipfirewall(4)) cannot be changed
List-Id: Security issues [members-only posting]

root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
     3     Network secure mode - same as highly secure mode, plus IP packet
           filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
           dummynet(4) configuration cannot be adjusted.

root@vigilante /root cuaa1# sysctl -a |grep secure
kern.securelevel: 3
root@vigilante /root cuaa1# ipfw show
00100        0        0 allow ip from any to any via lo0
00200        0        0 deny ip from any to 127.0.0.0/8
00300        0        0 deny ip from 127.0.0.0/8 to any
65535       44     3648 deny ip from any to any
root@vigilante /root cuaa1# ping 216.136.204.21
PING 216.136.204.21 (216.136.204.21): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 216.136.204.21 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@vigilante /root cuaa1# telnet 216.136.204.21 80
Trying 216.136.204.21...
telnet: connect to address 216.136.204.21: Permission denied
telnet: Unable to connect to remote host
root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
net.inet.ip.fw.enable: 1 -> 0
root@vigilante /root cuaa1# ping 216.136.204.21
PING 216.136.204.21 (216.136.204.21): 56 data bytes
64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
64 bytes from 216.136.204.21: icmp_seq=1 ttl=50 time=346.135 ms
^C
--- 216.136.204.21 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 338.878/342.506/346.135/3.629 ms
root@vigilante /root cuaa1# telnet 216.136.204.21 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
quit
501 Method Not Implemented

Method Not Implemented

quit to /index.html not supported.

Invalid method in request quit / HTTP/1.1

Connection closed by foreign host.

Santos
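The state Santos demonstrates, as an added defender-side check that is not part of the original post: a POSIX sh function that parses the output of `sysctl kern.securelevel net.inet.ip.fw.enable` and flags a host whose ipfw ruleset is locked by securelevel while the filter itself has been switched off. The function name and the sample inputs are constructed here to mirror the session above; on a live host you would feed it the real sysctl output.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the condition shown in
# the session: kern.securelevel is 3, so the ipfw rules cannot be edited,
# yet net.inet.ip.fw.enable has been set to 0, so nothing is filtered.
# Input: the text of `sysctl kern.securelevel net.inet.ip.fw.enable`
# (one "name: value" per line) passed as a string, so the check can be
# exercised offline against constructed samples.

audit_fw_state() {
    input="$1"
    securelevel=$(printf '%s\n' "$input" \
        | awk -F': ' '$1=="kern.securelevel"{print $2}')
    fw_enable=$(printf '%s\n' "$input" \
        | awk -F': ' '$1=="net.inet.ip.fw.enable"{print $2}')

    # Either OID missing: ipfw is not loaded or the input is malformed.
    if [ -z "$securelevel" ] || [ -z "$fw_enable" ]; then
        echo "UNKNOWN"
        return 2
    fi
    # Rules are frozen by securelevel, but the filter is disabled:
    # the ruleset shown by `ipfw show` is not being enforced at all.
    if [ "$securelevel" -ge 3 ] && [ "$fw_enable" -eq 0 ]; then
        echo "ALERT"
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed samples: the host before and after the sysctl change.
SAMPLE_LOCKED='kern.securelevel: 3
net.inet.ip.fw.enable: 1'
SAMPLE_BYPASSED='kern.securelevel: 3
net.inet.ip.fw.enable: 0'

for sample in "$SAMPLE_LOCKED" "$SAMPLE_BYPASSED"; do
    audit_fw_state "$sample" || :
done
```

The non-zero return code is meant for a cron job or monitoring agent, so a firewall that was disabled underneath an otherwise locked securelevel is noticed rather than assumed to be in force.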