From owner-freebsd-bugs@FreeBSD.ORG Thu Oct 2 05:10:16 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Date: Thu, 2 Oct 2003 05:10:15 -0700 (PDT)
Message-Id: <200310021210.h92CAFjS054739@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
Reply-To: Ruslan Ermilov
List-Id: Bug reports

The following reply was made to PR kern/57492; it has been noted by GNATS.
From: Ruslan Ermilov
To: bdluevel@heitec.net
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
Date: Thu, 2 Oct 2003 15:09:03 +0300

On Thu, Oct 02, 2003 at 05:06:02AM -0700, Ruslan Ermilov wrote:
> Synopsis: Firewall can be disabled in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: ru
> State-Changed-When: Thu Oct 2 05:05:26 PDT 2003
> State-Changed-Why:
> # uname -r
> 4.9-PRERELEASE
> # sysctl kern.securelevel
> kern.securelevel: -1
> # sysctl net.inet.ip.fw.enable=0
> net.inet.ip.fw.enable: 1 -> 0
> # sysctl net.inet.ip.fw.enable=1
> net.inet.ip.fw.enable: 0 -> 1
> # sysctl kern.securelevel=3
> kern.securelevel: -1 -> 3
> # sysctl net.inet.ip.fw.enable=0
> net.inet.ip.fw.enable: 1
> sysctl: net.inet.ip.fw.enable: Operation not permitted
>

My apologies, I forgot that I have this problem fixed locally, but it's not in the FreeBSD repository. I will re-open the bug. The patch, FWIW, is as follows:

%%%
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
retrieving revision 1.131.2.39
diff -u -p -r1.131.2.39 ip_fw.c
--- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
+++ ip_fw.c 2 Oct 2003 12:07:35 -0000
@@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); #ifdef SYSCTL_NODE + +static int +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS) +{ + + if (req->newptr && securelevel >= 3) + return (EPERM); + return sysctl_handle_int(oidp, arg1, arg2, req); +} + SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, - &fw_enable, 0, "Enable ipfw"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, - &fw_one_pass, 0, +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW, + &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW, + &fw_one_pass, 0, sysctl_fw_securelevel_check, "I", "Only do a single pass through ipfw when using dummynet(4)"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "Enable printing of debug ip_fw statements"); 
@@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ; /* # static u_int32_t dyn_count = 0 ; /* # of dynamic rules */ static u_int32_t dyn_max = 1000 ; /* max # of dynamic rules */ -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW, - &dyn_buckets, 0, "Number of dyn. buckets"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD, - &curr_dyn_buckets, 0, "Current Number of dyn. buckets"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD, - &dyn_count, 0, "Number of dyn. rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW, - &dyn_max, 0, "Max number of dyn. rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD, - &static_count, 0, "Number of static rules"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW, - &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW, - &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW, - &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW, - &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW, - &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW, - &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations"); -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD, - &dyn_grace_time, 0, "Grace time for dyn. rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT|CTLFLAG_RW, + &dyn_buckets, 0, sysctl_fw_securelevel_check, "IU", + "Number of dyn. buckets"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD, + &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU", + "Current Number of dyn. 
buckets"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLTYPE_INT|CTLFLAG_RD, + &dyn_count, 0, sysctl_fw_securelevel_check, "IU", "Number of dyn. rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLTYPE_INT|CTLFLAG_RW, + &dyn_max, 0, sysctl_fw_securelevel_check, "IU", "Max number of dyn. rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, static_count, CTLTYPE_INT|CTLFLAG_RD, + &static_count, 0, sysctl_fw_securelevel_check, "IU", + "Number of static rules"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_ack_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for acks"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_syn_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for syn"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_fin_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for fin"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_rst_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for rst"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_udp_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for UDP"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLTYPE_INT|CTLFLAG_RW, + &dyn_short_lifetime, 0, sysctl_fw_securelevel_check, "IU", + "Lifetime of dyn. rules for other situations"); +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLTYPE_INT|CTLFLAG_RD, + &dyn_grace_time, 0, sysctl_fw_securelevel_check, "IU", + "Grace time for dyn. rules"); #endif /* SYSCTL_NODE */ %%% -- Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer
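Review bot: In the first hunk (@@ -94,11 +94,21 @@) the `debug` node in the trailing context, `SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, ...)`, is left as a plain read/write integer, so it stays settable at securelevel 3 while `enable` and `one_pass` now go through sysctl_fw_securelevel_check; either route it through the same handler or add a comment saying why toggling debug output is acceptable at that level. Two smaller points on the new handler: the blank line directly after the opening brace of sysctl_fw_securelevel_check has no declarations to separate and should go, and a one-line comment stating the contract (reads always fall through to sysctl_handle_int; a write, i.e. req->newptr set, is refused with EPERM once securelevel is 3 or higher) would help the next reader. The handler guards only the sysctl path; the hunk does not show whether the ipfw(8) rule and dummynet control path is gated the same way, so that should be confirmed before the PR is closed.

Review bot: In the second hunk (@@ -173,30 +183,40 @@) wrapping the read-only nodes (curr_dyn_buckets, dyn_count, static_count and dyn_grace_time, all CTLTYPE_INT|CTLFLAG_RD) in sysctl_fw_securelevel_check is redundant: the RD flag already makes the sysctl framework refuse a write before any handler runs, so these four can stay as the SYSCTL_INT definitions they were, which keeps the diff to the writable knobs that actually needed the check. If they are converted anyway, note that every node in this hunk also changes its format string from the "I" that SYSCTL_INT implies to "IU", while `enable` and `one_pass` in the first hunk keep "I"; that is a separate, unannounced change in the type sysctl(8) reports and should either be mentioned in the commit message or made consistent across both hunks.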