Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 24 May 2001 06:56:10 -0700 (PDT)
From:      andria@tovaris.com
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/27615: ipf restricts rule-changing at securelevel 2
Message-ID:  <200105241356.f4ODuAp66088@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 


>Number:         27615
>Category:       kern
>Synopsis:       ipf restricts rule-changing at securelevel 2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 24 07:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Andria Thomas
>Release:        4.3-STABLE
>Organization:
Tovaris
>Environment:
FreeBSD fw.intranet 4.3-STABLE FreeBSD 4.3-STABLE #1: Wed May 23 09:45:59 EDT 2001     root@fw.intranet:/data/obj/data/src/sys/FW  i386

>Description:
According to the 'init' manpage, running at securelevel 2 should still
allow the flushing/changing of ipf/ipnat rules.  This is true for ipfw,
but is not true for ipf.
>How-To-Repeat:
Run a firewall at securelevel 2 and try to flush/change your ipf or 
ipnat rules.
>Fix:
There are only two references to securelevel in the ip-filter code.
They should be changed from 'securelevel >= 2' to 'securelevel >=3'.

*** ip_fil.c    Wed May 23 09:39:37 2001
--- ip_fil.c.orig       Wed May 23 09:39:12 2001
***************
*** 461,465 ****
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 3) && (mode & FWRITE))
                return EPERM;
  #endif
--- 461,465 ----
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 2) && (mode & FWRITE))
                return EPERM;
  #endif
-----------------------------------------------------------
*** ip_nat.c    Wed May 23 09:39:50 2001
--- ip_nat.c.orig       Wed May 23 09:39:19 2001
***************
*** 428,432 ****
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 3) && (mode & FWRITE))
                return EPERM;
  #endif
--- 428,432 ----
  
  #if (BSD >= 199306) && defined(_KERNEL)
!       if ((securelevel >= 2) && (mode & FWRITE))
                return EPERM;
  #endif

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105241356.f4ODuAp66088>