Date:      Sat,  4 Nov 2000 01:59:57 -0800 (PST)
From:      andre@express.ru
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/22600: It is possible to change ipfw rules with kernel secure level == 3.
Message-ID:  <20001104095957.ED5FD37B4CF@hub.freebsd.org>


>Number:         22600
>Category:       kern
>Synopsis:       It is possible to change ipfw rules with kernel secure level == 3.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 04 02:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Andre Yelistratov
>Release:        4.2-BETA
>Organization:
>Environment:
FreeBSD satan.express.ru 4.2-BETA FreeBSD 4.2-BETA #0: Thu Nov  2 17:22:44 MSK 2000     andre@satan.express.ru:/usr/obj/usr/src/sys/SATAN  i386

>Description:
From man 8 init:
"3     Network secure mode - same as highly secure mode, plus IP packet
      filter rules (see ipfw(8) and ipfirewall(4))  cannot be changed and
      dummynet(4) configuration cannot be adjusted."
It IS possible to change ipfw rules in security level 3.

>How-To-Repeat:
satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#sysctl -a|grep secur
kern.securelevel: -1

satan:/usr/home/andre#sysctl -w kern.securelevel=3
kern.securelevel: -1 -> 3

satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#ipfw add 200 deny ip from any to any
00200 deny ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- a.b.c.d ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
satan:/usr/home/andre#ipfw add 100 allow ip from any to any
00100 allow ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
64 bytes from a.b.c.d: icmp_seq=0 ttl=254 time=11.915 ms
64 bytes from a.b.c.d: icmp_seq=1 ttl=254 time=6.089 ms
^C
--- a.b.c.d ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.089/9.002/11.915/2.913 ms

satan:/usr/home/andre#ipfw -q flush
ipfw: setsockopt(IP_FW_FLUSH): Operation not permitted


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

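Editor's note, added to this archived PR and not part of Andre's report or of FreeBSD's ip_fw.c: the transcript above shows the one pattern worth remembering from this bug. At securelevel 3 the kernel refuses IP_FW_FLUSH with EPERM but still accepts IP_FW_ADD, and ipfw(8) issues IP_FW_ADD through getsockopt(2) rather than setsockopt(2) so that the kernel can return the rule number it assigned. A securelevel gate that keys on the sockopt direction (set versus get) therefore lets the one mutating "get" through. The program below is a userland model of that gate, written by the editor; whether the direction-keyed check is the actual cause in 4.2-BETA is an assumption the PR itself does not confirm. The constant names follow netinet/ip_fw.h and sys/socketvar.h, but the numeric values, the struct layout and the helper functions are the editor's own.

```c
/*
 * Added example, not code from PR kern/22600 or from FreeBSD's ip_fw.c.
 * Models an ipfw-style securelevel gate in userland.  Assumption: the
 * gate keys on the sockopt direction; because IP_FW_ADD travels as a
 * getsockopt(2) (it returns the assigned rule number), a direction-keyed
 * check lets IP_FW_ADD through at securelevel 3 while rejecting
 * IP_FW_FLUSH, which is the symptom in the transcript.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Names follow the FreeBSD headers; the numeric values are illustrative. */
enum sopt_dir { SOPT_GET, SOPT_SET };
enum { IP_FW_ADD = 50, IP_FW_DEL, IP_FW_FLUSH, IP_FW_ZERO, IP_FW_GET, IP_FW_RESETLOG };

struct sockopt {
	enum sopt_dir sopt_dir;   /* how the request arrived */
	int           sopt_name;  /* what the request asks for */
};

/* Stand-in for the kernel's securelevel variable (hypothetical). */
static int securelevel = -1;

/* Does this request modify the ruleset?  IP_FW_ADD is the odd one out:
 * it mutates state but is carried as a get because it returns data. */
static int fw_op_mutates(const struct sockopt *sopt)
{
	switch (sopt->sopt_name) {
	case IP_FW_ADD:
	case IP_FW_DEL:
	case IP_FW_FLUSH:
	case IP_FW_ZERO:
		return 1;
	default:
		return 0;
	}
}

/* Direction-keyed gate: blocks every SOPT_SET except IP_FW_RESETLOG.
 * This is the weak form; it never sees IP_FW_ADD because that is a get. */
static int gate_by_direction(const struct sockopt *sopt)
{
	if (securelevel >= 3 && sopt->sopt_dir == SOPT_SET &&
	    sopt->sopt_name != IP_FW_RESETLOG)
		return EPERM;
	return 0;
}

/* Operation-keyed gate: decides on what the request does, not on how it
 * arrived.  Reads and log-counter resets stay allowed at securelevel 3. */
static int gate_by_operation(const struct sockopt *sopt)
{
	if (securelevel >= 3 && fw_op_mutates(sopt))
		return EPERM;
	return 0;
}

/* Build a request the way ipfw(8) issues it: IP_FW_ADD and IP_FW_GET via
 * getsockopt(2), everything else via setsockopt(2). */
static struct sockopt fw_request(int name)
{
	struct sockopt so;
	so.sopt_name = name;
	so.sopt_dir = (name == IP_FW_ADD || name == IP_FW_GET) ? SOPT_GET : SOPT_SET;
	return so;
}

/* Run one operation against one gate at a given securelevel; returns 0 or errno. */
static int try_op(int level, int name, int (*gate)(const struct sockopt *))
{
	struct sockopt so = fw_request(name);
	securelevel = level;
	return gate(&so);
}

int main(void)
{
	static const struct { int name; const char *label; } ops[] = {
		{ IP_FW_GET, "IP_FW_GET" }, { IP_FW_ADD, "IP_FW_ADD" },
		{ IP_FW_FLUSH, "IP_FW_FLUSH" }, { IP_FW_RESETLOG, "IP_FW_RESETLOG" },
	};
	size_t i;

	printf("%-16s %-24s %-24s\n", "op @ level 3", "direction-keyed gate", "operation-keyed gate");
	for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
		int a = try_op(3, ops[i].name, gate_by_direction);
		int b = try_op(3, ops[i].name, gate_by_operation);
		printf("%-16s %-24s %-24s\n", ops[i].label,
		    a ? strerror(a) : "allowed", b ? strerror(b) : "allowed");
	}
	return 0;
}
```

The check a practitioner wants on a real box is the same one the transcript performs: at securelevel 3, every ipfw(8) subcommand that changes the ruleset (add, delete, flush, zero) must fail with "Operation not permitted", not just flush. The general lesson is that an authorization gate in a control path should be keyed on the semantics of the operation, never on the transport it happens to ride on.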

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001104095957.ED5FD37B4CF>