From owner-freebsd-bugs Sat Nov 4 02:00:09 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 21C1A37B4D7 for ; Sat, 4 Nov 2000 02:00:03 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id CAA93310; Sat, 4 Nov 2000 02:00:03 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767) id ED5FD37B4CF; Sat, 4 Nov 2000 01:59:57 -0800 (PST)
Message-Id: <20001104095957.ED5FD37B4CF@hub.freebsd.org>
Date: Sat, 4 Nov 2000 01:59:57 -0800 (PST)
From: andre@express.ru
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/22600: It is possible to change ipfw rules with kernel secure level == 3.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         22600
>Category:       kern
>Synopsis:       It is possible to change ipfw rules with kernel secure level == 3.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 04 02:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Andre Yelistratov
>Release:        4.2-BETA
>Organization:
>Environment:
FreeBSD satan.express.ru 4.2-BETA FreeBSD 4.2-BETA #0: Thu Nov 2 17:22:44 MSK 2000 andre@satan.express.ru:/usr/obj/usr/src/sys/SATAN i386
>Description:
From man 8 init:

"3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted."

It IS possible to change ipfw rules in security level 3.
>How-To-Repeat:
satan:/usr/home/andre# ipfw show
65535 76 7632 allow ip from any to any
satan:/usr/home/andre# sysctl -a | grep secur
kern.securelevel: -1
satan:/usr/home/andre# sysctl -w kern.securelevel=3
kern.securelevel: -1 -> 3
satan:/usr/home/andre# ipfw show
65535 76 7632 allow ip from any to any
satan:/usr/home/andre# ipfw add 200 deny ip from any to any
00200 deny ip from any to any
satan:/usr/home/andre# ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- a.b.c.d ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
satan:/usr/home/andre# ipfw add 100 allow ip from any to any
00100 allow ip from any to any
satan:/usr/home/andre# ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
64 bytes from a.b.c.d: icmp_seq=0 ttl=254 time=11.915 ms
64 bytes from a.b.c.d: icmp_seq=1 ttl=254 time=6.089 ms
^C
--- a.b.c.d ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.089/9.002/11.915/2.913 ms
satan:/usr/home/andre# ipfw -q flush
ipfw: setsockopt(IP_FW_FLUSH): Operation not permitted
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
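The transcript above shows the classic shape of a securelevel bypass: the kernel refuses IP_FW_FLUSH at securelevel 3 but still accepts IP_FW_ADD, so a root process can neutralise the whole ruleset by adding a lower-numbered "allow ip from any to any" without ever flushing anything. The following is an added userland model, not FreeBSD kernel code and not the author's code, of the securelevel gate in a setsockopt handler such as ip_fw_ctl(). The option names mirror the IP_FW_* socket options but are redefined locally so the file compiles on any system; the "buggy" gate is a hypothetical reconstruction that reproduces the symptom reported in the PR (FLUSH refused, ADD allowed), and the "fixed" gate is the policy that actually matches the init(8) wording: refuse every rule-modifying (SOPT_SET) option at securelevel >= 3, leaving only the counter reset open.

```c
/*
 * Added example, not FreeBSD source: a userland model of the securelevel
 * gate that should guard every rule-modifying ipfw socket option.
 * Names mirror IP_FW_* / SOPT_* from the 4.x kernel but are redefined
 * here (assumption) so this compiles stand-alone.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum ipfw_op { FW_GET, FW_ADD, FW_DEL, FW_FLUSH, FW_ZERO, FW_RESETLOG };
enum sopt_dir { SOPT_GET, SOPT_SET };

struct sockopt_model {
    enum sopt_dir dir;   /* SOPT_GET reads state, SOPT_SET modifies it */
    enum ipfw_op  name;  /* which IP_FW_* option the caller used       */
};

/* Hypothetical buggy gate reproducing the PR's symptom: only FLUSH is
 * refused at securelevel >= 3, so ADD and DEL still reach the chain. */
int gate_buggy(int securelevel, const struct sockopt_model *so)
{
    if (securelevel >= 3 && so->name == FW_FLUSH)
        return EPERM;
    return 0;
}

/* Fixed gate: in network secure mode (securelevel >= 3) no SOPT_SET
 * option may touch the ruleset; resetting the log counters changes
 * no rule and stays permitted. GET-direction options are unaffected. */
int gate_fixed(int securelevel, const struct sockopt_model *so)
{
    if (securelevel >= 3 && so->dir == SOPT_SET && so->name != FW_RESETLOG)
        return EPERM;
    return 0;
}

/* Minimal rule chain model: rule numbers in ascending order, with the
 * default rule 65535 always last, as in ipfw. Returns the number of the
 * first rule that would match "ip from any to any", i.e. the lowest one. */
#define MAX_RULES 8
struct chain { int nrules; int rule[MAX_RULES]; int allow[MAX_RULES]; };

static int chain_add(struct chain *c, int num, int allow)
{
    int i, j;
    if (c->nrules >= MAX_RULES)
        return ENOSPC;
    for (i = 0; i < c->nrules && c->rule[i] < num; i++)
        ;
    for (j = c->nrules; j > i; j--) {
        c->rule[j] = c->rule[j - 1];
        c->allow[j] = c->allow[j - 1];
    }
    c->rule[i] = num;
    c->allow[i] = allow;
    c->nrules++;
    return 0;
}

/* Replays the PR's attacker sequence at a given securelevel through the
 * chosen gate and reports whether "any to any" traffic ends up allowed.
 * Returns 1 if traffic passes, 0 if denied, -1 if the first add was refused. */
int replay_bypass(int (*gate)(int, const struct sockopt_model *), int securelevel)
{
    struct chain c;
    struct sockopt_model add = { SOPT_SET, FW_ADD };
    memset(&c, 0, sizeof c);
    chain_add(&c, 65535, 1);                 /* default allow, as in the PR */
    if (gate(securelevel, &add) != 0)
        return -1;                           /* gate held: no change possible */
    chain_add(&c, 200, 0);                   /* "ipfw add 200 deny ip from any to any" */
    chain_add(&c, 100, 1);                   /* "ipfw add 100 allow ip from any to any" */
    return c.allow[0];                       /* first rule wins */
}

int main(void)
{
    printf("buggy gate, securelevel 3: traffic allowed=%d (bypass works)\n",
           replay_bypass(gate_buggy, 3));
    printf("fixed gate, securelevel 3: result=%d (add refused with EPERM)\n",
           replay_bypass(gate_fixed, 3));
    return 0;
}
```

The point of the model is the gate's predicate, not the chain: a securelevel check keyed on specific option names silently misses every option that is added later or forgotten, whereas keying on the direction of the setsockopt (any SOPT_SET) with an explicit allow-list of harmless exceptions fails closed. When auditing a securelevel-gated interface, enumerate every SOPT_SET path to the same state and confirm each one hits the same check.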