From owner-freebsd-security Tue Oct 12 9:37:22 1999
Date: Tue, 12 Oct 1999 13:43:38 -0300 (ART)
From: Fernando Gleiser
To: freebsd-security@freebsd.org
Subject: ipfilter and securelevels

While configuring a FreeBSD box as a firewall with IPFilter, I've noticed that you can still change the filter rules even if securelevel > 1. I have merged the changes made by the OpenBSD people to prevent this into ip_fil.c, and I will file a PR with the patch unless there is a reason to leave ipfilter as it is now.
Here's the patch: ----------------8< cut here ---------------------------------------- *** ip_fil.c.orig Sun Oct 10 21:31:12 1999 --- ip_fil.c Sun Oct 10 21:43:32 1999 *************** *** 364,367 **** --- 364,396 ---- #endif + # if defined(__OpenBSD__) || defined (__FreeBSD__) + if (securelevel > 1) { + switch (cmd) { + # ifndef IPFILTER_LKM + case SIOCFRENB: + # endif + case SIOCSETFF: + case SIOCADAFR: + case SIOCADIFR: + case SIOCINAFR: + case SIOCINIFR: + case SIOCRMAFR: + case SIOCRMIFR: + case SIOCZRLST: + case SIOCSWAPA: + case SIOCFRZST: + case SIOCIPFFL: + # ifdef IPFILTER_LOG + case SIOCIPFFB: + # endif + case SIOCADNAT: + case SIOCRMNAT: + case SIOCFLNAT: + case SIOCCNATL: + return EPERM; + } + } + # endif + SPL_NET(s); ----------------8< cut here ---------------------------------------- Fer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
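Review bot: The `# ifndef IPFILTER_LKM` guard around `case SIOCFRENB:` means that when ipfilter is built as a loadable module, SIOCFRENB stays callable at securelevel > 1, so the filter can still be switched off as a whole even though every rule-editing and NAT ioctl below it now returns EPERM; if that exemption is deliberate (for example to allow module unload), a comment next to the guard should say so, otherwise SIOCFRENB should be rejected in both builds. The cut-off `if (securelevel > 1)` also deserves a sentence in the PR or the securelevel documentation, since at securelevel 1 the rules remain editable and an administrator reading only the subject line might expect otherwise.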