Date: Wed, 18 Apr 2001 11:30:54 -0500
From: Rich Neswold <neswold@fnal.gov>
To: freebsd-ipfw@freebsd.org
Subject: Protecting IPFW kernel variables...
Message-ID: <20010418113053.A34196@spiv.fnal.gov>
Hello,
I have a couple of machines that connect to the Internet via a FreeBSD box
running ipfw. My firewall rules haven't been changed in quite a while, so I
decided to run the box using secure level 3 (firewall rules can't get
changed.) I noticed, however, that even at this secure level, I can still
open my firewall by using sysctl!
The following patch corrects this:
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.23
diff -r1.131.2.23 ip_fw.c
100c100
< SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
---
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
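Review bot: The changed line 100 covers only the `enable` OID, so any other CTLFLAG_RW entry declared under _net_inet_ip_fw in ip_fw.c that influences filtering would stay writable at a raised securelevel; check the neighbouring SYSCTL declarations and give them the same flag in this patch if they apply. Because the message notes the flag is stricter than the securelevel 3 at which the rules themselves are locked, a comment above the declaration saying that the firewall can no longer be toggled once the securelevel is raised would help administrators who expect to switch it off temporarily. Style: put spaces around the operator, `CTLFLAG_RW | CTLFLAG_SECURE`.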
The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
securelevel >= 0, so it is more strict than it needs to be.
Should I submit this?
(Please CC: me in any response. I'm subscribed to -questions, -hackers, and
-stable, but not -ipfw.)
--
Rich
------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
| fax 1.630.840.3093
