From owner-freebsd-ipfw Wed Apr 18 9:30:59 2001
Date: Wed, 18 Apr 2001 11:30:54 -0500
From: Rich Neswold
To: freebsd-ipfw@freebsd.org
Subject: Protecting IPFW kernel variables...
Message-ID: <20010418113053.A34196@spiv.fnal.gov>
Reply-To: neswold@fnal.gov
Organization: Fermi National Accelerator Laboratory
X-Operating-System: FreeBSD 3.4-STABLE

Hello,

I have a couple of machines that connect to the Internet via a FreeBSD box running ipfw. My firewall rules haven't been changed in quite a while, so I decided to run the box using secure level 3 (firewall rules can't get changed). I noticed, however, that even at this secure level, I can still open my firewall by using sysctl! The following patch corrects this:

RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.23
diff -r1.131.2.23 ip_fw.c
100c100
< SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
---
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,

The CTLFLAG_SECURE flag doesn't allow the variable to be changed when securelevel >= 0, so it is more strict than it needs to be. Should I submit this?
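Review bot: the hunk locks only the `enable` knob, and, as the message itself notes, CTLFLAG_SECURE refuses writes at every securelevel >= 0 rather than only at securelevel 3, so a host running at a low securelevel that still expects to toggle net.inet.ip.fw.enable would lose that ability. State that trade-off explicitly when submitting, and consider sending a unified diff (diff -u) against revision 1.131.2.23 instead of the default ed-style output, so reviewers can see the surrounding context of line 100.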
(Please CC: me in any response. I'm subscribed to -questions, -hackers, and -stable, but not -ipfw.)

-- 
Rich

------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
                                                 | fax 1.630.840.3093