Date:      Wed, 26 Sep 2007 01:35:32 GMT
From:      "James L. Lauser" <james@jlauser.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/116645: pfctl -k does not work in securelevel 3
Message-ID:  <200709260135.l8Q1ZWvG072867@www.freebsd.org>
Resent-Message-ID: <200709260140.l8Q1e6xm012148@freefall.freebsd.org>


>Number:         116645
>Category:       kern
>Synopsis:       pfctl -k does not work in securelevel 3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 26 01:40:06 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     James L. Lauser
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD Pancake.jlauser.net 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #7: Mon May 28 21:18:23 EDT 2007     root@Pancake.jlauser.net:/usr/obj/usr/src/sys/SMP_POLLING  amd64
>Description:
When in network secure mode (kern.securelevel=3), pfctl -k does not work, as DIOCKILLSTATES is not permitted.  I believe this is counter-intuitive.

If a rule such as "block drop quick from <blacklisted> to any" is present, it is possible to firewall an attacking host by executing 'pfctl -t blacklisted -T add 1.2.3.4', even in network secure mode, but any states that the particular host already has open continue to work, as state table evaluation is done before rule evaluation.
>How-To-Repeat:
Set kern.securelevel to 3, and attempt to kill a firewall state with pfctl -k.
>Fix:
Do not prevent calls to DIOCKILLSTATES when in securelevel 3.

>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709260135.l8Q1ZWvG072867>
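The two-step response the report describes, as an added example that is not part of the PR or of pf itself: put the host into the table referenced by the "block drop quick" rule, then kill the states the host already holds, because pf consults the state table before the rules. It assumes the pf.conf lines shown in the comments and the hypothetical PF_DRY_RUN and PF_BLOCK_HOST variables; at securelevel 3 the kill step is skipped and reported, since DIOCKILLSTATES is refused there.

```shell
#!/bin/sh
# Added example (not from PR kern/116645 or the pf project): block a hostile
# host with the table-based rule from the report, then drop the states the
# host already holds, since pf checks the state table before the rules.
# Assumes pf.conf contains:
#   table <blacklisted> persist
#   block drop quick from <blacklisted> to any
# Set PF_DRY_RUN=1 to print the pfctl commands instead of executing them.

run() {
    if [ -n "$PF_DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return 0 when pfctl -k (DIOCKILLSTATES) is permitted at this securelevel,
# 1 when the kernel refuses it (securelevel 3, as described in the report).
kill_states_permitted() {
    [ "$1" -lt 3 ]
}

# block_host SECURELEVEL HOST: add HOST to <blacklisted> and kill its states.
# Returns 0 if both steps ran, 1 on a pfctl error, 2 if the table was updated
# but existing states could not be killed, so open connections survive.
block_host() {
    level="$1"
    host="$2"
    run pfctl -t blacklisted -T add "$host" || return 1
    if ! kill_states_permitted "$level"; then
        echo "securelevel $level: cannot kill existing states of $host" >&2
        return 2
    fi
    # States the host originated, then states where it is the destination.
    run pfctl -k "$host" || return 1
    run pfctl -k 0.0.0.0/0 -k "$host" || return 1
}

# Script usage: PF_BLOCK_HOST=192.0.2.10 sh pfblock.sh (address is constructed)
if [ -n "$PF_BLOCK_HOST" ]; then
    block_host "$(sysctl -n kern.securelevel)" "$PF_BLOCK_HOST"
fi
```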