Date: Tue, 15 May 2001 14:21:18 +0300 From: Peter Pentchev <roam@orbitel.bg> To: Ruslan Ermilov <ru@FreeBSD.org> Cc: Bill Fumerola <billf@FreeBSD.org>, Luigi Rizzo <luigi@FreeBSD.org>, ipfw@FreeBSD.org Subject: Re: ipfw rules and securelevel Message-ID: <20010515142118.G11592@ringworld.oblivion.bg> In-Reply-To: <20010515140943.A41014@sunbay.com>; from ru@FreeBSD.org on Tue, May 15, 2001 at 02:09:43PM %2B0300 References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com> <20010515140943.A41014@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, May 15, 2001 at 02:09:43PM +0300, Ruslan Ermilov wrote: > Here is a slightly reworked version of the above patch. It prohibits > all MIB modifications under net.inet.ip.fw node except a few ones: > debug, verbose, and verbose_limit that shouldn't affect security. > Please review. I wonder if verbose and verbose_limit shouldn't also be prohibited. Arguably, if someone has obtained superuser privileges on your securelevel 3 box, they don't need to try any more exploits or something. Still, I personally would maybe feel a bit more warm and fuzzy if I knew that no one could disable ipfw logging, even if the system is already compromised. G'luck, Peter -- What would this sentence be like if pi were 3? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010515142118.G11592>