Date: Mon, 26 May 2003 05:18:24 +0100
From: Santos <sansan@cas.port995.com>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfirewall(4)) cannot be changed
Message-ID: <3ED19590.80309@cas.port995.com>
In-Reply-To: <20030525234819.U21691@gothmog>
References: <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog>
Giorgos Keramidas wrote:
> On 2003-05-25 07:57, Santos wrote:
>
>>root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>>3 Network secure mode - same as highly secure mode, plus IP packet
>> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>> dummynet(4) configuration cannot be adjusted.
>>
>>root@vigilante /root cuaa1# sysctl -a |grep secure
>>kern.securelevel: 3
>>[...]
>>root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>>net.inet.ip.fw.enable: 1 -> 0
>>
>>root@vigilante /root cuaa1# ping 216.136.204.21
>>PING 216.136.204.21 (216.136.204.21): 56 data bytes
>>64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>>^C
>
>
> Try this patch. Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
> +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@ > > #ifdef SYSCTL_NODE > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, > +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3, > &fw_enable, 0, "Enable ipfw"); > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, > &fw_one_pass, 0, > > > - Giorgos Sorry i missed a uname and a grep :) root@vigilante /root p1# uname -a FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20 20:19:53 WEST 2003 root@vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE i386 root@vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE options IPFW2 I hope this gets fixed, it defeats the purpose of secure levels, at least, of the 3 one. It would be nice to have a 4 level where sysctl variables couldn't be changed, but something tells me that isn't possible... some variables are dynamic, change all the time, no? Santos
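Review bot: the `CTLFLAG_SECURE3` flag is added only to the `enable` declaration in `ip_fw.c` (the IPFW version 1 source), while the reply's `grep -i ipfw /sys/i386/conf/VIGILANTE` shows `options IPFW2`, so on the reported 4.8-RELEASE kernel the hunk never compiles in and the corresponding `SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, ...)` in the IPFW2 source needs the same change for the reported `sysctl net.inet.ip.fw.enable=0` at `kern.securelevel: 3` to start failing. Within the hunk, the adjacent `one_pass` declaration is left as plain `CTLFLAG_RW`, so that firewall-behaviour knob stays writable at securelevel 3; consider applying `CTLFLAG_SECURE3` consistently across the `net.inet.ip.fw` sysctls that alter filtering behaviour rather than to `enable` alone, and add a one-line comment tying the flag to the init(8) securelevel 3 wording quoted above so the intent survives future edits.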
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ED19590.80309>
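The exchange turns on how a sysctl's flag word interacts with kern.securelevel: a plain CTLFLAG_RW OID is writable by root at any securelevel, while CTLFLAG_SECURE3 makes the kernel refuse the write once the securelevel is above 2. The following C model is an added example, not code from the thread or from FreeBSD; it reproduces the write-side gate as a user-space function so the before/after effect of the proposed flag change can be checked without a FreeBSD kernel. The flag constants are assumed to match sys/sysctl.h (taken from memory), and the logic does not depend on their exact bit positions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Flag values as declared in FreeBSD's sys/sysctl.h (assumption: copied
 * from memory for this illustration; only their relative meaning matters).
 * CTLFLAG_SECUREn encodes "writable while securelevel <= n-1" as a small
 * integer stored in the CTLMASK_SECURE bits.
 */
#define CTLFLAG_RD        0x80000000u
#define CTLFLAG_WR        0x40000000u
#define CTLFLAG_RW        (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE    0x08000000u
#define CTLMASK_SECURE    0x00F00000u
#define CTLSHIFT_SECURE   20
#define CTLFLAG_SECURE1   (CTLFLAG_SECURE | (0u << CTLSHIFT_SECURE))
#define CTLFLAG_SECURE2   (CTLFLAG_SECURE | (1u << CTLSHIFT_SECURE))
#define CTLFLAG_SECURE3   (CTLFLAG_SECURE | (2u << CTLSHIFT_SECURE))

/* Minimal stand-in for a sysctl OID: its name and its kind/flags word. */
struct oid {
    const char *name;
    uint32_t kind;
};

/* Model of securelevel_gt(): EPERM when the running securelevel exceeds level. */
static int securelevel_gt(int securelevel, int level)
{
    return securelevel > level ? EPERM : 0;
}

/*
 * Model of the write-side check in the sysctl path: a write needs CTLFLAG_WR,
 * and if the OID carries CTLFLAG_SECURE the threshold encoded in
 * CTLMASK_SECURE is enforced against the current securelevel.
 * Returns 0 if the write would be accepted, otherwise an errno value.
 */
int sysctl_write_allowed(const struct oid *o, int securelevel)
{
    if (!(o->kind & CTLFLAG_WR))
        return EPERM;
    if (o->kind & CTLFLAG_SECURE) {
        int lvl = (int)((o->kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE);
        return securelevel_gt(securelevel, lvl);
    }
    return 0;
}

/* The enable OID as declared before and after the flag change discussed above. */
const struct oid fw_enable_before = { "net.inet.ip.fw.enable", CTLFLAG_RW };
const struct oid fw_enable_after  = { "net.inet.ip.fw.enable",
                                      CTLFLAG_RW | CTLFLAG_SECURE3 };

int main(void)
{
    const struct oid *oids[] = { &fw_enable_before, &fw_enable_after };
    const char *label[] = { "CTLFLAG_RW", "CTLFLAG_RW|CTLFLAG_SECURE3" };

    /* securelevel ranges from -1 (permanently insecure) to 3 on FreeBSD. */
    for (int i = 0; i < 2; i++)
        for (int lvl = -1; lvl <= 3; lvl++)
            printf("%-26s securelevel %2d: write %s\n", label[i], lvl,
                   sysctl_write_allowed(oids[i], lvl) == 0 ? "allowed" : "EPERM");
    return 0;
}
```

Running the program prints the write decision for both declarations at every securelevel: the plain CTLFLAG_RW row is "allowed" even at 3, which is exactly the sysctl net.inet.ip.fw.enable=0 result shown at the top of the thread, while the CTLFLAG_SECURE3 row flips to EPERM only at securelevel 3, matching the init(8) description of network secure mode without locking the knob at the lower levels.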