Date: Thu, 16 Sep 2004 04:05:04 -0000
From: Max Laier <max@love2party.net>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pf and securelevel
Message-ID: <200406081656.07353.max@love2party.net>
In-Reply-To: <20040608041725.GA3640@kt-is.co.kr>
References: <20040607154341.9A9CAB870@relay.md-moldes.com> <20040608041725.GA3640@kt-is.co.kr>

On Tuesday 08 June 2004 06:17, Pyun YongHyeon wrote:
> On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
> > Hi all,
> >
> > Is it disallowed to change pf rules when FreeBSD is running at
> > securelevel 3 as it is with ipfw and ipfilter?
>
> OpenBSD defines 4 securelevel(-1, 0, 1 and 2) whereas FreeBSD
> supports 5 securelevel(-1, 0, 1, 2 and 3).
> So the highest secure level on OpenBSD is 2. At present, pf
> on OpenBSD rejects some ioctls(2) when system's securelevel is
> higher than 1.
>
> Because FreeBSD's highest securelevel is 3, pf on FreeBSD can
> check process credentials with securelevel 3. But at the
> time of my first porting, that was ignored. So if you have
> securelevel higher than 1 you can't manipulate pf ruleset.
>
> If you want the same behavior of ipfw(8) change the check
> statement at the beginning of pfioctl() in pf_ioctl.c.
> Also, you can use jail-friendly wrapper function securelevel_gt().
> But it's not clear to me how pf should act in jailed process.
> Maybe Max and Daniel have more idea.

I have been thinking about this recently in connection with:
http://people.freebsd.org/~mlaier/jailed.patch which allows filtering tcp/udp
connections based inside jails. (e.g. you could allow only connections to a
successfully jailed httpd: "pass in on $ext_if proto tcp from any to $jail_ip
port 22 user www jailed keep state" or other things of that kind.)

The conclusion for above problem is:
1) Jailed root should normally not be able to modify the filter rules.
2) Real root might want to allow jailed root to configure certain things
   inside its own jail.

The implementation I am looking for at the moment would work like this:
1) Real root places anchors with a special name inside the ruleset.
2) Jailed root can place its rules inside these anchors.

This will give real root the full control over what jailed root can and can
not manipulate without changing much code. It will boil down to a few extra
checks in pf_ioctl.c ...

At the moment I am busy with ALTQ and maybe CARP in a bit so the FreeBSD
specific stuff will rest for the moment. I will, however, try to commit the
jailed patch once the 3.5 import is done.

-- 
Best regards,                           | mlaier@freebsd.org
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | mlaier@EFnet
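
Added example (not part of the original message, and not code from pf or the jailed patch): a user-space C model of the two checks discussed in this thread, the securelevel gate at the start of a ruleset-modifying request and the anchor-based delegation to jailed root. The anchor prefix "jail.<jid>", the function names and the single "active securelevel" argument are assumptions made for illustration; the message only says "anchors with a special name".

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical naming convention for anchors that real root delegates. */
#define JAIL_ANCHOR_PREFIX "jail."

/* User-space stand-in for the kernel's securelevel_gt(): EPERM when the
 * active securelevel is greater than `level`, 0 otherwise. */
static int model_securelevel_gt(int active, int level)
{
    return active > level ? EPERM : 0;
}

/* Decide whether a ruleset-modifying request may proceed.
 *   securelevel: active securelevel seen by the caller (-1..3 on FreeBSD)
 *   max_level:   highest level at which changes are still allowed
 *                (1 = pf behaviour described above, 2 = ipfw-like)
 *   jid:         0 for the host, otherwise the caller's jail id
 *   anchor:      target anchor, "" for the main ruleset
 * Returns 0 if allowed, EPERM if not. */
int pf_modify_allowed(int securelevel, int max_level, int jid,
                      const char *anchor)
{
    char want[64];
    size_t n;

    if (model_securelevel_gt(securelevel, max_level) != 0)
        return EPERM;
    if (jid == 0)
        return 0;                       /* real root keeps full control */

    /* Jailed root: only inside the anchor named for its own jail. */
    n = (size_t)snprintf(want, sizeof(want), JAIL_ANCHOR_PREFIX "%d", jid);
    if (n >= sizeof(want) || strncmp(anchor, want, n) != 0)
        return EPERM;
    /* Accept "jail.7" and "jail.7/sub"; a bare prefix match would also
     * let jail 7 write into "jail.70". */
    return (anchor[n] == '\0' || anchor[n] == '/') ? 0 : EPERM;
}

int main(void)
{
    printf("host, securelevel 2, pf check:   %d\n",
           pf_modify_allowed(2, 1, 0, ""));
    printf("host, securelevel 2, ipfw-like:  %d\n",
           pf_modify_allowed(2, 2, 0, ""));
    printf("jail 7 -> main ruleset:          %d\n",
           pf_modify_allowed(1, 1, 7, ""));
    printf("jail 7 -> anchor jail.7/web:     %d\n",
           pf_modify_allowed(1, 1, 7, "jail.7/web"));
    return 0;
}
```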