Date: Wed, 18 Apr 2001 20:31:45 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: neswold@fnal.gov
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Protecting IPFW kernel variables...
Message-ID: <200104181831.UAA49728@info.iet.unipi.it>
In-Reply-To: <20010418113053.A34196@spiv.fnal.gov> from Rich Neswold at "Apr 18, 2001 11:30:54 am"
> Hello,
>
> I have a couple of machines that connect to the Internet via a FreeBSD box
> running ipfw. My firewall rules haven't been changed in quite a while, so I
> decided to run the box using secure level 3 (firewall rules can't get
> changed.) I noticed, however, that even at this secure level, I can still
> open my firewall by using sysctl!
>
> The following patch corrects this:
>
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.131.2.23
> diff -r1.131.2.23 ip_fw.c
> 100c100
> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> ---
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>
> The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
> securelevel >= 0, so it is more strict than it needs to be.
>
> Should I submit this?

I think it is a bit late for 4.3, also given that CTLFLAG_SECURE is not
used anywhere.

This reminds me that I had some patches (which I did not commit) to
extend the CTLFLAG_SECURE thing so that it would let you specify a
level L, so the variable could be modified if securelevel<=L and not
otherwise. I think I even posted them to the -security mailing list
some time between dec.2000 and feb.2001.

cheers
luigi

> (Please CC: me in any response. I'm subscribed to -questions, -hackers, and
> -stable, but not -ipfw.)
>
> --
> Rich
>
> ------------------------------------------------------------------------
> Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
> Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
> | fax 1.630.840.3093
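Review bot: the hunk flags only the `enable` sysctl under `_net_inet_ip_fw`; if the goal is that the firewall cannot be opened through sysctl at securelevel 3, any other CTLFLAG_RW sysctl exported from the same file needs the same treatment, otherwise the lock is partial. As the accompanying text says, CTLFLAG_SECURE takes no level argument, so the variable is frozen at lower securelevels too, not only at 3; a per-level flag (the `securelevel <= L` idea in the reply) would match the stated goal better. The patch is also a plain `diff` against revision 1.131.2.23 with no context lines, so it will not apply cleanly anywhere else; a unified diff (`diff -u`) would make it easier to review and apply.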
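The per-level gate Luigi describes (a sysctl stays writable while securelevel <= L and is refused above it), as an added C model that is not code from this thread or from FreeBSD's kern_sysctl.c: the flag bit layout, the CTLFLAG_SECURE_LVL() macro and secure_write_allowed() are constructed for illustration, with the existing CTLFLAG_SECURE treated as the L = 0 case.

```c
#include <stdio.h>

/* Constructed model of the securelevel gate on sysctl writes; the bit
 * layout below is an assumption for illustration, not FreeBSD's own. */
#define CTLFLAG_RW           0x40000000u   /* variable accepts writes at all */
#define CTLFLAG_SECURE_BIT   0x10000000u   /* writes are securelevel-gated */
#define CTLFLAG_SECURE_MASK  0x0000000fu   /* low nibble carries the level L */
/* Luigi's proposal: writable while securelevel <= L, refused above it.
 * The existing single-bit CTLFLAG_SECURE is modelled here as L = 0. */
#define CTLFLAG_SECURE_LVL(L) (CTLFLAG_SECURE_BIT | ((unsigned)(L) & CTLFLAG_SECURE_MASK))
#define CTLFLAG_SECURE        CTLFLAG_SECURE_LVL(0)

/* 1 if a write is permitted at this securelevel, 0 (EPERM in the kernel) otherwise. */
int secure_write_allowed(unsigned flags, int securelevel)
{
    if (!(flags & CTLFLAG_RW))
        return 0;                          /* read-only OID: never writable */
    if (!(flags & CTLFLAG_SECURE_BIT))
        return 1;                          /* plain CTLFLAG_RW: not gated, as the unpatched enable sysctl */
    int level = (int)(flags & CTLFLAG_SECURE_MASK);
    return securelevel <= level;
}

int main(void)
{
    /* The flag choices for net.inet.ip.fw.enable discussed in the thread. */
    struct { const char *name; unsigned flags; } cases[] = {
        { "CTLFLAG_RW (unpatched)",           CTLFLAG_RW },
        { "CTLFLAG_RW|CTLFLAG_SECURE (patch)", CTLFLAG_RW | CTLFLAG_SECURE },
        { "CTLFLAG_RW|CTLFLAG_SECURE_LVL(2)",  CTLFLAG_RW | CTLFLAG_SECURE_LVL(2) },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-36s", cases[i].name);
        for (int sl = -1; sl <= 3; sl++)   /* securelevel runs from -1 to 3 */
            printf(" sl=%2d:%s", sl, secure_write_allowed(cases[i].flags, sl) ? "rw" : "ro");
        printf("\n");
    }
    return 0;
}
```

The table makes the granularity point visible: the single-bit flag freezes `enable` at every positive securelevel, while the level-carrying variant lets the box run at securelevel 2 with the knob still usable and locks it only at 3.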
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104181831.UAA49728>