Date: Mon, 13 Jan 2003 09:17:49 +0100
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <20030113081749.GF9430@garage.freebsd.pl>
In-Reply-To: <200301130807.h0D87urr001783@apollo.backplane.com>
References: <200301120331.h0C3VA2H040455@repoman.freebsd.org> <20030113075934.GE9430@garage.freebsd.pl> <200301130807.h0D87urr001783@apollo.backplane.com>
On Mon, Jan 13, 2003 at 12:07:56AM -0800, Matthew Dillon wrote:
+> This type of failure usually occurs during boot in /etc/rc, before the
+> secure level is set. Another alternative is to boot single-user. The
+> secure level won't be set. We obviously can't support enabling and
+> disabling the firewall once the secure level has been raised.
Exactly, but:
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
&fw_enable, 0, "Enable ipfw");
So where are adequate checks?
I haven't checked, but it looks like we can manipulate net.inet.ip.fw.enable
even if securelevel >= 3. Am I wrong?
--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
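
A user-space model of the concern raised in this message, added here as an example and not code from the FreeBSD tree or from either participant: a node declared with only CTLFLAG_RW accepts a write at any securelevel, while one that also carries a securelevel flag refuses it. Flag names follow FreeBSD's <sys/sysctl.h>; struct model_oid, model_sysctl_write() and fw_enabled_after_disable_attempt() are hypothetical, and the write path is a simplification.

```c
#include <errno.h>
#include <stdio.h>

/* Flag names follow FreeBSD's <sys/sysctl.h>; treat the values as part of
 * this model rather than as a reference for any particular release. */
#define CTLFLAG_RD      0x80000000u
#define CTLFLAG_WR      0x40000000u
#define CTLFLAG_RW      (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE  0x08000000u  /* writes are gated on securelevel */
#define CTLMASK_SECURE  0x00F00000u  /* highest level still allowed to write */
#define CTLSHIFT_SECURE 20
#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (2u << CTLSHIFT_SECURE))

struct model_oid {              /* hypothetical stand-in for a sysctl node */
    unsigned kind;              /* access and securelevel flags */
    int     *value;             /* backing variable, e.g. fw_enable */
};

/* Model of the write path: returns 0 on success, EPERM when refused. */
int model_sysctl_write(const struct model_oid *oid, int securelevel, int newval)
{
    if (!(oid->kind & CTLFLAG_WR))
        return EPERM;                       /* read-only node */
    if (oid->kind & CTLFLAG_SECURE) {
        int max = (int)((oid->kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE);
        if (securelevel > max)
            return EPERM;                   /* securelevel raised too far */
    }
    *oid->value = newval;                   /* no flag, no securelevel check */
    return 0;
}

/* Attempt "fw.enable=0" at the given securelevel; return the resulting state. */
int fw_enabled_after_disable_attempt(unsigned kind, int securelevel)
{
    int fw_enable = 1;
    struct model_oid oid = { kind, &fw_enable };
    (void)model_sysctl_write(&oid, securelevel, 0);
    return fw_enable;
}

int main(void)
{
    for (int lvl = 0; lvl <= 3; lvl++)
        printf("securelevel %d: RW -> %d, RW|SECURE3 -> %d\n", lvl,
            fw_enabled_after_disable_attempt(CTLFLAG_RW, lvl),
            fw_enabled_after_disable_attempt(CTLFLAG_RW | CTLFLAG_SECURE3, lvl));
    return 0;
}
```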
