Date:      Mon, 26 May 2003 05:18:24 +0100
From:      Santos <sansan@cas.port995.com>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfirewall(4)) cannot be changed
Message-ID:  <3ED19590.80309@cas.port995.com>
In-Reply-To: <20030525234819.U21691@gothmog>
References:  <3ED06967.90306@cas.port995.com> <20030525234819.U21691@gothmog>


Giorgos Keramidas wrote:

> On 2003-05-25 07:57, Santos wrote:
> 
>>root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>>3   Network secure mode - same as highly secure mode, plus IP packet
>>     filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>>     dummynet(4) configuration cannot be adjusted.
>>
>>root@vigilante /root cuaa1# sysctl -a |grep secure
>>kern.securelevel: 3
>>[...]
>>root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>>net.inet.ip.fw.enable: 1 -> 0
>>
>>root@vigilante /root cuaa1# ping  216.136.204.21
>>PING 216.136.204.21 (216.136.204.21): 56 data bytes
>>64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>>^C
> 
> 
> Try this patch.  Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
> 
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c	19 Feb 2003 05:47:33 -0000	1.192
> +++ sys/netinet/ip_fw.c	25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@
> 
>  #ifdef SYSCTL_NODE
>  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
>      &fw_enable, 0, "Enable ipfw");
>  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>      &fw_one_pass, 0,
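Review bot: the hunk is against sys/netinet/ip_fw.c revision 1.192, the IPFW1 code path, but the reporter's kernel is 4.8-RELEASE built with `options IPFW2`, so this change never reaches the `net.inet.ip.fw.enable` OID that was actually flipped at securelevel 3; the same CTLFLAG_SECURE3 treatment has to be applied where the IPFW2 source declares that OID, and the macro should be confirmed to exist in the target tree's sys/sysctl.h before building, since the patch is taken from a newer revision than the reported system. The adjacent `one_pass` OID in the same hunk is left at plain CTLFLAG_RW; as it decides whether packets returning from dummynet pipes are evaluated against the rules again, it is worth putting under the same restriction, given that the init(8) text quoted above reserves both rule changes and dummynet adjustments to securelevels below 3.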
> 
> 
> - Giorgos


Sorry, I missed a uname and a grep :)

root@vigilante /root p1# uname -a
FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20 20:19:53 WEST 2003 root@vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE  i386

root@vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
options         IPFW2


I hope this gets fixed; it defeats the purpose of secure levels, at
least of level 3. It would be nice to have a level 4 where sysctl
variables couldn't be changed, but something tells me that isn't
possible... some variables are dynamic and change all the time, no?


Santos
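The check a practitioner would want after reading this thread is a quick way to see which sysctl knobs a host still lets root change at its running securelevel. The script below is an added example, not code from the thread or from FreeBSD: it writes each OID's current value back to itself, which is a genuine sysctl write that a CTLFLAG_SECURE* OID refuses with EPERM once the securelevel reaches its threshold, while a plain CTLFLAG_RW OID (such as net.inet.ip.fw.enable on the reporter's 4.8 kernel) accepts it. The OID list, the SYSCTL override and the AUDIT_RUN gate are my assumptions for the example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which sysctl OIDs a
# running FreeBSD host still lets root change at its current securelevel.
#
# The probe writes each OID's current value back to itself.  That is a
# real sysctl write, so an OID carrying a CTLFLAG_SECURE* flag at or
# above the running securelevel refuses it, while a plain CTLFLAG_RW OID
# accepts it.  Because the value does not change, the host is left as is.
#
# Assumptions (mine, not the thread's): the OID list is what an operator
# would expect securelevel 3 to lock; SYSCTL may be pointed at a wrapper
# or stub to exercise the logic on a non-FreeBSD machine; only integer
# OIDs are probed, since a multi-line string value would not survive the
# name=value form.
SYSCTL="${SYSCTL:-sysctl}"
OIDS="${OIDS:-net.inet.ip.fw.enable net.inet.ip.fw.one_pass}"

# Print the current value of an OID; fail if the OID does not exist.
oid_value() {
    "$SYSCTL" -n "$1" 2>/dev/null
}

# Return 0 if the OID accepts a write at the current securelevel,
# 1 if the write is refused, 2 if the OID does not exist.
oid_writable() {
    oid="$1"
    val="$(oid_value "$oid")" || return 2
    [ -n "$val" ] || return 2
    if "$SYSCTL" "$oid=$val" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Print one line per OID in the list, classified by the probe result.
audit_oids() {
    level="$(oid_value kern.securelevel)" || level="?"
    for oid in $1; do
        oid_writable "$oid" && rc=0 || rc=$?
        case $rc in
            0) echo "WRITABLE  securelevel=$level  $oid" ;;
            1) echo "locked    securelevel=$level  $oid" ;;
            *) echo "missing   $oid" ;;
        esac
    done
}

# Print how many OIDs in the list are still writable; for this list the
# value an operator wants at securelevel 3 is 0.
count_writable() {
    n=0
    for oid in $1; do
        oid_writable "$oid" && n=$((n + 1)) || :
    done
    echo "$n"
}

# Run the audit only when asked, so the file can be sourced for its
# functions without touching any OID:
#   AUDIT_RUN=1 sh audit_sysctl.sh      (as root, on the FreeBSD host)
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_oids "$OIDS"
    echo "still writable: $(count_writable "$OIDS")"
fi
```

On an unpatched 4.8 kernel with `options IPFW2` at securelevel 3 the first line comes out as WRITABLE for net.inet.ip.fw.enable, which is exactly the behaviour the ping test above demonstrated; after an OID is given a CTLFLAG_SECURE3 flag it flips to locked without any other change to the host. Keep the list to integer knobs and do not put kern.securelevel itself in it: rewriting the same level is accepted, so the probe would report it as writable even though it can only be raised.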






Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ED19590.80309>