Date: Fri, 16 Nov 2007 13:00:57 -0500
From: James Lauser <james@jlauser.net>
To: kmacy@FreeBSD.org
Cc: freebsd-pf@FreeBSD.org
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
Message-ID: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
In-Reply-To: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
References: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
I understand that this is defined behavior, which is why I filed the PR as a change-request. I believe it would be useful to modify the state table as a means of preventing an ongoing attack, even if the kernel is in securelevel 3. Changes to the state table are not technically changes to the firewall rules.

It is currently possible, however, to make changes to pf tables through pfctl -T, even in securelevel 3, and this feature _is_ actually changing the firewall rules (though this may be an unintended feature).

--
James L. Lauser
james@jlauser.net
Owner, jlauser.net Hosting Services
http://jlauser.net/

On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:

> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
>> From the securelevel man page:
>
>     3     Network secure mode - same as highly secure mode, plus IP packet
>           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
>           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
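As an added example that is not part of the original message, the PR, or any FreeBSD code: a POSIX shell script that reacts to an attacking host the way the thread implies is still possible at securelevel 3. It always adds the address to a pf table that a block rule references (pfctl -T, which the thread says is accepted at securelevel 3), and runs pfctl -k to kill that host's existing states only when the securelevel is below 3, since the PR reports pfctl -k is refused there. The table name "attackers", the ruleset fragment in the comments, and the PFCTL and SECURELEVEL override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the PR or the FreeBSD tree.
#
# Assumed ruleset (hypothetical; adjust to the real /etc/pf.conf):
#   table <attackers> persist
#   block in quick from <attackers>
#
# PFCTL and SECURELEVEL are overridable so the script can be dry-run
# (PFCTL=echo) or exercised on a non-FreeBSD box (SECURELEVEL=3).

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-attackers}"

# Current kernel securelevel. sysctl(8) only knows kern.securelevel on
# FreeBSD, so fall back to 0 (no securelevel) if it cannot be read.
current_securelevel() {
    if [ -n "$SECURELEVEL" ]; then
        echo "$SECURELEVEL"
    else
        sysctl -n kern.securelevel 2>/dev/null || echo 0
    fi
}

# Block one host.
#   returns 0  table entry added and existing states killed
#   returns 2  table entry added only; pfctl -k skipped because the
#              securelevel is 3 (where the thread says it is refused)
#   returns 1  a pfctl invocation failed
block_host() {
    addr="$1"
    level=$(current_securelevel)

    # Step 1: table change. Accepted at any securelevel per the thread.
    # Caveat: pf matches packets against existing states before it
    # evaluates rules, so this alone stops only new connections.
    "$PFCTL" -t "$TABLE" -T add "$addr" || return 1

    if [ "$level" -ge 3 ]; then
        return 2
    fi

    # Step 2: kill every state whose source address is the attacker.
    "$PFCTL" -k "$addr" || return 1
    return 0
}

# Usage: sh react.sh <attacker-address>
if [ "$#" -eq 1 ]; then
    rc=0
    block_host "$1" || rc=$?
    case "$rc" in
        0) echo "added $1 to <$TABLE> and killed its states" ;;
        2) echo "securelevel 3: added $1 to <$TABLE>; states left in place" ;;
        *) echo "pfctl failed for $1" >&2 ;;
    esac
    exit "$rc"
fi
```

On a pf host run it as `sh react.sh 203.0.113.5`; `PFCTL=echo SECURELEVEL=3 sh react.sh 203.0.113.5` prints the pfctl commands instead of executing them. The table entry goes in before the state kill on purpose: if the kill is refused or the script is interrupted, the attacker is at least blocked from opening anything new, which is exactly the partial result the thread describes as the only option at securelevel 3.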