kern/116645: pfctl -k does not work in securelevel 3
James L. Lauser
james at jlauser.net
Tue Sep 25 18:40:07 PDT 2007
>Number: 116645
>Category: kern
>Synopsis: pfctl -k does not work in securelevel 3
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 26 01:40:06 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: James L. Lauser
>Release: 6.2-STABLE
>Organization:
>Environment:
FreeBSD Pancake.jlauser.net 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #7: Mon May 28 21:18:23 EDT 2007 root at Pancake.jlauser.net:/usr/obj/usr/src/sys/SMP_POLLING amd64
>Description:
When in network secure mode (kern.securelevel=3), pfctl -k does not work, as DIOCKILLSTATES is not permitted. I believe this is counter-intuitive.
If a rule such as "block drop quick from <blacklisted> to any" is present, it is possible to firewall an attacking host by executing 'pfctl -t blacklisted -T add 1.2.3.4', even in network secure mode, but any states that the particular host already has open continue to work, as state table evaluation is done before rule evaluation.
>How-To-Repeat:
Set kern.securelevel to 3, and attempt to kill a firewall state with pfctl -k.
>Fix:
Do not prevent calls to DIOCKILLSTATES when in securelevel 3.
>Release-Note:
>Audit-Trail:
>Unformatted:
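The ordering the report relies on (state-table lookup before rule evaluation, so a freshly blacklisted host keeps its established flows until its states are killed) as a simplified model; this is an added example, not pf source code or the submitter's, and the hosts, ports and the securelevel check are constructed assumptions.

```python
# Simplified model of pf's packet path: the state table is consulted before
# the ruleset, so a host added to a block table keeps its established flows
# until its states are killed. Hosts and ports below are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class PfModel:
    blacklisted: set = field(default_factory=set)  # the <blacklisted> table
    states: set = field(default_factory=set)       # keys: (src, sport, dst, dport)

    def _rules(self, pkt):
        # "block drop quick from <blacklisted> to any", otherwise pass
        return "block" if pkt.src in self.blacklisted else "pass"

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:       # 1. state lookup: a match skips the rules
            return "pass"
        verdict = self._rules(pkt)   # 2. only now is the ruleset evaluated
        if verdict == "pass":
            self.states.add(key)     # pass rules keep state by default
        return verdict

    def table_add(self, host):       # pfctl -t blacklisted -T add <host>
        self.blacklisted.add(host)

    def kill_states(self, host, securelevel=0):  # pfctl -k <host>
        # behaviour reported in the PR: DIOCKILLSTATES is refused at securelevel 3
        if securelevel >= 3:
            raise PermissionError("DIOCKILLSTATES not permitted at securelevel 3")
        self.states = {s for s in self.states if s[0] != host}

def demo(securelevel):
    """Return (verdict after table add, verdict after kill; None if kill refused)."""
    pf = PfModel()
    pkt = Packet("192.0.2.10", "198.51.100.1", 40000, 22)
    pf.filter(pkt)                    # flow established before blacklisting
    pf.table_add("192.0.2.10")
    after_add = pf.filter(pkt)        # still "pass": state table wins
    try:
        pf.kill_states("192.0.2.10", securelevel)
    except PermissionError:
        return after_add, None
    return after_add, pf.filter(pkt)
```

At securelevel 0 the flow is cut only once its state is killed; at securelevel 3 the kill is refused and the established flow keeps passing, which is the gap the report describes.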