[pf4freebsd] Re: pf and securelevel
yongari at kt-is.co.kr
Wed Sep 15 21:04:59 PDT 2004
On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
> Hi all,
> Is it disallowed to change pf rules when FreeBSD is running at securelevel 3
> as it is with ipfw and ipfilter?
OpenBSD defines 4 securelevels (-1, 0, 1 and 2) whereas FreeBSD
supports 5 securelevels (-1, 0, 1, 2 and 3).
So the highest securelevel on OpenBSD is 2. At present, pf
on OpenBSD rejects some ioctl(2)s when the system's securelevel is
higher than 1.
Because FreeBSD's highest securelevel is 3, pf on FreeBSD could
check process credentials against securelevel 3. But at the
time of my first porting, that was ignored. So if you have a
securelevel higher than 1 you can't manipulate the pf ruleset.
If you want the same behavior as ipfw(8), change the check
statement at the beginning of pfioctl() in pf_ioctl.c.
Also, you can use the jail-friendly wrapper function securelevel_gt().
But it's not clear to me how pf should act in a jailed process.
Maybe Max and Daniel have more ideas.
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
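A user-space model of the securelevel gate at the top of pfioctl() that the reply describes, added here as an illustration and not code from this thread or from pf itself. The CMD_* names, pf_ioctl_gate() and its lockdown_above parameter are constructed stand-ins for the real DIOC* ioctl numbers and the kernel's securelevel check; lockdown_above = 1 models pf's current behaviour (writes refused above securelevel 1), lockdown_above = 2 models the ipfw-style behaviour the question asks about (writes refused only at securelevel 3).

```c
/* Model of the check at the beginning of pfioctl(): which pf ioctls
 * survive once the system's securelevel has been raised. Constructed
 * illustration; the command identifiers are NOT the kernel's DIOC* values. */
#include <errno.h>

/* Constructed stand-ins for pf ioctl commands (hypothetical). */
enum pf_cmd {
    CMD_GETRULES,   /* read:  enumerate the ruleset */
    CMD_GETRULE,    /* read:  fetch one rule */
    CMD_GETSTATUS,  /* read:  counters and status */
    CMD_ADDRULE,    /* write: add a rule */
    CMD_BEGINRULES, /* write: open a ruleset transaction */
    CMD_CLRSTATES   /* write: flush the state table */
};

/* Read-only queries stay available even when the ruleset is frozen. */
static int pf_cmd_is_readonly(enum pf_cmd cmd)
{
    switch (cmd) {
    case CMD_GETRULES:
    case CMD_GETRULE:
    case CMD_GETSTATUS:
        return 1;
    default:
        return 0;   /* anything not listed is treated as a write */
    }
}

/* Decide whether an ioctl may proceed.
 *   securelevel    - current kern.securelevel
 *   lockdown_above - writes are refused once securelevel exceeds this
 *                    (1 = pf's current check, 2 = refuse only at level 3)
 *   fwrite         - whether /dev/pf was opened for writing
 * Returns 0 when allowed, otherwise an errno value. Writes are denied
 * by default; only explicitly read-only commands bypass the checks. */
int pf_ioctl_gate(int securelevel, int lockdown_above, int fwrite,
                  enum pf_cmd cmd)
{
    if (pf_cmd_is_readonly(cmd))
        return 0;            /* query: no securelevel or FWRITE needed */
    if (!fwrite)
        return EACCES;       /* descriptor not opened for writing */
    if (securelevel > lockdown_above)
        return EPERM;        /* ruleset frozen by securelevel */
    return 0;
}
```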