kern/116645: pfctl -k does not work in securelevel 3
James Lauser
james at jlauser.net
Fri Nov 16 10:01:00 PST 2007
I understand that this is defined behavior, which is why I filed the
PR as a change-request. I believe it would be useful to modify the
state table as a means of preventing an ongoing attack, even if the
kernel is in securelevel 3. Changes to the state table are not
technically changes to the firewall rules. It is currently possible,
however, to make changes to pf tables through pfctl -T, even in
securelevel 3, and this feature _is_ actually changing the firewall
rules (though this may be an unintended feature).
-- James L. Lauser
james at jlauser.net
Owner, jlauser.net Hosting Services
http://jlauser.net/
On Nov 16, 2007, at 12:53, kmacy at FreeBSD.org wrote:
> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
> From the securelevel man page:
> 3 Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645