kern/116645: pfctl -k does not work in securelevel 3
kip.macy at gmail.com
Fri Nov 16 10:33:12 PST 2007
On Nov 16, 2007 10:00 AM, James Lauser <james at jlauser.net> wrote:
> I understand that this is defined behavior, which is why I filed the
> PR as a change-request. I believe it would be useful to modify the
> state table as a means of preventing an ongoing attack, even if the
> kernel is in securelevel 3. Changes to the state table are not
> technically changes to the firewall rules. It is currently possible,
> however, to make changes to pf tables through pfctl -T, even in
> securelevel 3, and this feature _is_ actually changing the firewall
> rules (though this may be an unintended feature).
> -- James L. Lauser
> james at jlauser.net
> Owner, jlauser.net Hosting Services
Ok, I don't have strong enough feelings on the matter. I'm putting
Robert and Max on the CC to get their thoughts.
> On Nov 16, 2007, at 12:53 , kmacy at FreeBSD.org wrote:
> > Synopsis: pfctl -k does not work in securelevel 3
> > State-Changed-From-To: open->closed
> > State-Changed-By: kmacy
> > State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> > State-Changed-Why:
> > From the securelevel man page:
> >
> >      3     Network secure mode - same as highly secure mode, plus IP packet
> >            filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> >            changed and dummynet(4) or pf(4) configuration cannot be
> >            adjusted.
> > You are seeing the defined behavior.
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=116645