[pf4freebsd] Re: pf and securelevel

Max Laier max at love2party.net
Wed Sep 15 21:05:04 PDT 2004


On Tuesday 08 June 2004 06:17, Pyun YongHyeon wrote:
> On Mon, Jun 07, 2004 at 04:35:17PM +0100, Nuno Antunes wrote:
>  > Hi all,
>  >
>  > Is it disallowed to change pf rules when FreeBSD is running at
>  > securelevel 3 as it is with ipfw and ipfilter?
>
> OpenBSD defines four securelevels (-1, 0, 1 and 2) whereas FreeBSD
> supports five securelevels (-1, 0, 1, 2 and 3).
> So the highest securelevel on OpenBSD is 2. At present, pf
> on OpenBSD rejects some ioctls(2) when the system's securelevel is
> higher than 1.
>
> Because FreeBSD's highest securelevel is 3, pf on FreeBSD can
> check process credentials with securelevel 3. But at the
> time of my first porting, that was ignored. So if you have
> a securelevel higher than 1 you can't manipulate the pf ruleset.
>
> If you want the same behavior as ipfw(8), change the check
> statement at the beginning of pfioctl() in pf_ioctl.c.
> Also, you can use the jail-friendly wrapper function securelevel_gt().
> But it's not clear to me how pf should act in a jailed process.
> Maybe Max and Daniel have more ideas.

I have been thinking about this recently in connection with: 
http://people.freebsd.org/~mlaier/jailed.patch which allows filtering tcp/udp 
connections based on whether they are inside jails (e.g. you could allow only 
connections to a successfully jailed httpd: "pass in on $ext_if proto tcp from 
any to $jail_ip port 22 user www jailed keep state" or other things of that kind).

The conclusion for the above problem is:
1) Jailed root should normally not be able to modify the filter rules.
2) Real root might want to allow jailed root to configure certain things 
inside its own jail.

The implementation I am looking for at the moment would work like this:
1) Real root places anchors with a special name inside the ruleset.
2) Jailed root can place its rules inside these anchors.

This will give real root the full control over what jailed root can and can 
not manipulate without changing much code. It will boil down to a few extra 
checks in pf_ioctl.c ...

At the moment I am busy with ALTQ and maybe CARP in a bit so the FreeBSD 
specific stuff will rest for the moment. I will, however, try to commit the 
jailed patch once the 3.5 import is done.

-- 
Best regards,				| mlaier at freebsd.org
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier at EFnet
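An added pf.conf sketch of the anchor scheme Max outlines (real root reserves named anchors, jailed root may only load rules into them). This is illustration only, not code from the jailed patch or from pf; the anchor name "jail/www", interface and addresses are made up, it uses current pf anchor syntax rather than the 3.5 import discussed, and the "jailed" keyword exists only with the patch linked above, not in stock pf.

```pf
# Constructed example, not from the patch or from pf itself.
ext_if  = "em0"          # assumed interface name
jail_ip = "192.0.2.10"   # constructed example address of the jail

# Real root's main ruleset: default deny on the outside interface.
block in on $ext_if

# Only valid with jailed.patch applied: the socket must belong to uid www
# AND live inside a jail, so an un-jailed www process gets nothing.
pass in on $ext_if proto tcp from any to $jail_ip port 80 \
    user www jailed keep state

# Real root reserves an anchor for the jail. Narrowing the anchor itself
# (interface, proto, destination) caps whatever jailed root loads into it.
anchor "jail/www" in on $ext_if proto tcp to $jail_ip

# Jailed root would then load its own rules into that anchor only:
#   pfctl -a jail/www -f /etc/pf.jail.conf
# while "pfctl -f /etc/pf.conf" from inside the jail is refused by the
# extra checks in pf_ioctl.c, so the main ruleset stays out of reach.
```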

