ipfirewall(4)) cannot be changed

Santos sansan at cas.port995.com
Sun May 25 21:17:57 PDT 2003 

Giorgos Keramidas wrote:

> On 2003-05-25 07:57, Santos wrote:
> 
>>root at vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>>3   Network secure mode - same as highly secure mode, plus IP packet
>>     filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>>     dummynet(4) configuration cannot be adjusted.
>>
>>root at vigilante /root cuaa1# sysctl -a |grep secure
>>kern.securelevel: 3
>>[...]
>>root at vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>>net.inet.ip.fw.enable: 1 -> 0
>>
>>root at vigilante /root cuaa1# ping  216.136.204.21
>>PING 216.136.204.21 (216.136.204.21): 56 data bytes
>>64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>>^C
> 
> 
> Try this patch.  Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
> 
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c	19 Feb 2003 05:47:33 -0000	1.192
> +++ sys/netinet/ip_fw.c	25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@
> 
>  #ifdef SYSCTL_NODE
>  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
>      &fw_enable, 0, "Enable ipfw");
>  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>      &fw_one_pass, 0,
> 
> 
> - Giorgos


Sorry i missed a uname and a grep :)

root at vigilante /root p1# uname -a
FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20 
20:19:53 WEST 2003 
root at vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE  i386

root at vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
options         IPFW2


I hope this gets fixed, it defeats the purpose of secure levels, at 
least, of the 3 one. It would be nice to have a 4 level where sysctl 
variables couldn't be changed, but something tells me that isn't 
possible... some variables are dynamic, change all the time, no?


Santos

More information about the freebsd-security mailing list