ipfirewall(4)) cannot be changed
Santos
sansan at cas.port995.com
Sun May 25 21:17:57 PDT 2003
Giorgos Keramidas wrote:
> On 2003-05-25 07:57, Santos wrote:
>
>>root at vigilante /root cuaa1# man init |tail -n 130 |head -n 5
>>
>>3 Network secure mode - same as highly secure mode, plus IP packet
>> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
>> dummynet(4) configuration cannot be adjusted.
>>
>>root at vigilante /root cuaa1# sysctl -a |grep secure
>>kern.securelevel: 3
>>[...]
>>root at vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
>>net.inet.ip.fw.enable: 1 -> 0
>>
>>root at vigilante /root cuaa1# ping 216.136.204.21
>>PING 216.136.204.21 (216.136.204.21): 56 data bytes
>>64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
>>^C
>
>
> Try this patch. Unless of course, you're not using IPFW version 1,
> in which case someone more knowledgeable will hopefully correct me :)
>
> <<<<<<<
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.192
> diff -u -r1.192 ip_fw.c
> --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
> +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
> @@ -95,7 +95,7 @@
>
> #ifdef SYSCTL_NODE
> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
> &fw_enable, 0, "Enable ipfw");
> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
> &fw_one_pass, 0,
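Review bot: this flag change only covers the IPFW1 sysctl in ip_fw.c, while the report below shows a kernel built with `options IPFW2` (`grep -i ipfw /sys/i386/conf/VIGILANTE`), whose `net.inet.ip.fw.enable` is declared in ip_fw2.c, so the same `CTLFLAG_RW|CTLFLAG_SECURE3` has to be applied there for it to have any effect on the reporter's 4.8-RELEASE box; the diff is also cut against ip_fw.c revision 1.192 of 19 Feb 2003 rather than a 4.8 tree, so confirm that `CTLFLAG_SECURE3` is defined on the branch being patched. A second point: `one_pass` directly below, and any other net.inet.ip.fw.* knobs left as plain `CTLFLAG_RW`, stay writable at securelevel 3, which is at odds with the init(8) text quoted above saying filter configuration cannot be changed in network secure mode; protecting them the same way would make the behaviour match the documentation.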
>
>
> - Giorgos
Sorry, I missed a uname and a grep :)
root at vigilante /root p1# uname -a
FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20
20:19:53 WEST 2003
root at vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE i386
root at vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
options IPFW2
I hope this gets fixed; it defeats the purpose of secure levels, at
least of level 3. It would be nice to have a level 4 where sysctl
variables couldn't be changed, but something tells me that isn't
possible... some variables are dynamic and change all the time, no?
Santos