ipfirewall(4)) cannot be changed

Giorgos Keramidas keramida at ceid.upatras.gr
Mon May 26 00:54:56 PDT 2003


On 2003-05-26 05:18, Santos <sansan at cas.port995.com> wrote:
> Giorgos Keramidas wrote:
> >Try this patch.  Unless of course, you're not using IPFW version 1,
> >in which case someone more knowledgeable will hopefully correct me :)
> >
> ><<<<<<<
> >Index: ip_fw.c
> >===================================================================
> >RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> >retrieving revision 1.192
> >diff -u -r1.192 ip_fw.c
> >--- sys/netinet/ip_fw.c	19 Feb 2003 05:47:33 -0000	1.192
> >+++ sys/netinet/ip_fw.c	25 May 2003 20:46:37 -0000
> >@@ -95,7 +95,7 @@
> >
> > #ifdef SYSCTL_NODE
> > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> >-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> >+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
> >     &fw_enable, 0, "Enable ipfw");
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
> >     &fw_one_pass, 0,
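Review bot: `CTLFLAG_SECURE3` must be defined in the target kernel's `sys/sysctl.h` for this hunk to compile; the diff is against revision 1.192 of `ip_fw.c`, and the reply below ("missed a uname and a grep") indicates the reporter's tree is a different branch, so check for the flag there (for example `grep CTLFLAG_SECURE3 /usr/src/sys/sys/sysctl.h`) before applying, and fall back to an explicit securelevel check in a `SYSCTL_PROC` handler if it is missing.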
>
> Sorry I missed a uname and a grep :)

Ah, that's fine.  I don't have the time to test it now, but something
similar to the following should do the trick.  Sorry for not running
this through a compile and a test run, but this is a very hectic day.
Someone with enough time to run a full buildworld/buildkernel and fix
any errors I have made should check that this fixes the problem and then
notify the security officer.  It looks like something that would be nice
to have in STABLE *and* the security branches IMHO.

<<<<<<<
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.39
diff -u -r1.131.2.39 ip_fw.c
--- ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
+++ ip_fw.c	26 May 2003 07:50:05 -0000
@@ -94,9 +94,25 @@
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
 #ifdef SYSCTL_NODE
+
+static int
+sysctl_fw_enable(SYSCTL_HANDLER_ARGS)
+{
+        int error, v;
+
+	if (securelevel >= 3)
+		return (ENOPERM);
+
+        error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req);
+        if (error || !req->newptr)
+                return (error);
+
+        return (0);
+}
+
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
-    &fw_enable, 0, "Enable ipfw");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
+    &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
     &fw_one_pass, 0, 
     "Only do a single pass through ipfw when using dummynet(4)");
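Review bot: `ENOPERM` on the `if (securelevel >= 3)` line is not an errno value and will not compile; the intended constant is `EPERM`. The same check also fires on reads, since it runs before `sysctl_handle_int()` regardless of whether a new value is being supplied, so at securelevel 3 `sysctl net.inet.ip.fw.enable` can no longer even be queried; gate it on a write instead, e.g. `if (req->newptr != NULL && securelevel >= 3) return (EPERM);`. After that, `if (error || !req->newptr) return (error);` followed by `return (0);` reduces to `return (error);`. The new handler also mixes eight-space and tab indentation (`int error, v;` and the `sysctl_handle_int` lines versus the `if (securelevel ...)` block), and `v` is declared but never used; pick one indentation style and drop the unused variable.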
>>>>>>>