From owner-freebsd-ipfw Mon Apr 23 7:53:15 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from spiv.fnal.gov (spiv.fnal.gov [131.225.124.126])
	by hub.freebsd.org (Postfix) with ESMTP id 74D1037B423
	for ; Mon, 23 Apr 2001 07:53:12 -0700 (PDT)
	(envelope-from neswold@spiv.fnal.gov)
Received: (from neswold@localhost)
	by spiv.fnal.gov (8.9.3/8.9.3) id JAA81627;
	Mon, 23 Apr 2001 09:53:09 -0500 (CDT)
	(envelope-from neswold)
Date: Mon, 23 Apr 2001 09:53:09 -0500
From: Rich Neswold
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Protecting IPFW kernel variables...
Message-ID: <20010423095308.A81556@spiv.fnal.gov>
Reply-To: neswold@fnal.gov
References: <20010418113053.A34196@spiv.fnal.gov> <200104181831.UAA49728@info.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200104181831.UAA49728@info.iet.unipi.it>; from luigi@info.iet.unipi.it on Wed, Apr 18, 2001 at 08:31:45PM +0200
Organization: Fermi National Accelerator Laboratory
X-PGP-RSAfprint: 0A C8 A5 76 DF 8E E1 B3 F3 97 BE 73 DA CD 4B C9
X-PGP-RSAkey: ftp://ftp.mcs.net/mcsnet.users/rneswold/pub.key
X-Operating-System: FreeBSD 3.4-STABLE
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If memory serves, didn't Luigi Rizzo say:
> > I noticed, however, that even at this secure level, I can still open my
> > firewall by using sysctl!
> >
> > The following patch corrects this:
> >
> I think it is a bit late for 4.3 also given that CTLFLAG_SECURE is not
> used anywhere.

If the kernel secure level is >= 0, then my patch would also prevent the
system administrator from turning on the firewall (provided it was off
before increasing the kernel secure level.)

I'm going to upgrade my systems to 4.3 and try this patch out for a while
before committing it.

--
Rich

------------------------------------------------------------------------
Richard Neswold, Beams Division / Controls Dept | neswold@fnal.gov
Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
                                                | fax   1.630.840.3093

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message