Date: Thu, 20 Jan 2005 19:32:01 -0800
From: Andrew Konstantinov
To: freebsd-stable@freebsd.org
Subject: secure level 2 unable to modify pf rules
Message-ID: <20050121033201.GA81807@warrior.kableu.com>

Hello,

The manual page for securelevel says that secure level 3 provides the same functionality as secure level 2 plus the protection of pf/ipf/ipfw against modification. Since pf/ipf/ipfw protection is an addition, I assume that it should not be present with secure level 2. For some reason that's not the reality.

gater# id
uid=0(root) gid=0(wheel) groups=0(wheel), 5(operator)
gater# uname -rs
FreeBSD 5.3-RELEASE-p5
gater# sysctl kern.securelevel
kern.securelevel: 2
gater# pfctl -F all
pfctl: pfctl_clear_rules: Operation not permitted
gater#

Is there a bug in the documentation or in the implementation of secure level? Or perhaps, did I misinterpret something?

Thanks in advance,
Andrew