Date:      Mon, 14 May 2001 22:21:18 +0700
From:      Igor Podlesny <poige@morning.ru>
To:        Peter Pentchev <roam@orbitel.bg>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re[2]: ipfw rules and securelevel
Message-ID:  <5523460344.20010514222118@morning.ru>
In-Reply-To: <20010514170927.A849@ringworld.oblivion.bg>
References:  <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg>



> On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
>> 
>> >> Dear friends,
>> >>         Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
>> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
>> >> I run a command
>> 
>> >>         sysctl -w net.inet.ip.fw.enable=0
>> 
>> >>         It disables the ipfw rules.
>> 
>> >> Is it a feature or hole in freebsd.
>> 
>> > doesn't matter how it is called, only matters how it hurts... (it does)
>> 
>> >> please help
>> 
>> the "patch" (hard to call it a patch, but nevertheless) is adding
>> CTLFLAG_SECURE to the relevant definition of the node:
>> 
>> this diff out is for 3.5 stable:
>> 
>> 92c92
>> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,                
>> ---                                                                        
>> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, 

> Patches/diffs are usually much easier to review and apply if they are
> in context or unified diff format - this helps when the patch is made
> against a possibly changed file :)  And.. well.. it might be obvious
> to you (in this case it's pretty obvious to figure out ;), but still
> it helps a lot to mention which file(s) the patch is against :)

oh, you're right :)

it was
/usr/src/sys/netinet/ip_fw.c

unified diff:

--- /usr/src/sys/netinet/ip_fw.c.orig   Fri Mar 23 19:44:27 2001
+++ /usr/src/sys/netinet/ip_fw.c        Mon May 14 22:15:55 2001           
@@ -89,7 +89,7 @@                                                          
                                                                           
 #ifdef SYSCTL_NODE                                                        
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");       
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,                 
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,  
     &fw_enable, 0, "Enable ipfw");                                        
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,                 
     &fw_one_pass, 0,                                                      
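Review bot: the hunk only hardens `enable`; `one_pass`, declared two lines below with plain `CTLFLAG_RW`, stays writable by root at any securelevel, as does every other knob in this node that is not shown here. Since the securelevel check applies per OID, a reviewer would want the remaining `CTLFLAG_RW` entries under `_net_inet_ip_fw` reviewed for the same treatment, and the commit message should state that `net.inet.ip.fw.enable` now becomes read-only once securelevel is raised above 0, since that changes administration behaviour for anyone who toggles it at runtime.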


> G'luck,
> Peter




-- 
 Igor                            mailto:poige@morning.ru
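To make the effect of the patch concrete, here is an added example (not code from the thread or from the FreeBSD tree) that models the sysctl(9) write check: a `CTLFLAG_SECURE` OID refuses writes once securelevel is above 0, while a plain `CTLFLAG_RW` OID such as `one_pass` stays writable. The OID table, the `sysctl_write` and `count_writable` functions and the flag bit values are simplified stand-ins copied into this file for illustration, not the kernel's own definitions.

```c
/* Added example: a small model of how sysctl_root() treats CTLFLAG_SECURE.
 * Flag bit values are copied here as assumptions for the demo, not included
 * from the kernel's sys/sysctl.h. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CTLFLAG_RD     0x80000000u   /* assumed bit values for the model */
#define CTLFLAG_WR     0x40000000u
#define CTLFLAG_RW     (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE 0x08000000u

struct oid { const char *name; unsigned flags; int value; };

/* The ipfw node as it looks after the patch in the hunk above:
 * enable carries CTLFLAG_SECURE, one_pass is still plain CTLFLAG_RW. */
static struct oid fw_oids[] = {
    { "net.inet.ip.fw.enable",   CTLFLAG_RW | CTLFLAG_SECURE, 1 },
    { "net.inet.ip.fw.one_pass", CTLFLAG_RW,                  1 },
};
#define NOIDS (sizeof fw_oids / sizeof fw_oids[0])

/* Model of the write path: 0 on success, else an errno value.
 * The securelevel test mirrors the kernel rule: SECURE OIDs are
 * writable only while securelevel <= 0. */
int sysctl_write(const char *name, int newval, int securelevel) {
    for (size_t i = 0; i < NOIDS; i++) {
        struct oid *o = &fw_oids[i];
        if (strcmp(o->name, name) != 0)
            continue;
        if (!(o->flags & CTLFLAG_WR))
            return EPERM;                      /* read-only OID */
        if ((o->flags & CTLFLAG_SECURE) && securelevel > 0)
            return EPERM;                      /* locked down by securelevel */
        o->value = newval;
        return 0;
    }
    return ENOENT;                             /* no such OID */
}

/* Audit helper: how many OIDs in the node root could still change
 * at the given securelevel. Useful when deciding which of the
 * remaining CTLFLAG_RW knobs deserve CTLFLAG_SECURE as well. */
int count_writable(int securelevel) {
    int n = 0;
    for (size_t i = 0; i < NOIDS; i++)
        if ((fw_oids[i].flags & CTLFLAG_WR) &&
            !((fw_oids[i].flags & CTLFLAG_SECURE) && securelevel > 0))
            n++;
    return n;
}
```

At securelevel 3 the model reports that `enable` is refused with EPERM while `one_pass` still accepts a write, which is exactly the residual exposure a reviewer of this patch would flag.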
