Date: Tue, 10 Jul 2001 21:20:08 -0600
From: freebsd <freebsd@hobbydump.com>
To: freebsd-security@freebsd.org
Subject: securelevel AND ipfilter
Message-ID: <20010710212008.A22314@hobbydump.com>
Does anyone know why I cannot change my ipfilter rules while in multi-user mode at kern_securelevel=2? Here are the settings in my rc.conf:

kern_securelevel_enable="YES"
kern_securelevel="2"

I'm using a GENERIC kernel with these mods:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

When reading man securelevel I understand it to be disallowed at level 3, not 2.

> 2 Highly secure mode - same as secure mode, plus disks may not be
> opened for writing (except by mount(2)) whether mounted or not.
> This level precludes tampering with filesystems by unmounting them,
> but also inhibits running newfs(8) while the system is multi-user.
>
> In addition, kernel time changes are restricted to less than or
> equal to one second. Attempts to change the time by more than this
> will log the message ``Time adjustment clamped to +1 second''.
>
> 3 Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
> dummynet(4) configuration cannot be adjusted.

I'm running the command

ipf -Fa -f /etc/ipf.rules

and I get output that looks like:

ioctl(SIOCIPFFL): Operation not permitted
etc...

Thanks for the help,
Sheldon Jones
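The operational caveat behind the question above, as an added example that is not part of the original message or of FreeBSD's own scripts: a small sh wrapper that checks the running kern.securelevel before trying to load an IPFilter rule set, and syntax-checks the file with ipf -n (which parses without making any ioctl calls) so the check works at any securelevel. The thresholds it encodes are assumptions drawn from the page itself: ipfw rules freeze at level 3 per the quoted securelevel(8) text, and ipf ioctls are refused at level 2 per the EPERM the poster reports. The function names and the default rules path are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether an IPFilter rule
# set can still be loaded on a FreeBSD host running at a raised securelevel,
# and syntax-check the file before touching the kernel.
#
# Assumptions (not stated on the page): the thresholds in freeze_level() come
# from the quoted securelevel(8) text (ipfw frozen at level 3) and from the
# behaviour the poster reports (ipf ioctls refused with EPERM at level 2).
# The default rules path and all function names are this example's own.

# Print the running securelevel (-1, 0, 1, 2 or 3). Falls back to 0 when
# sysctl is unavailable so the helper can be exercised off a FreeBSD box.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo 0
}

# Lowest securelevel at which runtime rule changes for a tool are refused.
#   ipfw: 3, per securelevel(8) as quoted above
#   ipf:  2, per the EPERM the poster sees (assumption from that report)
freeze_level() {
    case $1 in
    ipfw) echo 3 ;;
    ipf)  echo 2 ;;
    *)    echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# Print "apply" when the tool's rules can still be changed at the given
# securelevel, "stage" when they cannot. At "stage" the only options are to
# edit the boot-time rules file and reboot (rc loads it before raising the
# securelevel) or to boot single-user: securelevel is never lowered on a
# running system.
plan_for() {
    tool=$1
    level=$2
    limit=$(freeze_level "$tool") || return 1
    if [ "$level" -ge "$limit" ]; then
        echo stage
    else
        echo apply
    fi
}

# Load an ipf rule set, or explain why it cannot be loaded right now.
# ipf -n parses the file but makes no ioctl calls; -v shows what would be
# loaded, so parse errors are visible before the real -Fa -f run.
load_ipf_rules() {
    file=${1:-/etc/ipf.rules}
    level=$(current_securelevel)
    case $(plan_for ipf "$level") in
    apply)
        ipf -nv -f "$file" && ipf -Fa -f "$file"
        ;;
    stage)
        echo "kern.securelevel=$level: ipf ioctls return EPERM;" >&2
        echo "edit $file and reboot for the new rules to take effect." >&2
        return 1
        ;;
    esac
}
```

Run it as `load_ipf_rules /etc/ipf.rules` from a root shell. On the poster's host (kern_securelevel="2") it stops at the "stage" branch instead of producing the ioctl(SIOCIPFFL) errors; lowering the level is not an option, so the rules file has to be changed on disk and picked up at the next boot, which is also the moment to confirm the syntax with ipf -nv before rebooting.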