Date: Tue, 12 Oct 1999 13:43:38 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: freebsd-security@freebsd.org
Subject: ipfilter and securelevels
Message-ID: <Pine.BSF.4.05.9910121340340.8060-100000@cactus.fi.uba.ar>
While configuring a FreeBSD Box as a firewall with IPFilter, I've noticed that you can still change the filter rules even if securelevel > 1. I have merged the changes made by the OpenBSD people to prevent this into ip_fil.c, and I will file a PR with the patch unless there is a reason to leave ipfilter as it is now. Here's the patch:

----------------8< cut here ---------------------------------------- *** ip_fil.c.orig Sun Oct 10 21:31:12 1999 --- ip_fil.c Sun Oct 10 21:43:32 1999 *************** *** 364,367 **** --- 364,396 ---- #endif + # if defined(__OpenBSD__) || defined (__FreeBSD__) + if (securelevel > 1) { + switch (cmd) { + # ifndef IPFILTER_LKM + case SIOCFRENB: + # endif + case SIOCSETFF: + case SIOCADAFR: + case SIOCADIFR: + case SIOCINAFR: + case SIOCINIFR: + case SIOCRMAFR: + case SIOCRMIFR: + case SIOCZRLST: + case SIOCSWAPA: + case SIOCFRZST: + case SIOCIPFFL: + # ifdef IPFILTER_LOG + case SIOCIPFFB: + # endif + case SIOCADNAT: + case SIOCRMNAT: + case SIOCFLNAT: + case SIOCCNATL: + return EPERM; + } + } + # endif + SPL_NET(s); ----------------8< cut here ----------------------------------------

Fer
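Review bot: the `# ifndef IPFILTER_LKM` wrapped around `case SIOCFRENB:` is the one spot where the new check is weaker in a module build than in a compiled-in kernel, since it leaves enabling and disabling the whole filter permitted at securelevel > 1 there; if that asymmetry is deliberate (carried over from the OpenBSD change), a one-line comment above the `switch` saying why should go in with the patch, and the block as a whole would read better with a comment stating that these ioctls add, remove, swap or flush rules, NAT entries and state and are therefore refused with EPERM once securelevel > 1. Minor style point: `defined (__FreeBSD__)` has a stray space where `defined(__OpenBSD__)` on the same line has none.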