Date: Tue, 12 Oct 1999 13:43:38 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: freebsd-security@freebsd.org
Subject: ipfilter and securelevels
Message-ID: <Pine.BSF.4.05.9910121340340.8060-100000@cactus.fi.uba.ar>
While configuring a FreeBSD box as a firewall with IPFilter, I've noticed
that you can still change the filter rules even if securelevel > 1.
I have merged the changes made by the OpenBSD people to
prevent this into ip_fil.c, and I will file a PR with the patch unless there
is a reason to leave ipfilter as it is now.
Here's the patch:
----------------8< cut here ----------------------------------------
*** ip_fil.c.orig Sun Oct 10 21:31:12 1999
--- ip_fil.c Sun Oct 10 21:43:32 1999
***************
*** 364,367 ****
--- 364,396 ----
#endif
+ # if defined(__OpenBSD__) || defined (__FreeBSD__)
+ if (securelevel > 1) {
+ switch (cmd) {
+ # ifndef IPFILTER_LKM
+ case SIOCFRENB:
+ # endif
+ case SIOCSETFF:
+ case SIOCADAFR:
+ case SIOCADIFR:
+ case SIOCINAFR:
+ case SIOCINIFR:
+ case SIOCRMAFR:
+ case SIOCRMIFR:
+ case SIOCZRLST:
+ case SIOCSWAPA:
+ case SIOCFRZST:
+ case SIOCIPFFL:
+ # ifdef IPFILTER_LOG
+ case SIOCIPFFB:
+ # endif
+ case SIOCADNAT:
+ case SIOCRMNAT:
+ case SIOCFLNAT:
+ case SIOCCNATL:
+ return EPERM;
+ }
+ }
+ # endif
+
SPL_NET(s);
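Review bot: the `# ifndef IPFILTER_LKM` guard around `case SIOCFRENB:` means that in an LKM build this ioctl, which enables or disables the filter, is left out of the `securelevel > 1` gate, so root can still switch the filter off at high securelevel even though rule changes are refused; either drop the guard so SIOCFRENB is always covered, or add a comment in the hunk explaining why LKM builds need it ungated. Minor style point: `defined (__FreeBSD__)` has a space that `defined(__OpenBSD__)` on the same line does not.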
----------------8< cut here ----------------------------------------
Fer
