Date:      Wed, 18 Apr 2001 11:30:54 -0500
From:      Rich Neswold <neswold@fnal.gov>
To:        freebsd-ipfw@freebsd.org
Subject:   Protecting IPFW kernel variables...
Message-ID:  <20010418113053.A34196@spiv.fnal.gov>

Hello,

I have a couple of machines that connect to the Internet via a FreeBSD box
running ipfw. My firewall rules haven't been changed in quite a while, so I
decided to run the box using secure level 3 (firewall rules can't get
changed.) I noticed, however, that even at this secure level, I can still
open my firewall by using sysctl!

The following patch corrects this:

    RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
    retrieving revision 1.131.2.23
    diff -r1.131.2.23 ip_fw.c
    100c100
    < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    ---
    > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECU=
RE,
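
Review bot: CTLFLAG_SECURE on the enable OID (line 100) is, by the message's own description, stricter than the goal: it locks the variable from securelevel 0 upward rather than at the securelevel 3 threshold where the rule set is frozen, so a host running at a lower securelevel, where rules can still be edited, would lose the ability to toggle the firewall through sysctl. Consider registering the OID with SYSCTL_PROC and a handler that returns EPERM on writes only when securelevel >= 3, so the knob follows the same threshold as rule changes. The hunk touches only enable, so any other writable OIDs under _net_inet_ip_fw deserve the same check, and a unified diff (diff -u) would give reviewers the surrounding context.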

The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
securelevel >= 0, so it is more strict than it needs to be.

Should I submit this?

(Please CC: me in any response. I'm subscribed to -questions, -hackers, and
-stable, but not -ipfw.)

--
  Rich

 ------------------------------------------------------------------------
  Richard Neswold, Beams Division / Controls Dept |     neswold@fnal.gov
  Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
                                                  |   fax 1.630.840.3093
