Date:      Wed, 18 Apr 2001 20:31:45 +0200 (CEST)
From:      Luigi Rizzo <luigi@info.iet.unipi.it>
To:        neswold@fnal.gov
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Protecting IPFW kernel variables...
Message-ID:  <200104181831.UAA49728@info.iet.unipi.it>
In-Reply-To: <20010418113053.A34196@spiv.fnal.gov> from Rich Neswold at "Apr 18, 2001 11:30:54 am"

> Hello,
> 
> I have a couple of machines that connect to the Internet via a FreeBSD box
> running ipfw. My firewall rules haven't been changed in quite a while, so I
> decided to run the box using secure level 3 (firewall rules can't get
> changed.) I noticed, however, that even at this secure level, I can still
> open my firewall by using sysctl!
> 
> The following patch corrects this:
> 
>     RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
>     retrieving revision 1.131.2.23
>     diff -r1.131.2.23 ip_fw.c
>     100c100
>     < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>     ---
>     > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
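Review bot: The message itself notes that CTLFLAG_SECURE refuses writes from securelevel 0 upward rather than only at the level 3 where the ipfw rule set becomes immutable, so this one-line change makes `net.inet.ip.fw.enable` unchangeable on every hardened box, including ones that deliberately run below 3 and toggle the firewall from userland; if that is not the intended tradeoff, a level-aware flag or an explicit securelevel test in the sysctl handler fits better than the blanket flag. The hunk also only covers the `enable` OID while the subject speaks of variables in the plural; any other writable SYSCTL_INT entries in ip_fw.c that affect filtering need the same flag, or the protection is partial. Minor: post it as `diff -u` so the change carries context, and write `CTLFLAG_RW | CTLFLAG_SECURE` with spaces around the operator per style(9).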
> 
> The CTLFLAG_SECURE flag doesn't allow the variable to be changed when
> securelevel >= 0, so it is more strict than it needs to be.
> 
> Should I submit this?

I think it is a bit late for 4.3, also given that CTLFLAG_SECURE
is not used anywhere. This reminds me that I had some
patches (which I did not commit) to extend the CTLFLAG_SECURE
thing so that it would let you specify a level L, so
the variable could be modified if securelevel <= L and not
otherwise.

I think I even posted them to the -security mailing list some
time between Dec. 2000 and Feb. 2001.

	cheers
	luigi
> (Please CC: me in any response. I'm subscribed to -questions, -hackers, and
> -stable, but not -ipfw.)
> 
> -- 
>   Rich
>  
>  ------------------------------------------------------------------------
>   Richard Neswold, Beams Division / Controls Dept |     neswold@fnal.gov
>   Fermilab, PO Box 500, MS 360, Batavia, IL 60510 | voice 1.630.840.3454
>                                                   |   fax 1.630.840.3093
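The level-aware variant of CTLFLAG_SECURE sketched in the reply above, worked through as an added C example. It is not code from this thread or from the FreeBSD tree: the flag values, the CTLSHIFT_SECURE/CTLMASK_SECURE encoding, the function names and the three-entry OID table standing in for the SYSCTL_INT lines in ip_fw.c are all assumptions made for the illustration. A lock level L is packed into the OID's flag word, and a write succeeds only while securelevel <= L, so `enable` can be locked at securelevel 3 (L = 2) while a plain CTLFLAG_SECURE entry locks as soon as securelevel exceeds 0.

```c
/*
 * Added illustration, not FreeBSD code: a CTLFLAG_SECURE that carries a
 * level L.  A write to the OID is permitted only while securelevel <= L.
 * All flag values, names and the OID table below are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CTLFLAG_RD      0x80000000u   /* readable */
#define CTLFLAG_WR      0x40000000u   /* writable */
#define CTLFLAG_RW      (CTLFLAG_RD | CTLFLAG_WR)
#define CTLFLAG_SECURE  0x08000000u   /* writes gated by securelevel */
#define CTLSHIFT_SECURE 20            /* bit position of the level L */
#define CTLMASK_SECURE  (0x3u << CTLSHIFT_SECURE)
/* Encode L (0..3): the OID stays writable while securelevel <= L. */
#define CTLFLAG_SECURE_LVL(L) \
    (CTLFLAG_SECURE | (((unsigned)(L) & 0x3u) << CTLSHIFT_SECURE))

struct oid {
    const char *name;
    unsigned    kind;
    int         value;
};

/* Constructed sample table standing in for the SYSCTL_INT entries. */
static struct oid oids[] = {
    /* plain CTLFLAG_SECURE behaviour: locked once securelevel > 0 */
    { "net.inet.ip.fw.one_pass", CTLFLAG_RW | CTLFLAG_SECURE_LVL(0), 1 },
    /* locked only at securelevel 3, when the rule set itself locks */
    { "net.inet.ip.fw.enable",   CTLFLAG_RW | CTLFLAG_SECURE_LVL(2), 1 },
    /* ordinary RW entry: never gated */
    { "net.inet.ip.fw.verbose",  CTLFLAG_RW,                         0 },
};

/* Extract L from the flag word; -1 if the OID is not securelevel-gated. */
int oid_secure_level(unsigned kind)
{
    if (!(kind & CTLFLAG_SECURE))
        return -1;
    return (int)((kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE);
}

/* Return 0 if a write is permitted at this securelevel, else EPERM. */
int sysctl_write_check(unsigned kind, int securelevel)
{
    int lvl;

    if (!(kind & CTLFLAG_WR))
        return EPERM;                 /* read-only OID */
    lvl = oid_secure_level(kind);
    if (lvl >= 0 && securelevel > lvl)
        return EPERM;                 /* locked: securelevel exceeds L */
    return 0;
}

/* Write an OID by name; returns 0, EPERM when locked, ENOENT if unknown. */
int sysctl_set(const char *name, int newval, int securelevel)
{
    size_t i;
    int err;

    for (i = 0; i < sizeof(oids) / sizeof(oids[0]); i++) {
        if (strcmp(oids[i].name, name) != 0)
            continue;
        err = sysctl_write_check(oids[i].kind, securelevel);
        if (err == 0)
            oids[i].value = newval;
        return err;
    }
    return ENOENT;
}

/* Read an OID by name; -1 if unknown (values in the table are >= 0). */
int sysctl_get(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof(oids) / sizeof(oids[0]); i++)
        if (strcmp(oids[i].name, name) == 0)
            return oids[i].value;
    return -1;
}

int main(void)
{
    int lvl;

    /* Show which entries an administrator can still change at each level. */
    for (lvl = -1; lvl <= 3; lvl++)
        printf("securelevel %2d: enable %-8s one_pass %-8s verbose %s\n", lvl,
            sysctl_write_check(oids[1].kind, lvl) == 0 ? "writable" : "locked",
            sysctl_write_check(oids[0].kind, lvl) == 0 ? "writable" : "locked",
            sysctl_write_check(oids[2].kind, lvl) == 0 ? "writable" : "locked");
    return 0;
}
```

Two bits of level give L in 0..3; with the rule "writable while securelevel <= L", L = 2 is the encoding for "lock together with the ipfw rules at securelevel 3", and L = 0 reproduces the stricter behaviour the quoted patch would get from the flag as it stands.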
