Date:      Fri, 16 Nov 2007 13:00:57 -0500
From:      James Lauser <james@jlauser.net>
To:        kmacy@FreeBSD.org
Cc:        freebsd-pf@FreeBSD.org
Subject:   Re: kern/116645: pfctl -k does not work in securelevel 3
Message-ID:  <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
In-Reply-To: <200711161753.lAGHr9OA025080@freefall.freebsd.org>
References:  <200711161753.lAGHr9OA025080@freefall.freebsd.org>

I understand that this is defined behavior, which is why I filed the  
PR as a change-request.  I believe it would be useful to modify the  
state table as a means of preventing an ongoing attack, even if the  
kernel is in securelevel 3.  Changes to the state table are not  
technically changes to the firewall rules.  It is currently possible,  
however, to make changes to pf tables through pfctl -T, even in  
securelevel 3, and this feature _is_ actually changing the firewall  
rules (though this may be an unintended feature).


--  James L. Lauser
     james@jlauser.net
     Owner, jlauser.net Hosting Services
     http://jlauser.net/


On Nov 16, 2007, at 12:53, kmacy@FreeBSD.org wrote:

> Synopsis: pfctl -k does not work in securelevel 3
>
> State-Changed-From-To: open->closed
> State-Changed-By: kmacy
> State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> State-Changed-Why:
>
> From the securelevel man page:
>     3     Network secure mode - same as highly secure mode, plus IP packet
>           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
>           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> You are seeing the defined behavior.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=116645



