Date:      Fri, 16 Nov 2007 10:04:19 -0800
From:      "Kip Macy" <kip.macy@gmail.com>
To:        "James Lauser" <james@jlauser.net>
Cc:        Robert Watson <rwatson@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: kern/116645: pfctl -k does not work in securelevel 3
Message-ID:  <b1fa29170711161004k70e027f0yfd37468a3cf69fb2@mail.gmail.com>
In-Reply-To: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
References:  <200711161753.lAGHr9OA025080@freefall.freebsd.org> <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>

On Nov 16, 2007 10:00 AM, James Lauser <james@jlauser.net> wrote:
> I understand that this is defined behavior, which is why I filed the
> PR as a change-request.  I believe it would be useful to modify the
> state table as a means of preventing an ongoing attack, even if the
> kernel is in securelevel 3.  Changes to the state table are not
> technically changes to the firewall rules.  It is currently possible,
> however, to make changes to pf tables through pfctl -T, even in
> securelevel 3, and this feature _is_ actually changing the firewall
> rules (though this may be an unintended feature).
>
>
> --  James L. Lauser
>      james@jlauser.net
>      Owner, jlauser.net Hosting Services
>      http://jlauser.net/
>
Ok, I don't have strong enough feelings on the matter. I'm putting
Robert and Max on the CC to get their thoughts.


 -Kip


>
>
> On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:
>
> > Synopsis: pfctl -k does not work in securelevel 3
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: kmacy
> > State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> > State-Changed-Why:
> >
> > From the securelevel man page:
> >     3     Network secure mode - same as highly secure mode, plus IP packet
> >           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> >           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
> >
> > You are seeing the defined behavior.
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
>
>