Date: Fri, 16 Nov 2007 10:04:19 -0800
From: "Kip Macy" <kip.macy@gmail.com>
To: "James Lauser" <james@jlauser.net>
Cc: Robert Watson <rwatson@freebsd.org>, freebsd-pf@freebsd.org
Subject: Re: kern/116645: pfctl -k does not work in securelevel 3
Message-ID: <b1fa29170711161004k70e027f0yfd37468a3cf69fb2@mail.gmail.com>
In-Reply-To: <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
References: <200711161753.lAGHr9OA025080@freefall.freebsd.org> <443E4458-A6C6-4C78-98B7-38D41DA0E131@jlauser.net>
On Nov 16, 2007 10:00 AM, James Lauser <james@jlauser.net> wrote:
> I understand that this is defined behavior, which is why I filed the
> PR as a change-request. I believe it would be useful to modify the
> state table as a means of preventing an ongoing attack, even if the
> kernel is in securelevel 3. Changes to the state table are not
> technically changes to the firewall rules. It is currently possible,
> however, to make changes to pf tables through pfctl -T, even in
> securelevel 3, and this feature _is_ actually changing the firewall
> rules (though this may be an unintended feature).
>
>
> -- James L. Lauser
> james@jlauser.net
> Owner, jlauser.net Hosting Services
> http://jlauser.net/
>

Ok, I don't have strong enough feelings on the matter. I'm putting Robert
and Max on the CC to get their thoughts.

-Kip

>
>
> On Nov 16, 2007, at 12:53 , kmacy@FreeBSD.org wrote:
>
> > Synopsis: pfctl -k does not work in securelevel 3
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: kmacy
> > State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
> > State-Changed-Why:
> >
> > From the securelevel man page:
> >
> >     3     Network secure mode - same as highly secure mode, plus IP packet
> >           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> >           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
> >
> > You are seeing the defined behavior.
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b1fa29170711161004k70e027f0yfd37468a3cf69fb2>
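The operational consequence of the thread is that an operator at securelevel 3 cannot use pfctl -k to tear down an attacker's existing states, but (as James reports) can still add addresses to a pf table with pfctl -T. The script below is an added example written for this page; it is not code from the PR, from the poster, or from FreeBSD. It assumes a ruleset that was loaded before securelevel was raised and that already contains a persistent table (the name "attackers" and the pf.conf fragment in the comments are assumptions) referenced by a quick block rule. Given the current securelevel and an address, it prints the pfctl commands that will still succeed and signals through its exit status whether the attacker's established flows were killed or will merely time out. The thread does not say whether creating a new table is also allowed at securelevel 3, so the example only adds to a table the loaded ruleset already references.

```shell
#!/bin/sh
# Added example, not code from the PR thread or from FreeBSD: pick a pf
# response to an attacking address that still works at the running
# securelevel.
#
# Assumed ruleset, loaded before securelevel was raised (the table name
# "attackers" and this fragment are assumptions for the example):
#
#   table <attackers> persist
#   block in quick from <attackers>
#
# Below securelevel 3, pfctl -k can also tear down the states the attacker
# already holds. At securelevel 3 the thread above reports that -k fails
# while -T add still works, so only the table route remains and the
# attacker's established flows survive until they time out.

# Loose IPv4 or IPv4/prefix syntax check so a malformed argument never
# reaches pfctl. Returns 0 when the address looks valid.
is_ipv4_cidr() {
    case "$1" in
        */*) ip=${1%/*}; pfx=${1#*/} ;;
        *)   ip=$1; pfx=32 ;;
    esac
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    n=0
    oldifs=$IFS; IFS=.
    for o in $ip; do
        if [ -z "$o" ] || [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Print the pfctl commands that block ADDR at securelevel LEVEL, adding it
# to TABLE (default: attackers) for the rule-table route.
# Exit status: 0 = live states are killed as well; 2 = only new connections
# are blocked because -k is unavailable at this securelevel; 1 = bad input.
pf_block_plan() {
    level=$1; addr=$2; table=${3:-attackers}
    case "$level" in ''|*[!0-9]*) echo "bad securelevel: $level" >&2; return 1 ;; esac
    is_ipv4_cidr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    # Reported in the thread to work even at securelevel 3, provided the
    # table already exists in the loaded ruleset.
    echo "pfctl -t $table -T add $addr"
    if [ "$level" -ge 3 ]; then
        return 2
    fi
    # Kill states with the attacker as source, then those with it as
    # destination (the two-argument -k form matches source then destination).
    echo "pfctl -k $addr"
    echo "pfctl -k 0.0.0.0/0 -k $addr"
}

# Current securelevel on FreeBSD; treated as 0 where the sysctl is absent.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo 0
}

# Usage: sh pfblock.sh ADDR [TABLE]   (prints the plan; pipe it to sh to apply)
if [ $# -ge 1 ]; then
    pf_block_plan "$(current_securelevel)" "$@"
    rc=$?
    [ "$rc" -eq 2 ] && echo "# securelevel >= 3: existing states survive" >&2
    exit "$rc"
fi
```

The exit status is the part a runbook should key on: a 2 means the block rule will stop new connections but the flows the attacker already has stay in the state table, which is exactly the gap the PR describes.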