From owner-freebsd-security Mon May 14 7: 3:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id F0C2437B422 for ; Mon, 14 May 2001 07:03:27 -0700 (PDT) (envelope-from poige@morning.ru) Received: from NIC1 ([195.161.98.236]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id WAA14049 for ; Mon, 14 May 2001 22:03:26 +0800 (KRAST) (envelope-from poige@morning.ru) Date: Mon, 14 May 2001 22:06:10 +0700 From: Igor Podlesny X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091 Organization: Morning Network X-Priority: 2 (High) Message-ID: <19322552168.20010514220610@morning.ru> To: freebsd-security@FreeBSD.ORG Subject: Re[2]: ipfw rules and securelevel In-Reply-To: <10320318256.20010514212856@morning.ru> References: <10320318256.20010514212856@morning.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >> Dear friends, >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When >> I run a command >> sysctl -w net.inet.ip.fw.enable=0 >> It disables the ipfw rules. >> Is it a feature or hole in freebsd. > doesn't matter how it is called, only matters how it hurts... (it does) >> please help the "patch" (hard to call it a patch, but nevertheless) is adding CTLFLAG_SECURE to the relevant definition of the node: this diff out is for 3.5 stable: 92c92 < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW, --- > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, -- Igor mailto:poige@morning.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message