From owner-freebsd-ipfw Tue May 15 04:22:01 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 5604A37B43C for ; Tue, 15 May 2001 04:21:58 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 15751 invoked by uid 1000); 15 May 2001 11:21:18 -0000
Date: Tue, 15 May 2001 14:21:18 +0300
From: Peter Pentchev
To: Ruslan Ermilov
Cc: Bill Fumerola, Luigi Rizzo, ipfw@FreeBSD.org
Subject: Re: ipfw rules and securelevel
Message-ID: <20010515142118.G11592@ringworld.oblivion.bg>
References: <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com> <20010515140943.A41014@sunbay.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010515140943.A41014@sunbay.com>; from ru@FreeBSD.org on Tue, May 15, 2001 at 02:09:43PM +0300
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, May 15, 2001 at 02:09:43PM +0300, Ruslan Ermilov wrote:
> Here is a slightly reworked version of the above patch. It prohibits
> all MIB modifications under the net.inet.ip.fw node except a few:
> debug, verbose, and verbose_limit, which shouldn't affect security.
> Please review.

I wonder if verbose and verbose_limit shouldn't also be prohibited.
Arguably, if someone has obtained superuser privileges on your
securelevel 3 box, they don't need to try any more exploits or
something. Still, I personally would maybe feel a bit more warm and
fuzzy if I knew that no one could disable ipfw logging, even if the
system is already compromised.

G'luck,
Peter

-- 
What would this sentence be like if pi were 3?
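The gating the two messages above argue over, as an added example that is not part of the patch under review or of FreeBSD's sysctl code: a small userland model of a net.inet.ip.fw sysctl handler that refuses writes once securelevel reaches 3, with the proposed exemption list (debug, verbose, verbose_limit) beside the stricter variant Peter suggests (debug only, so logging cannot be switched off). The MIB names are the real short names, but the threshold of 3, the raise-only securelevel, the function names and the policy switch are assumptions of this example.

```c
/*
 * Added example, not FreeBSD code: a userland model of securelevel
 * gating for sysctl nodes under net.inet.ip.fw.  The threshold (3),
 * the function names and the policy switch are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's securelevel (kern.securelevel). */
static int securelevel = 0;

/* 0 = exempt debug, verbose, verbose_limit (the patch as proposed);
 * 1 = exempt debug only (Peter's stricter suggestion). */
static int strict_logging_policy = 0;

struct ipfw_mib {
    const char *name;       /* short name under net.inet.ip.fw */
    int         value;      /* current value */
    int         lenient_ok; /* writable at securelevel >= 3, proposed patch */
    int         strict_ok;  /* writable at securelevel >= 3, strict variant */
};

/* Constructed table; values are illustrative defaults. */
static struct ipfw_mib ipfw_mibs[] = {
    { "enable",        1, 0, 0 },
    { "one_pass",      1, 0, 0 },
    { "debug",         1, 1, 1 },
    { "verbose",       1, 1, 0 },
    { "verbose_limit", 0, 1, 0 },
};
#define N_MIBS (sizeof(ipfw_mibs) / sizeof(ipfw_mibs[0]))

static struct ipfw_mib *ipfw_mib_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < N_MIBS; i++)
        if (strcmp(ipfw_mibs[i].name, name) == 0)
            return &ipfw_mibs[i];
    return NULL;
}

/* Like the real securelevel, the model only allows raising it. */
int ipfw_raise_securelevel(int level)
{
    if (level < securelevel)
        return EPERM;
    securelevel = level;
    return 0;
}

void ipfw_set_logging_policy(int strict)
{
    strict_logging_policy = strict ? 1 : 0;
}

/* Reads are never restricted: 0 on success, ENOENT for unknown nodes. */
int ipfw_sysctl_read(const char *name, int *out)
{
    struct ipfw_mib *m = ipfw_mib_lookup(name);
    if (m == NULL)
        return ENOENT;
    *out = m->value;
    return 0;
}

/* Writes: 0 on success, ENOENT for unknown nodes, EPERM when the
 * securelevel forbids changing this node under the active policy. */
int ipfw_sysctl_write(const char *name, int newval)
{
    struct ipfw_mib *m = ipfw_mib_lookup(name);
    if (m == NULL)
        return ENOENT;
    if (securelevel >= 3) {
        int exempt = strict_logging_policy ? m->strict_ok : m->lenient_ok;
        if (!exempt)
            return EPERM;
    }
    m->value = newval;
    return 0;
}

int main(void)
{
    ipfw_raise_securelevel(3);
    printf("verbose=0 (lenient): %s\n",
           ipfw_sysctl_write("verbose", 0) == 0 ? "allowed" : "EPERM");
    ipfw_set_logging_policy(1);
    printf("verbose=0 (strict):  %s\n",
           ipfw_sysctl_write("verbose", 0) == 0 ? "allowed" : "EPERM");
    printf("enable=0 (strict):   %s\n",
           ipfw_sysctl_write("enable", 0) == 0 ? "allowed" : "EPERM");
    return 0;
}
```

The difference between the two policies is only the exemption column: under the strict variant an attacker with root on a securelevel 3 box can still raise debug output, but can no longer zero verbose or shrink verbose_limit to silence the firewall log.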
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message