From owner-freebsd-security  Mon May 14  7:10:13 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 6D89537B43E
	for <freebsd-security@FreeBSD.ORG>; Mon, 14 May 2001 07:10:08 -0700 (PDT)
	(envelope-from roam@orbitel.bg)
Received: (qmail 1375 invoked by uid 1000); 14 May 2001 14:09:28 -0000
Date: Mon, 14 May 2001 17:09:28 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Igor Podlesny <poige@morning.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules and securelevel
Message-ID: <20010514170927.A849@ringworld.oblivion.bg>
Mail-Followup-To: Igor Podlesny <poige@morning.ru>,
	freebsd-security@FreeBSD.ORG
References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <19322552168.20010514220610@morning.ru>; from poige@morning.ru on Mon, May 14, 2001 at 10:06:10PM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
> 
> >> Dear friends,
> >>         Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
> >> I run a command
> 
> >>         sysctl -w net.inet.ip.fw.enable=0
> 
> >>         It disables the ipfw rules.
> 
> >> Is it a feature or hole in freebsd.
> 
> > doesn't matter how it is called, only matters how it hurts... (it does)
> 
> >> please help
> 
> the "patch" (hard to call it a patch, but nevertheless) is adding
> CTLFLAG_SECURE to the relevant definition of the node:
> 
> this diff out is for 3.5 stable:
> 
> 92c92
> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,                
> ---                                                                        
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, 

Patches/diffs are usually much easier to review and apply if they are
in context or unified diff format - this helps when the patch is made
against a possibly changed file :)  And.. well.. it might be obvious
to you (in this case it's pretty obvious to figure out ;), but still
it helps a lot to mention which file(s) the patch is against :)

G'luck,
Peter

-- 
I am the meaning of this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message