Date: Tue, 15 May 2001 18:43:29 -0500 From: Bill Fumerola <billf@mu.org> To: Peter Pentchev <roam@orbitel.bg> Cc: Ruslan Ermilov <ru@FreeBSD.org>, Luigi Rizzo <luigi@FreeBSD.org>, ipfw@FreeBSD.org Subject: Re: ipfw rules and securelevel Message-ID: <20010515184329.O37979@elvis.mu.org> In-Reply-To: <20010515142118.G11592@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, May 15, 2001 at 02:21:18PM %2B0300 References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com> <20010515140943.A41014@sunbay.com> <20010515142118.G11592@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, May 15, 2001 at 02:21:18PM +0300, Peter Pentchev wrote:
> > Here is a slightly reworked version of the above patch. It prohibits
> > all MIB modifications under net.inet.ip.fw node except a few ones:
> > debug, verbose, and verbose_limit that shouldn't affect security.
> > Please review.
>
> I wonder if verbose and verbose_limit shouldn't also be prohibited.
> Arguably, if someone has obtained superuser privileges on your securelevel
> 3 box, they don't need to try any more exploits or something.
> Still, I personally would maybe feel a bit more warm and fuzzy if I knew
> that no one could disable ipfw logging, even if the system is already
> compromised.
When Ruslan asked me earlier regarding verbose, I told him not to prohibit it.
Why? In time of attack or crisis, kicking up the debugging on your firewall
is important. The only local problems I could see this causing is someone
kicking up the limit to a really high number and flooding.
We already allow people to resetlog at that securelevel so the associated
sysctls should stick with that security model.
thanks,
--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010515184329.O37979>