From owner-freebsd-ipfw  Tue May 15  4:10:13 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65])
	by hub.freebsd.org (Postfix) with ESMTP
	id 15BBC37B424; Tue, 15 May 2001 04:09:47 -0700 (PDT)
	(envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.11.2/8.11.2) id f4FB9iK42189;
	Tue, 15 May 2001 14:09:44 +0300 (EEST)
	(envelope-from ru)
Date: Tue, 15 May 2001 14:09:43 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Bill Fumerola <billf@FreeBSD.org>,
	Luigi Rizzo <luigi@FreeBSD.org>
Cc: ipfw@FreeBSD.org
Subject: Re: ipfw rules and securelevel
Message-ID: <20010515140943.A41014@sunbay.com>
Mail-Followup-To: Bill Fumerola <billf@FreeBSD.org>,
	Luigi Rizzo <luigi@FreeBSD.org>, ipfw@FreeBSD.org
References: <Pine.LNX.4.33.0105141802230.18115-100000@apsara.barc.ernet.in> <10320318256.20010514212856@morning.ru> <19322552168.20010514220610@morning.ru> <20010514170927.A849@ringworld.oblivion.bg> <5523460344.20010514222118@morning.ru> <20010514180201.C453@ringworld.oblivion.bg> <20010514180928.A52742@sunbay.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010514180928.A52742@sunbay.com>; from ru@FreeBSD.org on Mon, May 14, 2001 at 06:09:28PM +0300
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Redirected to -ipfw]

On Mon, May 14, 2001 at 06:09:28PM +0300, Ruslan Ermilov wrote:
> On Mon, May 14, 2001 at 06:02:02PM +0300, Peter Pentchev wrote:
> > On Mon, May 14, 2001 at 10:21:18PM +0700, Igor Podlesny wrote:
> > > 
> > > 
> > > > On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
> > > >> 
> > > >> >> Dear friends,
> > > >> >>         Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
> > > >> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
> > > >> >> I run a command
> > > >> 
> > > >> >>         sysctl -w net.inet.ip.fw.enable=0
> > > >> 
> > > >> >>         It disables the ipfw rules.
> > > >> 
> > > >> >> Is it a feature or hole in freebsd.
> > > >> 
> > > >> > doesn't matter how it is called, only matters how it hurts... (it does)
> > > >> 
> > > >> >> please help
> > > >> 
> > > >> the "patch" (hard to call it a patch, but nevertheless) is adding
> > > >> CTLFLAG_SECURE to the relevant definition of the node:
> > > >> 
> > > >> this diff out is for 3.5 stable:
> > > >> 
> > > >> 92c92
> > > >> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,                
> > > >> ---                                                                        
> > > >> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE, 
> > > 
> > > > Patches/diffs are usually much easier to review and apply if they are
> > > > in context or unified diff format - this helps when the patch is made
> > > > against a possibly changed file :)  And.. well.. it might be obvious
> > > > to you (in this case it's pretty obvious to figure out ;), but still
> > > > it helps a lot to mention which file(s) the patch is against :)
> > > 
> > > oh, you're right :)
> > > 
> > > it was
> > > /usr/src/sys/netinet/ip_fw.c
> > > 
> > > unified diff:
> > > 
> > > --- /usr/src/sys/netinet/ip_fw.c.orig   Fri Mar 23 19:44:27 2001
> > > +++ /usr/src/sys/netinet/ip_fw.c        Mon May 14 22:15:55 2001           
> > > @@ -89,7 +89,7 @@                                                          
> > >                                                                            
> > >  #ifdef SYSCTL_NODE                                                        
> > >  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");       
> > > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,                 
> > > +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,  
> > >      &fw_enable, 0, "Enable ipfw");                                        
> > >  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,                 
> > >      &fw_one_pass, 0,                                                      
> > 
> > Yup, this patch is much clearer, and I see no real reason against
> > committing it.  Actually, I think that even more of those sysctl's
> > should be flagged as 'secure' - e.g. the ones related to logging.
> > 
> Hmm, but I think that for (securelevel < 3) the transition should
> still be allowed.  The correct fix then would be:
> 
> Index: ip_fw.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.164
> diff -u -p -r1.164 ip_fw.c
> --- ip_fw.c	2001/04/06 06:52:25	1.164
> +++ ip_fw.c	2001/05/14 15:04:12
> @@ -96,9 +96,19 @@ LIST_HEAD (ip_fw_head, ip_fw_chain) ip_f
>  MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
>  
>  #ifdef SYSCTL_NODE
> +
> +static int
> +sysctl_fw_enable(SYSCTL_HANDLER_ARGS)
> +{
> +
> +	if (req->newptr && securelevel >= 3)
> +		return (EPERM);
> +	return sysctl_handle_int(oidp, arg1, arg2, req);
> +}
> +
>  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> -    &fw_enable, 0, "Enable ipfw");
> +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
> +    &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw");
>  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
>      &fw_one_pass, 0, 
>      "Only do a single pass through ipfw when using dummynet(4)");
> 
Here is a slightly reworked version of the above patch.  It prohibits
all MIB modifications under net.inet.ip.fw node except a few ones:
debug, verbose, and verbose_limit that shouldn't affect security.
Please review.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=p

Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.164
diff -u -p -r1.164 ip_fw.c
--- ip_fw.c	2001/04/06 06:52:25	1.164
+++ ip_fw.c	2001/05/15 10:57:41
@@ -96,11 +96,21 @@ LIST_HEAD (ip_fw_head, ip_fw_chain) ip_f
 MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
 
 #ifdef SYSCTL_NODE
+
+static int
+sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)
+{
+
+	if (req->newptr && securelevel >= 3)
+		return (EPERM);
+	return sysctl_handle_int(oidp, arg1, arg2, req);
+}
+
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
-    &fw_enable, 0, "Enable ipfw");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
-    &fw_one_pass, 0, 
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
+    &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
+    &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",
     "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, 
     &fw_debug, 0, "Enable printing of debug ip_fw statements");
@@ -108,8 +118,9 @@ SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, ve
     &fw_verbose, 0, "Log matches to ipfw rules");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, 
     &fw_verbose_limit, 0, "Set upper limit of matches of ipfw rules logged");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLFLAG_RW, 
-    &fw_permanent_rules, 0, "Set rule number, below which rules are permanent");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, permanent_rules, CTLTYPE_INT|CTLFLAG_RW,
+    &fw_permanent_rules, 0, sysctl_fw_securelevel_check, "I",
+    "Set rule number, below which rules are permanent");
 
 /*
  * Extension for stateful ipfw.
@@ -163,24 +174,31 @@ static u_int32_t dyn_rst_lifetime = 5 ;
 static u_int32_t dyn_short_lifetime = 30 ;
 static u_int32_t dyn_count = 0 ;
 static u_int32_t dyn_max = 1000 ;
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
-    &dyn_buckets, 0, "Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
-    &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
-    &dyn_count, 0, "Number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
-    &dyn_max, 0, "Max number of dyn. rules");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
-    &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
-    &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
-    &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
-    &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
-    &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
+    "Number of dyn. buckets");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
+    &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
+    "Current Number of dyn. buckets");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLTYPE_INT|CTLFLAG_RD,
+    &dyn_count, 0, sysctl_fw_securelevel_check, "IU", "Number of dyn. rules");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_max, 0, sysctl_fw_securelevel_check, "IU", "Max number of dyn. rules");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_ack_lifetime, 0, sysctl_fw_securelevel_check, "IU",
+    "Lifetime of dyn. rules for acks");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_syn_lifetime, 0, sysctl_fw_securelevel_check, "IU",
+    "Lifetime of dyn. rules for syn");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_fin_lifetime, 0, sysctl_fw_securelevel_check, "IU",
+    "Lifetime of dyn. rules for fin");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLTYPE_INT|CTLFLAG_RW,
+    &dyn_rst_lifetime, 0, sysctl_fw_securelevel_check, "IU",
+    "Lifetime of dyn. rules for rst");
+SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime,
+    CTLTYPE_INT|CTLFLAG_RW, &dyn_short_lifetime, 0, sysctl_fw_securelevel_check,
+    "IU", "Lifetime of dyn. rules for other situations");
 
 #endif
 

--tThc/1wpZn/ma/RB--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message