From owner-freebsd-bugs Sun Oct 15 17:40: 5 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id DE6B837B670
	for ; Sun, 15 Oct 2000 17:40:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id RAA69986;
	Sun, 15 Oct 2000 17:40:01 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234])
	by hub.freebsd.org (Postfix) with ESMTP id 46F5837B66C
	for ; Sun, 15 Oct 2000 17:30:20 -0700 (PDT)
Received: by kendra.ne.mediaone.net (Postfix, from userid 0)
	id 9ED048C47; Sun, 15 Oct 2000 20:30:19 -0400 (EDT)
Message-Id: <20001016003019.9ED048C47@kendra.ne.mediaone.net>
Date: Sun, 15 Oct 2000 20:30:19 -0400 (EDT)
From: ahd@kew.com
Reply-To: ahd@kew.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/22012: Secure level 2 in kernel prevents read access to ipnat information
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         22012
>Category:       kern
>Synopsis:       Secure level 2 in kernel prevents read access to ipnat information
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 15 17:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Drew Derbyshire
>Release:        FreeBSD 4.1-RELEASE i386
>Organization:
Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
>Environment:
FreeBSD 4.1 running ipnat on firewall.
>Description:
Raising secure level of the kernel to 2 prevents even read only access to the IPNAT maps.
>How-To-Repeat:
sonata,134# sysctl -a | grep secure
kern.securelevel: -1
sonata,136# ipnat -l
List of active MAP/Redirect filters:
map ep0 192.168.200.0/22 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map ep0 192.168.200.0/22 -> 0.0.0.0/32 proxy port 7070 raudio/tcp
map ep0 192.168.200.0/22 -> 0.0.0.0/32 portmap tcp/udp 20000:21999
List of active sessions:
sonata,137# sysctl -w kern.securelevel=2
kern.securelevel: -1 -> 2
sonata,138# ipnat -l
ioctl(SIOCGNATS): Operation not permitted
>Fix:
Workaround: Disable raising kernel security level.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
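The operational consequence of this PR for anyone monitoring a firewall at securelevel 2 is that `ipnat -l` fails with an ioctl error rather than returning an empty rule list, so a naive "is NAT configured?" check would misreport the state. The following POSIX sh script is an added example, not part of the PR or of the ipnat tool: it reads the current securelevel, captures the output of `ipnat -l` (the command names are assumed and overridable via SYSCTL_CMD and IPNAT_CMD so the classifier can be exercised on constructed output), and classifies the result into "rules-present", "no-rules", "blocked-by-securelevel" or "blocked-other".

```shell
#!/bin/sh
# Added example (not the PR author's code): classify the outcome of `ipnat -l`
# so that a securelevel-2 ioctl failure is not mistaken for "no NAT rules".
# Assumption: FreeBSD-style `sysctl -n kern.securelevel` and `ipnat -l`;
# both command names are overridable for offline testing.

SYSCTL_CMD="${SYSCTL_CMD:-sysctl}"
IPNAT_CMD="${IPNAT_CMD:-ipnat}"

# Print the kernel securelevel, or "unknown" if sysctl is unavailable.
current_securelevel() {
    "$SYSCTL_CMD" -n kern.securelevel 2>/dev/null || echo "unknown"
}

# Read captured `ipnat -l` output on stdin; $1 is the securelevel it ran at.
# Prints one of: rules-present | no-rules | blocked-by-securelevel | blocked-other
classify_ipnat_output() {
    level="$1"
    out="$(cat)"
    case "$out" in
        *"Operation not permitted"*)
            # The PR shows SIOCGNATS returning EPERM once securelevel >= 2.
            if [ "$level" != "unknown" ] && [ "$level" -ge 2 ]; then
                echo "blocked-by-securelevel"
            else
                echo "blocked-other"
            fi
            ;;
        *"map "*|*"rdr "*)
            # Rule lines start with "map " or "rdr "; the "MAP/Redirect" banner
            # is upper case and does not match these patterns.
            echo "rules-present"
            ;;
        *)
            echo "no-rules"
            ;;
    esac
}

# Live wrapper: run ipnat -l and classify it against the current securelevel.
ipnat_state() {
    "$IPNAT_CMD" -l 2>&1 | classify_ipnat_output "$(current_securelevel)"
}

# Usage (on a FreeBSD host): sh ipnat_state.sh
# Uncomment the next line to run the live check when invoked directly:
# ipnat_state
```

A monitoring job can call `ipnat_state` and alert on "blocked-by-securelevel" separately from "no-rules"; the distinction matters because the first means the NAT table is unreadable, not absent, and the securelevel must be raised only after the rule set has been recorded.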