FreeBSD Mail Archives

Date:      Thu, 2 Oct 2003 05:10:15 -0700 (PDT)
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/57492: Firewall can be disabled in securelevel 3
Message-ID:  <200310021210.h92CAFjS054739@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

The following reply was made to PR kern/57492; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.org>
To: bdluevel@heitec.net
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
Date: Thu, 2 Oct 2003 15:09:03 +0300

 On Thu, Oct 02, 2003 at 05:06:02AM -0700, Ruslan Ermilov wrote:
 > Synopsis: Firewall can be disabled in securelevel 3
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: ru
 > State-Changed-When: Thu Oct 2 05:05:26 PDT 2003
 > State-Changed-Why: 
 > # uname -r
 > 4.9-PRERELEASE
 > # sysctl kern.securelevel
 > kern.securelevel: -1
 > # sysctl net.inet.ip.fw.enable=0
 > net.inet.ip.fw.enable: 1 -> 0
 > # sysctl net.inet.ip.fw.enable=1
 > net.inet.ip.fw.enable: 0 -> 1
 > # sysctl kern.securelevel=3
 > kern.securelevel: -1 -> 3
 > # sysctl net.inet.ip.fw.enable=0
 > net.inet.ip.fw.enable: 1
 > sysctl: net.inet.ip.fw.enable: Operation not permitted
 > 
 My apologies, I forgot that I have this problem fixed locally,
 but it's not in the FreeBSD repository.  I will re-open the
 bug.  The patch, FWIW, is as follows:
 
 %%%
 Index: ip_fw.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
 retrieving revision 1.131.2.39
 diff -u -p -r1.131.2.39 ip_fw.c
 --- ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
 +++ ip_fw.c	2 Oct 2003 12:07:35 -0000
 @@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai
  MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
  
  #ifdef SYSCTL_NODE
 +
 +static int
 +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)
 +{
 +
 +	if (req->newptr && securelevel >= 3)
 +		return (EPERM);
 +	return sysctl_handle_int(oidp, arg1, arg2, req);
 +}
 +
  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
 -    &fw_enable, 0, "Enable ipfw");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
 -    &fw_one_pass, 0, 
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
 +    &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
 +    &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",
      "Only do a single pass through ipfw when using dummynet(4)");
  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, 
      &fw_debug, 0, "Enable printing of debug ip_fw statements");
 @@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ;	/* #
  static u_int32_t dyn_count = 0 ;	/* # of dynamic rules */
  static u_int32_t dyn_max = 1000 ;	/* max # of dynamic rules */
  
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
 -    &dyn_buckets, 0, "Number of dyn. buckets");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
 -    &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
 -    &dyn_count, 0, "Number of dyn. rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
 -    &dyn_max, 0, "Max number of dyn. rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
 -    &static_count, 0, "Number of static rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
 -    &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
 -    &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
 -    &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
 -    &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
 -    &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
 -    &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
 -    &dyn_grace_time, 0, "Grace time for dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
 +    "Number of dyn. buckets");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
 +    &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
 +    "Current Number of dyn. buckets");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLTYPE_INT|CTLFLAG_RD,
 +    &dyn_count, 0, sysctl_fw_securelevel_check, "IU", "Number of dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_max, 0, sysctl_fw_securelevel_check, "IU", "Max number of dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, static_count, CTLTYPE_INT|CTLFLAG_RD,
 +    &static_count, 0, sysctl_fw_securelevel_check, "IU",
 +    "Number of static rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_ack_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for acks");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_syn_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for syn");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_fin_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for fin");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_rst_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for rst");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_udp_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for UDP");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_short_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for other situations");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLTYPE_INT|CTLFLAG_RD,
 +    &dyn_grace_time, 0, sysctl_fw_securelevel_check, "IU",
 +    "Grace time for dyn. rules");
  
  #endif /* SYSCTL_NODE */
  
 %%%
 
 -- 
 Ruslan Ermilov		Sysadmin and DBA,
 ru@sunbay.com		Sunbay Software Ltd,
 ru@FreeBSD.org		FreeBSD committer

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200310021210.h92CAFjS054739>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation