Re: ipfw rules and securelevel

From: Peter Pentchev (roam@orbitel.bg)
Date: 05/14/01


Date: Mon, 14 May 2001 17:09:28 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Igor Podlesny <poige@morning.ru>

On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
>
> >> Dear friends,
> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
> >> I run a command
>
> >> sysctl -w net.inet.ip.fw.enable=0
>
> >> It disables the ipfw rules.
>
> >> Is it a feature or a hole in FreeBSD?
>
> > doesn't matter how it is called, only matters how it hurts... (it does)
>
> >> please help
>
> the "patch" (hard to call it a patch, but nevertheless) is adding
> CTLFLAG_SECURE to the relevant definition of the node:
>
> this diff output is for 3.5-STABLE:
>
> 92c92
> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
> ---
> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
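
Review bot: the hunk names no file and carries no context lines, so a reader has to work out from the `_net_inet_ip_fw` OID which source file it belongs to, and `patch` has only the line number 92 and the single old `SYSCTL_INT` line to locate the change; a `diff -u` of the named file would carry both. On the substance, CTLFLAG_SECURE is the right gate for `enable` (the node can only be set while securelevel is at or below 0, root or not), but only this one node receives it: any other CTLFLAG_RW node under `_net_inet_ip_fw` that can switch filtering off or loosen it stays writable at securelevel 3 and needs the same flag.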

Patches/diffs are usually much easier to review and apply if they are
in context or unified diff format - this helps when the patch is made
against a possibly changed file :) And.. well.. it might be obvious
to you (in this case it's pretty obvious to figure out ;), but still
it helps a lot to mention which file(s) the patch is against :)

G'luck,
Peter

-- 
I am the meaning of this sentence.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
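
The gate the posted one-line change turns on, modelled in userland as an added illustration (not code from this thread or from the FreeBSD kernel): a small sysctl table holding the ipfw knob as declared before and after the change, a securelevel that can be raised but not lowered, and a write path that refuses CTLFLAG_SECURE nodes once securelevel is above 0 even though the caller is already root. The flag bit values, the `.before`/`.after` node names and the function names are this model's own assumptions, not the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this model; the kernel's sysctl.h uses
 * other bit positions and its CTLFLAG_RW is a read bit plus a write bit. */
#define CTLFLAG_RW     0x01
#define CTLFLAG_SECURE 0x02   /* permit set only if securelevel <= 0 */

struct oid {
    const char *name;
    unsigned    flags;
    int         value;
};

/* Constructed table: the same ipfw knob as declared before and after
 * the posted diff (node names invented for the model). */
static struct oid oids[] = {
    { "net.inet.ip.fw.enable.before", CTLFLAG_RW,                  1 },
    { "net.inet.ip.fw.enable.after",  CTLFLAG_RW | CTLFLAG_SECURE, 1 },
};

static int securelevel = 0;

/* kern.securelevel may be raised at any time but never lowered by a
 * running system; that is what makes a CTLFLAG_SECURE node stick. */
int set_securelevel(int level)
{
    if (level < securelevel)
        return EPERM;
    securelevel = level;
    return 0;
}

int get_securelevel(void)
{
    return securelevel;
}

static struct oid *lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(oids) / sizeof(oids[0]); i++)
        if (strcmp(oids[i].name, name) == 0)
            return &oids[i];
    return NULL;
}

/* The write path.  The caller is assumed to be root already (the real
 * kernel checks that first); the only question modelled is whether
 * securelevel refuses the write.  Returns 0 or an errno value. */
int sysctl_write(const char *name, int newval)
{
    struct oid *o = lookup(name);
    if (o == NULL)
        return ENOENT;
    if (!(o->flags & CTLFLAG_RW))
        return EPERM;
    /* The check CTLFLAG_SECURE switches on: no write once securelevel > 0. */
    if ((o->flags & CTLFLAG_SECURE) && securelevel > 0)
        return EPERM;
    o->value = newval;
    return 0;
}

/* Current value of a node, or -1 if it does not exist. */
int read_value(const char *name)
{
    const struct oid *o = lookup(name);
    return o == NULL ? -1 : o->value;
}

int main(void)
{
    set_securelevel(3);
    /* Without CTLFLAG_SECURE root can still turn the firewall off. */
    printf("before: write -> %d, enable=%d\n",
           sysctl_write("net.inet.ip.fw.enable.before", 0),
           read_value("net.inet.ip.fw.enable.before"));
    /* With it, the same write is refused and ipfw stays enabled. */
    printf("after:  write -> %d (EPERM=%d), enable=%d\n",
           sysctl_write("net.inet.ip.fw.enable.after", 0), EPERM,
           read_value("net.inet.ip.fw.enable.after"));
    return 0;
}
```

The model keeps the two checks separate on purpose: the RW bit answers "may anyone write this", the SECURE bit answers "may anyone write this now", and only the second one depends on securelevel. That is why the posted change, which adds a bit rather than removing one, is enough to close the bypass for that node.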

