Re[2]: ipfw rules and securelevel

From: Igor Podlesny (poige@morning.ru)
Date: 05/15/01


Date: Tue, 15 May 2001 10:39:09 +0700
From: Igor Podlesny <poige@morning.ru>
To: Peter Pentchev <roam@orbitel.bg>


> On Mon, May 14, 2001 at 10:21:18PM +0700, Igor Podlesny wrote:
>>
>>
>> > On Mon, May 14, 2001 at 10:06:10PM +0700, Igor Podlesny wrote:
>> >>
>> >> >> Dear friends,
>> >> >> Even in securelevel 3 I can bypass ipfw rules. In securelevel 3 I
>> >> >> as root can change the variable "net.inet.ip.fw.enable" using sysctl. When
>> >> >> I run a command
>> >>
>> >> >> sysctl -w net.inet.ip.fw.enable=0
>> >>
>> >> >> It disables the ipfw rules.
>> >>
>> >> >> Is it a feature or a hole in FreeBSD?
>> >>
>> >> > it doesn't matter what it is called, only how much it hurts... (it does)
>> >>
>> >> >> please help
>> >>
>> >> the "patch" (hard to call it a patch, but nevertheless) is adding
>> >> CTLFLAG_SECURE to the relevant definition of the node:
>> >>
>> >> this diff output is for 3.5-stable:
>> >>
>> >> 92c92
>> >> < SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>> >> ---
>> >> > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>>
>> > Patches/diffs are usually much easier to review and apply if they are
>> > in context or unified diff format - this helps when the patch is made
>> > against a possibly changed file :) And.. well.. it might be obvious
>> > to you (in this case it's pretty obvious to figure out ;), but still
>> > it helps a lot to mention which file(s) the patch is against :)
>>
>> oh, you're right :)
>>
>> it was
>> /usr/src/sys/netinet/ip_fw.c
>>
>> unified diff:
>>
>> --- /usr/src/sys/netinet/ip_fw.c.orig Fri Mar 23 19:44:27 2001
>> +++ /usr/src/sys/netinet/ip_fw.c Mon May 14 22:15:55 2001
>> @@ -89,7 +89,7 @@
>>
>> #ifdef SYSCTL_NODE
>> SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
>> -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
>> +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
>> &fw_enable, 0, "Enable ipfw");
>> SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
>> &fw_one_pass, 0,
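Review bot: the CTLFLAG_SECURE flag is added only to the `enable` node, while the sibling `one_pass` node in the same hunk (and the other `net.inet.ip.fw` nodes outside it) stays CTLFLAG_RW, so at an elevated securelevel root is still able to alter firewall behaviour through those knobs; consider flagging every node under `net.inet.ip.fw` whose change weakens filtering or logging in the same commit, so the protection is consistent rather than covering a single variable. Also, the context lines of the hunk appear to have lost their leading whitespace in the mail, so the patch may need `patch -l` to apply cleanly against /usr/src/sys/netinet/ip_fw.c.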

> Yup, this patch is much clearer, and I see no real reason against
> committing it.
My quick patch letter was for a person asking for help -- he asked and
I tried to answer. I'm not a member of the FreeBSD developer team, just a
user/amateur :)

> Actually, I think that even more of those sysctl's
> should be flagged as 'secure' - e.g. the ones related to logging.

I deem it the business of the core team to decide which sysctls are to be
protected depending on the securelevel value... because it is their
design :)

-- 
 Igor                            mailto:poige@morning.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
