Re: ipfirewall(4)) cannot be changed

From: Giorgos Keramidas (keramida_at_ceid.upatras.gr)
Date: 05/25/03

  • Next message: Santos: "Re: ipfirewall(4)) cannot be changed"
    Date: Sun, 25 May 2003 23:51:15 +0300 (EEST)
    To: Santos <sansan@cas.port995.com>
    
    

    On 2003-05-25 07:57, Santos wrote:
    > root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
    >
    > 3 Network secure mode - same as highly secure mode, plus IP packet
    > filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
    > dummynet(4) configuration cannot be adjusted.
    >
    > root@vigilante /root cuaa1# sysctl -a |grep secure
    > kern.securelevel: 3
    > [...]
    > root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
    > net.inet.ip.fw.enable: 1 -> 0
    >
    > root@vigilante /root cuaa1# ping 216.136.204.21
    > PING 216.136.204.21 (216.136.204.21): 56 data bytes
    > 64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
    > ^C

    Try this patch. Unless of course, you're not using IPFW version 1,
    in which case someone more knowledgeable will hopefully correct me :)

    <<<<<<<
    Index: ip_fw.c
    ===================================================================
    RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
    retrieving revision 1.192
    diff -u -r1.192 ip_fw.c
    --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
    +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
    @@ -95,7 +95,7 @@

     #ifdef SYSCTL_NODE
     SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
    -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
         &fw_enable, 0, "Enable ipfw");
     SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
         &fw_one_pass, 0,
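    Review bot: the trailing context of this hunk still leaves `one_pass` marked plain `CTLFLAG_RW` while only `enable` gains `CTLFLAG_SECURE3`; since `one_pass` also changes how packets traverse the rule set, the same reasoning that protects `enable` at securelevel 3 applies to it and to any other `net.inet.ip.fw` knob that alters filtering behaviour, so consider extending the flag there as well (e.g. `SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW|CTLFLAG_SECURE3,`) rather than closing only the one knob shown in the quoted session. The change itself matches the init(8) text quoted above (rules "cannot be changed" at securelevel 3) and would be worth citing in the commit message, and it depends on the target kernel's sysctl.h defining the per-level `CTLFLAG_SECURE3` flag rather than only the older single `CTLFLAG_SECURE`.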
    >>>>>>>

    - Giorgos
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

