Re: ipfirewall(4)) cannot be changed

From: Giorgos Keramidas (keramida_at_ceid.upatras.gr)
Date: 05/26/03

    Date: Mon, 26 May 2003 10:54:47 +0300
    To: Santos <sansan@cas.port995.com>
    
    

    On 2003-05-26 05:18, Santos <sansan@cas.port995.com> wrote:
    > Giorgos Keramidas wrote:
    > >Try this patch. Unless of course, you're not using IPFW version 1,
    > >in which case someone more knowledgeable will hopefully correct me :)
    > >
    > ><<<<<<<
    > >Index: ip_fw.c
    > >===================================================================
    > >RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
    > >retrieving revision 1.192
    > >diff -u -r1.192 ip_fw.c
    > >--- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
    > >+++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
    > >@@ -95,7 +95,7 @@
    > >
    > > #ifdef SYSCTL_NODE
    > > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
    > >-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    > >+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
    > > &fw_enable, 0, "Enable ipfw");
    > > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
    > > &fw_one_pass, 0,
    >
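Review bot: this hunk relies on CTLFLAG_SECURE3 being defined by the target kernel's sysctl(9) headers; on a tree that lacks it the file will not compile, so the branch the recipient is actually running (the "uname and a grep" mentioned below) decides whether this one-line change is usable at all. The quoted hunk is also cut off after `&fw_one_pass, 0,`, so it cannot be applied from this message as shown.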
    > Sorry I missed a uname and a grep :)

    Ah, that's fine. I don't have the time to test it now, but something
    similar to the following should do the trick. Sorry for not running
    this through a compile and a test run, but this is a very hectic day.
    Someone with enough time to run a full buildworld/buildkernel and fix
    any errors I have made should check that this fixes the problem and then
    notify the security officer. It looks like something that would be nice
    to have in STABLE *and* the security branches IMHO.

    <<<<<<<
    Index: ip_fw.c
    ===================================================================
    RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
    retrieving revision 1.131.2.39
    diff -u -r1.131.2.39 ip_fw.c
    --- ip_fw.c 20 Jan 2003 02:23:07 -0000 1.131.2.39
    +++ ip_fw.c 26 May 2003 07:50:05 -0000
    @@ -94,9 +94,25 @@
     MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
     
     #ifdef SYSCTL_NODE
    +
    +static int
    +sysctl_fw_enable(SYSCTL_HANDLER_ARGS)
    +{
    + int error, v;
    +
    + if (securelevel >= 3)
    + return (ENOPERM);
    +
    + error = sysctl_handle_int(oidp, oidp->oid_arg1, 0, req);
    + if (error || !req->newptr)
    + return (error);
    +
    + return (0);
    +}
    +
     SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
    -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    - &fw_enable, 0, "Enable ipfw");
    +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
    + &fw_enable, 0, sysctl_fw_enable, "I", "Enable ipfw");
     SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
         &fw_one_pass, 0,
         "Only do a single pass through ipfw when using dummynet(4)");
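Review bot: the securelevel check in sysctl_fw_enable runs before sysctl_handle_int and applies to every request, so at securelevel 3 even reading net.inet.ip.fw.enable fails, while the local `v` is declared but never used and a write goes straight into `oidp->oid_arg1`. Restructure so that only writes are refused: copy the current value into `v`, call `sysctl_handle_int(oidp, &v, 0, req)`, return early on `error || !req->newptr`, and only then test `securelevel >= 3` and store `v` back into `fw_enable`. Also, `ENOPERM` is not an errno in <sys/errno.h>; `EPERM` is the right value, and as written the file fails to compile on the undefined identifier, which matters since the author says this was not compile-tested.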
    >>>>>>>

