Bug 22600

Summary: It is possible to change ipfw rules with kernel secure level == 3.
Product: Base System
Reporter: andre <andre>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description andre 2000-11-04 10:00:02 UTC
From man 8 init:
"3     Network secure mode - same as highly secure mode, plus IP packet
      filter rules (see ipfw(8) and ipfirewall(4))  cannot be changed and
      dummynet(4) configuration cannot be adjusted."
It IS possible to change ipfw rules in security level 3.

How-To-Repeat:

satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#sysctl -a|grep secur
kern.securelevel: -1

satan:/usr/home/andre#sysctl -w kern.securelevel=3
kern.securelevel: -1 -> 3

satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#ipfw add 200 deny ip from any to any
00200 deny ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- a.b.c.d ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
satan:/usr/home/andre#ipfw add 100 allow ip from any to any
00100 allow ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
64 bytes from a.b.c.d: icmp_seq=0 ttl=254 time=11.915 ms
64 bytes from a.b.c.d: icmp_seq=1 ttl=254 time=6.089 ms
^C
--- a.b.c.d ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.089/9.002/11.915/2.913 ms

satan:/usr/home/andre#ipfw -q flush
ipfw: setsockopt(IP_FW_FLUSH): Operation not permitted
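The session above shows an inconsistent policy: at securelevel 3, IP_FW_FLUSH is refused with EPERM while rule additions go through, so the filter can still be changed. The following C model is an added illustration of the intended init(8) policy, not FreeBSD's ip_fw.c or its fix. It uses a hypothetical enum in place of the real IP_FW_* setsockopt names and compares a policy that gates only flush (what the report observed) against one that gates every rule-modifying operation while still allowing reads.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of ipfw control operations (assumption: the real kernel
 * dispatches on IP_FW_* setsockopt option names, which are not used here). */
enum fw_op {
    FW_OP_GET,    /* read the rule list: ipfw show / list */
    FW_OP_ADD,    /* ipfw add */
    FW_OP_DEL,    /* ipfw delete */
    FW_OP_FLUSH   /* ipfw flush */
};

/* init(8): "Network secure mode" is securelevel 3. */
#define SECURELEVEL_NETWORK 3

/* Policy as observed in the report: only flush is refused at securelevel 3,
 * so rules can still be added or deleted. Returns 0 (allowed) or an errno. */
int fw_ctl_check_observed(int securelevel, enum fw_op op)
{
    switch (op) {
    case FW_OP_GET:
    case FW_OP_ADD:
    case FW_OP_DEL:
        return 0;
    case FW_OP_FLUSH:
        return securelevel >= SECURELEVEL_NETWORK ? EPERM : 0;
    }
    return EINVAL;
}

/* Intended policy per init(8): at securelevel 3 the rule set cannot be
 * changed at all, but reading it stays allowed. Returns 0 or an errno. */
int fw_ctl_check_intended(int securelevel, enum fw_op op)
{
    switch (op) {
    case FW_OP_GET:
        return 0;           /* reads never alter the filter */
    case FW_OP_ADD:
    case FW_OP_DEL:
    case FW_OP_FLUSH:
        return securelevel >= SECURELEVEL_NETWORK ? EPERM : 0;
    }
    return EINVAL;
}

/* Replay the reporter's sequence (show, add 200, add 100, flush) under a
 * given policy and securelevel; returns how many operations are permitted. */
int count_permitted(int (*policy)(int, enum fw_op), int securelevel)
{
    static const enum fw_op session[] = {
        FW_OP_GET, FW_OP_ADD, FW_OP_ADD, FW_OP_FLUSH
    };
    int permitted = 0;
    for (size_t i = 0; i < sizeof session / sizeof session[0]; i++)
        if (policy(securelevel, session[i]) == 0)
            permitted++;
    return permitted;
}

int main(void)
{
    printf("securelevel 3, observed policy: %d of 4 operations permitted\n",
           count_permitted(fw_ctl_check_observed, SECURELEVEL_NETWORK));
    printf("securelevel 3, intended policy: %d of 4 operations permitted\n",
           count_permitted(fw_ctl_check_intended, SECURELEVEL_NETWORK));
    printf("securelevel -1, intended policy: %d of 4 operations permitted\n",
           count_permitted(fw_ctl_check_intended, -1));
    return 0;
}
```

The point of the comparison is that every control-path operation which mutates the rule set must share one securelevel check; gating a single option such as flush leaves the documented guarantee unenforced. Whether the shipped fix in ip_fw.c is structured this way is not stated on this page.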
Comment 1 ru freebsd_committer freebsd_triage 2000-11-07 09:51:15 UTC
State Changed
From-To: open->closed

Fixed in 5.0-CURRENT (ip_fw.c,v 1.149) and 4.2-BETA (v 1.131.2.10).