From nobody@FreeBSD.org  Wed Sep 26 01:35:32 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CEDD716A419
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Sep 2007 01:35:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id AD33B13C455
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Sep 2007 01:35:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.1/8.14.1) with ESMTP id l8Q1ZWTm072868
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Sep 2007 01:35:32 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.1/8.14.1/Submit) id l8Q1ZWvG072867;
	Wed, 26 Sep 2007 01:35:32 GMT
	(envelope-from nobody)
Message-Id: <200709260135.l8Q1ZWvG072867@www.freebsd.org>
Date: Wed, 26 Sep 2007 01:35:32 GMT
From: "James L. Lauser" <james@jlauser.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pfctl -k does not work in securelevel 3
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         116645
>Category:       kern
>Synopsis:       [request] pfctl -k does not work in securelevel 3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 26 01:40:06 GMT 2007
>Closed-Date:    Mon May 19 18:02:34 UTC 2008
>Last-Modified:  Mon May 19 18:02:34 UTC 2008
>Originator:     James L. Lauser
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD Pancake.jlauser.net 6.2-RELEASE-p4 FreeBSD 6.2-RELEASE-p4 #7: Mon May 28 21:18:23 EDT 2007     root@Pancake.jlauser.net:/usr/obj/usr/src/sys/SMP_POLLING  amd64
>Description:
When in network secure mode (kern.securelevel=3), pfctl -k does not work,
as DIOCKILLSTATES is not permitted.  I believe this is counter-intuitive.

If a rule such as "block drop quick from <blacklisted> to any" is present,
it is possible to firewall an attacking host by executing 'pfctl -t
blacklisted -T add 1.2.3.4', even in network secure mode, but any states
that the particular host already has open continue to work, as state
table evaluation is done before rule evaluation.
>How-To-Repeat:
Set kern.securelevel to 3, and attempt to kill a firewall state with pfctl -k.
>Fix:
Do not prevent calls to DIOCKILLSTATES when in securelevel 3.

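As an added example (not part of this PR and not code from pfctl(8)), the following script wraps the blacklist-then-kill procedure described above and checks kern.securelevel first, so an operator sees up front whether the host's existing states will survive. The table name "blacklisted" comes from the report; the "pfctl -s state" line format used for counting and the host-matching regex are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR or from pfctl(8): blacklist a host and report
# whether its already-open states can be killed at the current securelevel.
# Assumes a pf table named "blacklisted" and pfctl(8)/sysctl(8) on PATH.

# At kern.securelevel >= 3 the kernel refuses DIOCKILLSTATES (pfctl -k).
NETWORK_SECURE_LEVEL=3

# Succeed (0) when pfctl -k can work at securelevel $1, fail (1) otherwise.
kill_states_allowed() {
    [ "$1" -lt "$NETWORK_SECURE_LEVEL" ]
}

# Count the state entries on stdin that mention host $1 as an address.
# The line format is assumed to be that of "pfctl -s state", e.g.
#   all tcp 10.0.0.2:22 <- 1.2.3.4:40000   ESTABLISHED:ESTABLISHED
count_states_for() {
    host_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    # Boundaries keep 1.2.3.4 from matching 11.2.3.4 or 1.2.3.44.
    grep -Ec "(^|[^0-9.])${host_re}"'([^0-9]|$)' || true
}

# Add the host to the table (allowed at every securelevel), then try to kill
# its existing states. Returns 2 when the kill is refused, so callers can see
# that connections the host already has open will keep passing.
blacklist_host() {
    host=$1
    level=$(sysctl -n kern.securelevel)
    pfctl -t blacklisted -T add "$host"
    if kill_states_allowed "$level"; then
        pfctl -k "$host"                 # states originating from the host
        pfctl -k 0.0.0.0/0 -k "$host"    # states from anywhere to the host
    else
        open=$(pfctl -s state | count_states_for "$host")
        echo "kern.securelevel=$level: pfctl -k refused (DIOCKILLSTATES);" \
             "$open existing state(s) for $host remain open" >&2
        return 2
    fi
}

if [ $# -gt 0 ]; then
    blacklist_host "$1"
fi
```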
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Sep 26 03:48:40 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
State-Changed-From-To: open->closed
State-Changed-By: kmacy
State-Changed-When: Fri Nov 16 17:52:23 UTC 2007
State-Changed-Why:

From the securelevel man page:
3     Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.

You are seeing the defined behavior.

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
State-Changed-From-To: closed->feedback
State-Changed-By: kmacy
State-Changed-When: Fri Nov 16 18:04:43 UTC 2007
State-Changed-Why:

Awaiting the opinions of others on what securelevel 3 should mean.

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Mon May 19 18:02:09 UTC 2008
State-Changed-Why:
Feedback indicates that this behavior is by design; no one has stepped
up to disagree, so far.

http://www.freebsd.org/cgi/query-pr.cgi?pr=116645
>Unformatted:
