From root@kew.com  Sun Oct 15 17:30:20 2000
Return-Path: <root@kew.com>
Received: from kendra.ne.mediaone.net (kendra.ne.mediaone.net [24.218.227.234])
	by hub.freebsd.org (Postfix) with ESMTP id 46F5837B66C
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 15 Oct 2000 17:30:20 -0700 (PDT)
Received: by kendra.ne.mediaone.net (Postfix, from userid 0)
	id 9ED048C47; Sun, 15 Oct 2000 20:30:19 -0400 (EDT)
Message-Id: <20001016003019.9ED048C47@kendra.ne.mediaone.net>
Date: Sun, 15 Oct 2000 20:30:19 -0400 (EDT)
From: ahd@kew.com
Sender: root@kew.com
Reply-To: ahd@kew.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Secure level 2 in kernel prevents read access to ipnat information
X-Send-Pr-Version: 3.2

>Number:         22012
>Category:       kern
>Synopsis:       Secure level 2 in kernel prevents read access to ipnat information
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 15 17:40:01 PDT 2000
>Closed-Date:    Tue Mar 26 02:12:03 PST 2002
>Last-Modified:  Tue Mar 26 02:12:03 PST 2002
>Originator:     Drew Derbyshire
>Release:        FreeBSD 4.1-RELEASE i386
>Organization:
Kendra Electronic Wonderworks, Stoneham, MA 02180 (http://www.kew.com)
>Environment:

	FreeBSD 4.1 running ipnat on firewall.

>Description:

	Raising the secure level of the kernel to 2 prevents even read-only access to the
	IPNAT maps.

>How-To-Repeat:

   sonata,134# sysctl -a | grep secure
   kern.securelevel: -1

   sonata,136# ipnat -l
   List of active MAP/Redirect filters:
   map ep0 192.168.200.0/22  -> 0.0.0.0/32  proxy port ftp ftp/tcp
   map ep0 192.168.200.0/22  -> 0.0.0.0/32  proxy port 7070 raudio/tcp
   map ep0 192.168.200.0/22  -> 0.0.0.0/32  portmap tcp/udp 20000:21999

   List of active sessions:

   sonata,137# sysctl -w kern.securelevel=2
   kern.securelevel: -1 -> 2

   sonata,138# ipnat -l
   ioctl(SIOCGNATS): Operation not permitted


>Fix:

	Workaround: Disable raising kernel security level.
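	The following is an added illustration and is not code from this PR, from
	ipfilter, or from the FreeBSD kernel. It models the behaviour the report
	describes (at kern.securelevel 2 even the read-only SIOCGNATS ioctl issued by
	`ipnat -l` fails with EPERM) beside a least-privilege variant in which the
	securelevel check guards only commands that modify NAT state. The securelevel
	global, the enum names other than SIOCGNATS, and the two dispatcher functions
	are constructed for this model; the hardened variant shows the principle the
	report argues for and is not the change that closed the PR.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for kern.securelevel. FreeBSD starts at -1 and lets
 * the superuser raise the level but never lower it on a running system. */
static int securelevel = -1;

/* Returns 0 on success, EPERM when asked to lower the level. */
int set_securelevel(int level) {
    if (level < securelevel)
        return EPERM;
    securelevel = level;
    return 0;
}

int get_securelevel(void) { return securelevel; }

/* Command identifiers for the simulated NAT ioctl dispatcher. SIOCGNATS is the
 * read-only request named in the report; the other names are constructed for
 * this model and are not ipfilter's real ioctl numbers. */
enum nat_cmd {
    SIM_SIOCGNATS,   /* read: NAT statistics / rule listing (`ipnat -l`) */
    SIM_LIST_SESSIONS, /* read: active sessions */
    SIM_ADD_RULE,    /* modify: add a map/rdr rule */
    SIM_FLUSH_TABLE  /* modify: flush the NAT table */
};

static bool cmd_modifies(enum nat_cmd cmd) {
    return cmd == SIM_ADD_RULE || cmd == SIM_FLUSH_TABLE;
}

/* Behaviour the report describes: at securelevel >= 2 every NAT ioctl,
 * read-only ones included, is refused with EPERM. */
int nat_ioctl_reported(enum nat_cmd cmd) {
    (void)cmd;
    if (securelevel >= 2)
        return EPERM;
    return 0;
}

/* Least-privilege variant (illustration only): securelevel is meant to stop
 * changes to the firewall configuration, so only mutating commands are
 * refused and an operator can still inspect NAT state at a high level. */
int nat_ioctl_hardened(enum nat_cmd cmd) {
    if (securelevel >= 2 && cmd_modifies(cmd))
        return EPERM;
    return 0;
}

int main(void) {
    /* Replays the sequence from the report's How-To-Repeat section. */
    printf("securelevel %d: ipnat -l -> %s\n", get_securelevel(),
           nat_ioctl_reported(SIM_SIOCGNATS) == 0 ? "ok" : "EPERM");
    set_securelevel(2);
    printf("securelevel %d: reported  ipnat -l -> %s\n", get_securelevel(),
           nat_ioctl_reported(SIM_SIOCGNATS) == 0 ? "ok" : "EPERM");
    printf("securelevel %d: hardened  ipnat -l -> %s\n", get_securelevel(),
           nat_ioctl_hardened(SIM_SIOCGNATS) == 0 ? "ok" : "EPERM");
    printf("securelevel %d: hardened  add rule -> %s\n", get_securelevel(),
           nat_ioctl_hardened(SIM_ADD_RULE) == 0 ? "ok" : "EPERM");
    printf("lowering to 1 -> %s\n",
           set_securelevel(1) == 0 ? "ok" : "EPERM");
    return 0;
}
```

	The design point is where the check sits: gating the whole ioctl entry point
	on securelevel also blocks monitoring, which is exactly the read-only
	`ipnat -l` failure shown above, whereas gating only the mutating commands
	keeps the protection the secure level is for.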


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: darrenr 
Responsible-Changed-When: Wed Feb 21 13:31:43 PST 2001 
Responsible-Changed-Why:  
darrenr is responsible for ipfilter 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22012 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Fri Oct 19 20:52:19 PDT 2001 
State-Changed-Why:  
this is being worked on 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=22012 
State-Changed-From-To: feedback->closed 
State-Changed-By: darrenr 
State-Changed-When: Tue Mar 26 02:11:13 PST 2002 
State-Changed-Why:  
this has been fixed in -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22012 
>Unformatted:
