From nobody@FreeBSD.ORG  Sat Nov  4 01:59:58 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id ED5FD37B4CF; Sat,  4 Nov 2000 01:59:57 -0800 (PST)
Message-Id: <20001104095957.ED5FD37B4CF@hub.freebsd.org>
Date: Sat,  4 Nov 2000 01:59:57 -0800 (PST)
From: andre@express.ru
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: It is possible to change ipfw rules with kernel secure level == 3.
X-Send-Pr-Version: www-1.0

>Number:         22600
>Category:       kern
>Synopsis:       It is possible to change ipfw rules with kernel secure level == 3.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 04 02:00:02 PST 2000
>Closed-Date:    Tue Nov 7 01:51:15 PST 2000
>Last-Modified:  Tue Nov 07 01:52:43 PST 2000
>Originator:     Andre Yelistratov
>Release:        4.2-BETA
>Organization:
>Environment:
FreeBSD satan.express.ru 4.2-BETA FreeBSD 4.2-BETA #0: Thu Nov  2 17:22:44 MSK 2000     andre@satan.express.ru:/usr/obj/usr/src/sys/SATAN  i386

>Description:
From man 8 init:
"3     Network secure mode - same as highly secure mode, plus IP packet
      filter rules (see ipfw(8) and ipfirewall(4))  cannot be changed and
      dummynet(4) configuration cannot be adjusted."
It IS possible to change ipfw rules in security level 3.

>How-To-Repeat:
satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#sysctl -a|grep secur
kern.securelevel: -1

satan:/usr/home/andre#sysctl -w kern.securelevel=3
kern.securelevel: -1 -> 3

satan:/usr/home/andre#ipfw show
65535 76 7632 allow ip from any to any

satan:/usr/home/andre#ipfw add 200 deny ip from any to any
00200 deny ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- a.b.c.d ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
satan:/usr/home/andre#ipfw add 100 allow ip from any to any
00100 allow ip from any to any

satan:/usr/home/andre#ping a.b.c.d
PING a.b.c.d (a.b.c.d): 56 data bytes
64 bytes from a.b.c.d: icmp_seq=0 ttl=254 time=11.915 ms
64 bytes from a.b.c.d: icmp_seq=1 ttl=254 time=6.089 ms
^C
--- a.b.c.d ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.089/9.002/11.915/2.913 ms

satan:/usr/home/andre#ipfw -q flush
ipfw: setsockopt(IP_FW_FLUSH): Operation not permitted
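The session above shows the asymmetry that defines this bug: at securelevel 3 `ipfw add` succeeds while `ipfw flush` is refused with EPERM. The C below is an added illustration, not the FreeBSD kernel's ip_fw.c and not the change ru committed as v1.149 / v1.131.2.10. It models the securelevel gate in ipfw's socket-option handler under one assumption, labelled as such in the comments: that IP_FW_ADD is issued by ipfw(8) as a getsockopt() call (the kernel returns the installed rule), so a gate keyed on the "set" direction misses it, whereas a gate keyed on what the option does catches it. The option numbering, the RESETLOG exemption and the direction table are constructed for the model.

```c
#include <errno.h>
#include <stdio.h>

/* Socket-option names and directions; constructed values for this model,
 * not the kernel's real numbering. */
enum ipfw_opt { IP_FW_ADD = 1, IP_FW_DEL, IP_FW_FLUSH, IP_FW_ZERO,
                IP_FW_GET, IP_FW_RESETLOG };
enum sopt_dir { SOPT_GET = 0, SOPT_SET = 1 };

/* Direction in which userland ipfw(8) issues each option.  Assumption:
 * IP_FW_ADD travels as getsockopt() because the kernel hands back the
 * rule it installed; everything else that modifies state is setsockopt(). */
static enum sopt_dir ipfw_opt_dir(enum ipfw_opt name)
{
    return (name == IP_FW_ADD || name == IP_FW_GET) ? SOPT_GET : SOPT_SET;
}

/* Gate as assumed to exist before the fix: only the "set" direction is
 * refused at securelevel >= 3 (resetting log counters stays allowed). */
int ipfw_gate_before(int securelevel, enum ipfw_opt name)
{
    if (securelevel >= 3 && ipfw_opt_dir(name) == SOPT_SET &&
        name != IP_FW_RESETLOG)
        return EPERM;
    return 0;
}

/* Hardened gate: classify by what the option does, not by the direction it
 * travels in, so IP_FW_ADD is refused exactly like IP_FW_FLUSH. */
int ipfw_gate_after(int securelevel, enum ipfw_opt name)
{
    int modifies = (name == IP_FW_ADD) ||
                   (ipfw_opt_dir(name) == SOPT_SET && name != IP_FW_RESETLOG);
    if (securelevel >= 3 && modifies)
        return EPERM;
    return 0;
}

/* Replay the rule-changing operations from the report (two adds, one flush)
 * against a gate at securelevel 3; returns how many were allowed through. */
int replay_report(int (*gate)(int, enum ipfw_opt))
{
    const enum ipfw_opt changes[] = { IP_FW_ADD, IP_FW_ADD, IP_FW_FLUSH };
    int slipped = 0;
    for (size_t i = 0; i < sizeof changes / sizeof changes[0]; i++)
        if (gate(3, changes[i]) == 0)
            slipped++;
    return slipped;
}

int main(void)
{
    /* Before: both adds slip through, matching the session above. */
    printf("before fix: %d change(s) allowed at securelevel 3\n",
           replay_report(ipfw_gate_before));
    /* After: nothing that alters the rule set is allowed. */
    printf("after fix:  %d change(s) allowed at securelevel 3\n",
           replay_report(ipfw_gate_after));
    return 0;
}
```

The design point for anyone writing a similar gate: decide on a per-operation notion of "modifies state" and check that, rather than relying on the transport direction of the request, which exists for the convenience of returning data and says nothing about side effects. Read-only options (IP_FW_GET) and the counter reset remain usable so monitoring keeps working at securelevel 3.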


>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Tue Nov 7 01:51:15 PST 2000 
State-Changed-Why:  
Fixed in 5.0-CURRENT (ip_fw.c,v 1.149) and 4.2-BETA (v 1.131.2.10). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22600 
>Unformatted:
