From bernd@heitec.net  Thu Oct  2 04:29:58 2003
Return-Path: <bernd@heitec.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 941A716A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Oct 2003 04:29:58 -0700 (PDT)
Received: from christel.heitec.net (christel.heitec.net [213.70.109.3])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5034543FDF
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Oct 2003 04:29:57 -0700 (PDT)
	(envelope-from bernd@heitec.net)
Received: from heitec.net (paladin.heitec.net [193.101.232.30])
	by christel.heitec.net (Postfix) with ESMTP id 122A2B8101
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  2 Oct 2003 13:29:54 +0200 (CEST)
Received: (from bernd@localhost)
	by  heitec.net (8.12.9/8.12.9) id h92BTr8o026696;
	Thu, 2 Oct 2003 13:29:53 +0200 (CEST)
	(envelope-from bernd)
Message-Id: <200310021129.h92BTr8o026696@ heitec.net>
Date: Thu, 2 Oct 2003 13:29:53 +0200 (CEST)
From: Bernd Luevelsmeyer <bernd@heitec.net>
Reply-To: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Firewall can be disabled in securelevel 3
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         57492
>Category:       kern
>Synopsis:       Firewall can be disabled in securelevel 3
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 02 04:40:09 PDT 2003
>Closed-Date:    Sat Nov 15 00:35:58 PST 2003
>Last-Modified:  Sat Nov 15 00:35:58 PST 2003
>Originator:     Bernd Luevelsmeyer
>Release:        FreeBSD 4.9-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD 4.9-PRERELEASE #0: Mon Sep 8 15:08:58 CEST 2003 i386


>Description:
    init(8) says you cannot change ipfw rules in securelevel 3.
    It is possible, though, to disable the entire firewall,
    effectively deleting all rules and adding a rule "pass all
    from any to any".

>How-To-Repeat:
    On a machine that has a firewall and runs in securelevel 3,
    as root enter
      sysctl net.inet.ip.fw.enable=0
    You can now send and receive packets that otherwise would
    be rejected by the firewall.

>Fix:
    unknown
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: ru 
State-Changed-When: Thu Oct 2 05:05:26 PDT 2003 
State-Changed-Why:  
# uname -r 
4.9-PRERELEASE 
# sysctl kern.securelevel 
kern.securelevel: -1 
# sysctl net.inet.ip.fw.enable=0 
net.inet.ip.fw.enable: 1 -> 0 
# sysctl net.inet.ip.fw.enable=1 
net.inet.ip.fw.enable: 0 -> 1 
# sysctl kern.securelevel=3 
kern.securelevel: -1 -> 3 
# sysctl net.inet.ip.fw.enable=0 
net.inet.ip.fw.enable: 1 
sysctl: net.inet.ip.fw.enable: Operation not permitted 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57492 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: bdluevel@heitec.net
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/57492: Firewall can be disabled in securelevel 3
Date: Thu, 2 Oct 2003 15:09:03 +0300

 On Thu, Oct 02, 2003 at 05:06:02AM -0700, Ruslan Ermilov wrote:
 > Synopsis: Firewall can be disabled in securelevel 3
 > 
 > State-Changed-From-To: open->closed
 > State-Changed-By: ru
 > State-Changed-When: Thu Oct 2 05:05:26 PDT 2003
 > State-Changed-Why: 
 > # uname -r
 > 4.9-PRERELEASE
 > # sysctl kern.securelevel
 > kern.securelevel: -1
 > # sysctl net.inet.ip.fw.enable=0
 > net.inet.ip.fw.enable: 1 -> 0
 > # sysctl net.inet.ip.fw.enable=1
 > net.inet.ip.fw.enable: 0 -> 1
 > # sysctl kern.securelevel=3
 > kern.securelevel: -1 -> 3
 > # sysctl net.inet.ip.fw.enable=0
 > net.inet.ip.fw.enable: 1
 > sysctl: net.inet.ip.fw.enable: Operation not permitted
 > 
 My apologies, I forgot that I have this problem fixed locally,
 but it's not in the FreeBSD repository.  I will re-open the
 bug.  The patch, FWIW, is as follows:
 
 %%%
 Index: ip_fw.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/Attic/ip_fw.c,v
 retrieving revision 1.131.2.39
 diff -u -p -r1.131.2.39 ip_fw.c
 --- ip_fw.c	20 Jan 2003 02:23:07 -0000	1.131.2.39
 +++ ip_fw.c	2 Oct 2003 12:07:35 -0000
 @@ -94,11 +94,21 @@ LIST_HEAD (ip_fw_head, ip_fw) ip_fw_chai
  MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's");
  
  #ifdef SYSCTL_NODE
 +
 +static int
 +sysctl_fw_securelevel_check(SYSCTL_HANDLER_ARGS)
 +{
 +
 +	if (req->newptr && securelevel >= 3)
 +		return (EPERM);
 +	return sysctl_handle_int(oidp, arg1, arg2, req);
 +}
 +
  SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
 -    &fw_enable, 0, "Enable ipfw");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
 -    &fw_one_pass, 0, 
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, enable, CTLTYPE_INT|CTLFLAG_RW,
 +    &fw_enable, 0, sysctl_fw_securelevel_check, "I", "Enable ipfw");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, one_pass, CTLTYPE_INT|CTLFLAG_RW,
 +    &fw_one_pass, 0, sysctl_fw_securelevel_check, "I",
      "Only do a single pass through ipfw when using dummynet(4)");
  SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, 
      &fw_debug, 0, "Enable printing of debug ip_fw statements");
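 Review bot: in sysctl_fw_securelevel_check the guard keys on req->newptr, so reads of net.inet.ip.fw.enable and one_pass still succeed at securelevel 3 and only writes get EPERM, which is the right split; the one style(9) nit is `return sysctl_handle_int(oidp, arg1, arg2, req);` without the parentheses that `return (EPERM);` two lines above uses. A one-line comment on the handler saying that the `>= 3` threshold is chosen to match the level at which init(8) documents ipfw rules as immutable would keep the two from drifting apart if either is revised.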
 @@ -173,30 +183,40 @@ static u_int32_t static_count = 0 ;	/* #
  static u_int32_t dyn_count = 0 ;	/* # of dynamic rules */
  static u_int32_t dyn_max = 1000 ;	/* max # of dynamic rules */
  
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLFLAG_RW,
 -    &dyn_buckets, 0, "Number of dyn. buckets");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLFLAG_RD,
 -    &curr_dyn_buckets, 0, "Current Number of dyn. buckets");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLFLAG_RD,
 -    &dyn_count, 0, "Number of dyn. rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLFLAG_RW,
 -    &dyn_max, 0, "Max number of dyn. rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, static_count, CTLFLAG_RD,
 -    &static_count, 0, "Number of static rules");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLFLAG_RW,
 -    &dyn_ack_lifetime, 0, "Lifetime of dyn. rules for acks");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLFLAG_RW,
 -    &dyn_syn_lifetime, 0, "Lifetime of dyn. rules for syn");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLFLAG_RW,
 -    &dyn_fin_lifetime, 0, "Lifetime of dyn. rules for fin");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLFLAG_RW,
 -    &dyn_rst_lifetime, 0, "Lifetime of dyn. rules for rst");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLFLAG_RW,
 -    &dyn_udp_lifetime, 0, "Lifetime of dyn. rules for UDP");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLFLAG_RW,
 -    &dyn_short_lifetime, 0, "Lifetime of dyn. rules for other situations");
 -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLFLAG_RD,
 -    &dyn_grace_time, 0, "Grace time for dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_buckets, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
 +    "Number of dyn. buckets");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, curr_dyn_buckets, CTLTYPE_INT|CTLFLAG_RD,
 +    &curr_dyn_buckets, 0, sysctl_fw_securelevel_check, "IU",
 +    "Current Number of dyn. buckets");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_count, CTLTYPE_INT|CTLFLAG_RD,
 +    &dyn_count, 0, sysctl_fw_securelevel_check, "IU", "Number of dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_max, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_max, 0, sysctl_fw_securelevel_check, "IU", "Max number of dyn. rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, static_count, CTLTYPE_INT|CTLFLAG_RD,
 +    &static_count, 0, sysctl_fw_securelevel_check, "IU",
 +    "Number of static rules");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_ack_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_ack_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for acks");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_syn_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_syn_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for syn");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_fin_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_fin_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for fin");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_rst_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_rst_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for rst");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_udp_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_udp_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for UDP");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_short_lifetime, CTLTYPE_INT|CTLFLAG_RW,
 +    &dyn_short_lifetime, 0, sysctl_fw_securelevel_check, "IU",
 +    "Lifetime of dyn. rules for other situations");
 +SYSCTL_PROC(_net_inet_ip_fw, OID_AUTO, dyn_grace_time, CTLTYPE_INT|CTLFLAG_RD,
 +    &dyn_grace_time, 0, sysctl_fw_securelevel_check, "IU",
 +    "Grace time for dyn. rules");
  
  #endif /* SYSCTL_NODE */
  
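 Review bot: the four OIDs in this hunk that keep CTLFLAG_RD (curr_dyn_buckets, dyn_count, static_count, dyn_grace_time) are already rejected for writes by the sysctl layer before any handler runs, so routing them through sysctl_fw_securelevel_check adds no protection; leaving them as SYSCTL_INT would confine the diff to the CTLFLAG_RW tunables that actually change behaviour. The rationale for extending the guard past `enable` to the dyn_* lifetimes, dyn_max and dyn_buckets (they alter how the dynamic rule set ages and grows, which is rule-set behaviour securelevel 3 is meant to freeze) belongs in the commit message, since the PR only reports the `enable` case. Style: the `dyn_short_lifetime` SYSCTL_PROC line runs past 80 columns.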
 %%%
 
 -- 
 Ruslan Ermilov		Sysadmin and DBA,
 ru@sunbay.com		Sunbay Software Ltd,
 ru@FreeBSD.org		FreeBSD committer
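The mechanism the patch above relies on, gating a sysctl write (signalled by a non-NULL `newptr`) on `securelevel` while letting reads through, can be exercised outside the kernel. The following is an added userland model written for this page, not FreeBSD code and not Ruslan's patch: `struct sysctl_req`, `handle_int`, `securelevel_check`, `struct oid` and the `sysctl_set`/`sysctl_get` dispatchers are constructed stand-ins for the kernel's `sysctl_handle_int` and `SYSCTL_PROC` registration, and `run_scenario` replays the session from the audit trail (write allowed at securelevel -1, write refused at securelevel 3) against an unguarded and a guarded registration of the same variable.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of two kernel globals; values mirror the PR's session. */
static int securelevel = -1;   /* kern.securelevel */
static int fw_enable = 1;      /* net.inet.ip.fw.enable */

/* Stand-in for struct sysctl_req: a non-NULL newptr means the caller
 * supplied a new value, i.e. the request is a write. */
struct sysctl_req {
    const int *newptr;
    int *oldptr;
};

typedef int (*sysctl_handler)(int *arg1, struct sysctl_req *req);

/* Unguarded handler, the behaviour of a plain SYSCTL_INT with CTLFLAG_RW:
 * hand back the current value, then store the new one if there is one. */
static int handle_int(int *arg1, struct sysctl_req *req)
{
    if (req->oldptr != NULL)
        *req->oldptr = *arg1;
    if (req->newptr != NULL)
        *arg1 = *req->newptr;
    return (0);
}

/* Guarded handler, the pattern the patch installs: refuse writes once
 * securelevel reaches 3, pass reads and lower-level writes through. */
static int securelevel_check(int *arg1, struct sysctl_req *req)
{
    if (req->newptr != NULL && securelevel >= 3)
        return (EPERM);
    return (handle_int(arg1, req));
}

/* Stand-in for a registered OID: name, backing variable, handler. */
struct oid {
    const char *name;
    int *var;
    sysctl_handler handler;
};

/* The "before" and "after" registrations of the same variable. */
static struct oid oid_unguarded = { "net.inet.ip.fw.enable", &fw_enable, handle_int };
static struct oid oid_guarded   = { "net.inet.ip.fw.enable", &fw_enable, securelevel_check };

/* Write request, as sysctl(8) would issue for name=value; returns 0 or errno. */
static int sysctl_set(struct oid *o, int newval, int *old)
{
    struct sysctl_req req = { &newval, old };
    return (o->handler(o->var, &req));
}

/* Read request; returns 0 or errno, current value in *old. */
static int sysctl_get(struct oid *o, int *old)
{
    struct sysctl_req req = { NULL, old };
    return (o->handler(o->var, &req));
}

/* Replay the PR's session. Returns the errno of the write attempted at
 * securelevel 3 (0 if it went through, EPERM if refused); negative values
 * flag an unexpected failure in the setup steps. */
static int run_scenario(struct oid *o)
{
    int old, rc;

    securelevel = -1;
    fw_enable = 1;
    if (sysctl_set(o, 0, &old) != 0 || old != 1 || fw_enable != 0)
        return (-1);                        /* enable: 1 -> 0 must work */
    if (sysctl_set(o, 1, &old) != 0 || fw_enable != 1)
        return (-2);                        /* enable: 0 -> 1 must work */
    securelevel = 3;
    rc = sysctl_set(o, 0, &old);            /* the write the PR is about */
    if (sysctl_get(o, &old) != 0)
        return (-3);                        /* reads must still succeed */
    return (rc);
}

int main(void)
{
    int rc = run_scenario(&oid_unguarded);
    printf("unguarded: write at securelevel 3 -> rc=%d, fw_enable=%d\n", rc, fw_enable);
    rc = run_scenario(&oid_guarded);
    printf("guarded:   write at securelevel 3 -> rc=%d (EPERM=%d), fw_enable=%d\n",
        rc, EPERM, fw_enable);
    return (0);
}
```

The unguarded registration lets the write at securelevel 3 succeed and the firewall ends up disabled, which is the report; the guarded one returns EPERM and leaves `fw_enable` at 1, while `sysctl_get` keeps working in both cases, so monitoring that reads the knob is unaffected by the fix.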
State-Changed-From-To: closed->open 
State-Changed-By: ru 
State-Changed-When: Thu Oct 2 05:10:49 PDT 2003 
State-Changed-Why:  
Closed by mistake. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57492 
State-Changed-From-To: open->feedback 
State-Changed-By: bms 
State-Changed-When: Sat 4 Oct 2003 23:44:19 PDT 
State-Changed-Why:  
This should have been fixed by rev 1.6.2.17 of ip_fw2.c 
Please let me know if you can still reproduce the issue. 


Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Sat 4 Oct 2003 23:44:19 PDT 
Responsible-Changed-Why:  
I recently committed a fix for PR kern/39396 which looks to be a duplicate. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57492 
State-Changed-From-To: feedback->closed 
State-Changed-By: bms 
State-Changed-When: Sat 15 Nov 2003 00:34:51 PST 
State-Changed-Why:  
Timeout on feedback from originator. Problem believed fixed in previous commit 
to RELENG_4. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57492 
>Unformatted:
