[moving from -ipfw and -arch to -hackers]
Tony Landells <[EMAIL PROTECTED]> writes:
> One concern I would have with that is that there are a lot of tools
> built on BPF that I would prefer to not be able to run on the firewall.
Don't confuse BPF with promiscuous mode. BPF is simply a programmable
packet filter and does not in and of itself represent a security risk.
Promiscuous mode allows a host to capture packets not destined to
itself, and may represent a security risk on shared media networks
(e.g. 10Base2, unswitched 10BaseT).
The attached patch prevents switching into promiscuous mode when
running in "Network secure mode" (securelevel 3 or higher).
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Index: if.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if.c,v
retrieving revision 1.77
diff -u -r1.77 if.c
--- if.c 1999/11/22 02:44:51 1.77
+++ if.c 1999/11/29 12:52:07
@@ -908,6 +908,8 @@
int error;
if (pswitch) {
+ if (securelevel >= 3)
+ return (EPERM);
/*
* If the device is not configured up, we cannot put it in
* promiscuous mode.
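Review bot: the new `securelevel >= 3` check at the top of the `if (pswitch)` branch carries no comment, while the "device is not configured up" case right below it does; add one such as `/* Network secure mode: refuse to enter promiscuous mode. */` so a reader of if.c does not have to find this thread to learn the policy. Two consequences the commit message should also state: because the check runs before any interface state is consulted, every enable request at securelevel 3 gets EPERM, including one for an interface that is already promiscuous on behalf of another consumer; and because only the enable branch is touched, an interface that entered promiscuous mode before securelevel was raised stays promiscuous (leaving it remains allowed). A named constant for the network secure mode level would also read better than the bare 3.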
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
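As an added example (not part of DES's patch and not FreeBSD kernel code), here is a userland model of the gate the patch puts in ifpromisc(), written to show what the check does and does not cover: it refuses to enter promiscuous mode at securelevel 3 or higher, it does not clear promiscuous mode that was entered earlier, and it still lets a consumer leave promiscuous mode. The struct, the per-interface consumer count (pcount) and the model_/scenario_ names are assumptions made for illustration; only the securelevel rule and the "device must be configured up" rule come from the hunk and its context lines.

```c
/*
 * Userland model of the promiscuous-mode gate the patch adds to
 * ifpromisc().  Added example, not the FreeBSD kernel code: the struct,
 * the consumer refcount (pcount) and the function names are assumptions
 * made for illustration.  Only two rules come from the patch and its
 * context lines: securelevel >= 3 refuses to *enter* promiscuous mode
 * with EPERM, and a device that is not up cannot be put in promiscuous
 * mode.
 */
#include <errno.h>
#include <stdio.h>

#define IFF_UP      0x0001
#define IFF_PROMISC 0x0100

struct model_ifnet {
    const char *name;
    int flags;   /* IFF_UP, IFF_PROMISC */
    int pcount;  /* assumed: consumers currently wanting promiscuous mode */
};

/* Stands in for the kernel's global securelevel. */
int model_securelevel = 0;

/* Model of the patched ifpromisc(); returns 0 or an errno value. */
int model_ifpromisc(struct model_ifnet *ifp, int pswitch)
{
    if (pswitch) {
        /* The patch: in network secure mode, refuse to enter promiscuous
         * mode before any interface state is consulted. */
        if (model_securelevel >= 3)
            return EPERM;
        /* Context line in the hunk: the device must be configured up. */
        if ((ifp->flags & IFF_UP) == 0)
            return ENETDOWN;
        /* Assumed refcount: only the first consumer flips the flag. */
        if (ifp->pcount++ != 0)
            return 0;
        ifp->flags |= IFF_PROMISC;
    } else {
        /* Leaving promiscuous mode is not gated by the patch. */
        if (ifp->pcount == 0)
            return EINVAL;       /* assumed: nothing to release */
        if (--ifp->pcount > 0)
            return 0;
        ifp->flags &= ~IFF_PROMISC;
    }
    return 0;
}

/* Try to enter promiscuous mode on a fresh interface at a given
 * securelevel; returns the errno value (0 on success). */
int try_enter(int level, int ifup)
{
    struct model_ifnet ifp = { "ed0", ifup ? IFF_UP : 0, 0 };
    model_securelevel = level;
    return model_ifpromisc(&ifp, 1);
}

/* A consumer that entered promiscuous mode before securelevel was raised
 * keeps it (raising securelevel does not clear IFF_PROMISC) and can still
 * leave it.  Returns 0 when the model behaves that way. */
int scenario_existing_consumer(void)
{
    struct model_ifnet ifp = { "ed0", IFF_UP, 0 };
    model_securelevel = 0;
    if (model_ifpromisc(&ifp, 1) != 0 || !(ifp.flags & IFF_PROMISC))
        return -1;
    model_securelevel = 3;
    if (!(ifp.flags & IFF_PROMISC))
        return -2;
    if (model_ifpromisc(&ifp, 0) != 0 || (ifp.flags & IFF_PROMISC))
        return -3;
    return 0;
}

/* At securelevel 3 a second consumer is refused with EPERM even though the
 * interface is already promiscuous; returns that errno value. */
int scenario_second_consumer(void)
{
    struct model_ifnet ifp = { "ed0", IFF_UP, 0 };
    model_securelevel = 0;
    (void)model_ifpromisc(&ifp, 1);
    model_securelevel = 3;
    return model_ifpromisc(&ifp, 1);
}

int main(void)
{
    printf("enter at securelevel 0: %d\n", try_enter(0, 1));
    printf("enter at securelevel 3: %d (EPERM=%d)\n", try_enter(3, 1), EPERM);
    printf("enter while down at securelevel 0: %d (ENETDOWN=%d)\n",
           try_enter(0, 0), ENETDOWN);
    printf("existing consumer survives raise: %d\n",
           scenario_existing_consumer());
    printf("second consumer at securelevel 3: %d (EPERM=%d)\n",
           scenario_second_consumer(), EPERM);
    return 0;
}
```

The ordering in model_ifpromisc() matters: because the securelevel test comes first, a down interface at securelevel 3 reports EPERM rather than ENETDOWN, exactly as the hunk places the new check ahead of the existing "configured up" test.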