Re: new IPFW
[moving from -ipfw and -arch to -hackers]

Tony Landells [EMAIL PROTECTED] writes:
> One concern I would have with that is that there are a lot of tools built on BPF that I would prefer to not be able to run on the firewall.

Don't confuse BPF with promiscuous mode. BPF is simply a programmable packet filter and does not in and of itself represent a security risk. Promiscuous mode allows a host to capture packets not destined to itself, and may represent a security risk on shared media networks (e.g. 10Base2, unswitched 10BaseT).

The attached patch prevents switching into promiscuous mode when running in "Network secure mode" (securelevel 3 or higher).

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]

Index: if.c === RCS file: /home/ncvs/src/sys/net/if.c,v retrieving revision 1.77 diff -u -r1.77 if.c --- if.c1999/11/22 02:44:51 1.77 +++ if.c1999/11/29 12:52:07 @@ -908,6 +908,8 @@ int error; if (pswitch) { + if (securelevel = 3) + return (EPERM); /* * If the device is not configured up, we cannot put it in * promiscuous mode.

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
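Review bot: the added line "if (securelevel = 3)" inside the pswitch branch is an assignment, not a comparison: it overwrites securelevel with 3 and the branch is always taken, so every request to enter promiscuous mode returns EPERM whatever the real level was. The message describes the gate as "securelevel 3 or higher", so the line should read "if (securelevel >= 3)"; if the ">" was lost in transit, the posted hunk still needs it before it is committed. As placed, the check only refuses new requests (pswitch != 0) and does not touch interfaces that are already promiscuous, which is why starting a listener such as mrouted before the level is raised keeps working; that behaviour is worth a comment beside the check so nobody later "fixes" it.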
Re: new IPFW
> The attached patch prevents switching into promiscuous mode when running in "Network secure mode" (securelevel 3 or higher).

What happens with your patch if I need to run an mrouted on such a machine?

cheers
luigi
Re: new IPFW
Luigi Rizzo [EMAIL PROTECTED] writes:
> > The attached patch prevents switching into promiscuous mode when running in "Network secure mode" (securelevel 3 or higher).
>
> What happens with your patch if I need to run an mrouted on such a machine?

It'll crash and burn, which demonstrates the inadequacy of the secure level mechanism.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: new IPFW
Dag-Erling Smorgrav wrote:
> Luigi Rizzo [EMAIL PROTECTED] writes:
> > > The attached patch prevents switching into promiscuous mode when running in "Network secure mode" (securelevel 3 or higher).
> >
> > What happens with your patch if I need to run an mrouted on such a machine?
>
> It'll crash and burn, which demonstrates the inadequacy of the secure level mechanism.

Or you start mrouted before going to securelevel 3.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters  Softweyr LLC
[EMAIL PROTECTED]  http://softweyr.com/
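The securelevel gate this thread argues about, as an added example written for this page (it is not code from the thread, nor FreeBSD's if.c): a user-space model of the ifpromisc() logic with the comparison written as ">=", the IFF_UP test the hunk's trailing comment refers to, and the ordering Wes Peters describes, so the three outcomes (a listener started before the raise keeps its promiscuous interface, a request made after the raise is refused, and releasing promiscuous mode is never blocked) can be checked directly. The struct, flag values, interface name and helper names are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed flag values for this model (not the kernel's definitions). */
#define IFF_UP      0x1
#define IFF_PROMISC 0x100

/* Model of the kernel's securelevel; 3 is the "Network secure mode" of the thread. */
static int securelevel = 0;

/* Hypothetical stand-in for struct ifnet, reduced to what the gate needs. */
struct ifnet_model {
    const char *name;
    int flags;
    int pcount;      /* outstanding promiscuous-mode requests */
};

/* Once the system is up, securelevel can only be raised, never lowered. */
static int raise_securelevel(int level)
{
    if (level < securelevel)
        return EPERM;
    securelevel = level;
    return 0;
}

/*
 * Model of ifpromisc(): pswitch != 0 asks for promiscuous mode, 0 releases it.
 * The gate compares with ">=" ("3 or higher"); a single "=" would assign and
 * always take the branch.  Releasing is never gated, so an interface that was
 * made promiscuous before the level was raised can still be returned to normal.
 */
static int ifpromisc(struct ifnet_model *ifp, int pswitch)
{
    if (pswitch) {
        if (securelevel >= 3)
            return EPERM;
        /* As the hunk's trailing comment says: a down interface cannot be made promiscuous. */
        if ((ifp->flags & IFF_UP) == 0)
            return ENETDOWN;
        if (ifp->pcount++ != 0)
            return 0;                 /* already promiscuous, just count the holder */
        ifp->flags |= IFF_PROMISC;
    } else {
        if (ifp->pcount == 0)
            return EINVAL;            /* nothing to release */
        if (--ifp->pcount > 0)
            return 0;                 /* other holders remain */
        ifp->flags &= ~IFF_PROMISC;
    }
    return 0;
}

/* Wes Peters' ordering: the listener is started before the level is raised. Returns 1 if promisc survives. */
static int promisc_survives_raise(void)
{
    struct ifnet_model ifp = { "fxp0", IFF_UP, 0 };   /* constructed interface */
    securelevel = 0;
    if (ifpromisc(&ifp, 1) != 0)
        return 0;
    if (raise_securelevel(3) != 0)
        return 0;
    return (ifp.flags & IFF_PROMISC) != 0;
}

/* The same request made after the raise is refused and leaves level and flags alone. Returns 1 on that outcome. */
static int promisc_refused_after_raise(void)
{
    struct ifnet_model ifp = { "fxp0", IFF_UP, 0 };
    int err;
    securelevel = 0;
    raise_securelevel(3);
    err = ifpromisc(&ifp, 1);
    return (err == EPERM && securelevel == 3 && ifp.flags == IFF_UP);
}

/* Releasing promiscuous mode is still allowed at securelevel 3. Returns 1 if the flag is cleared. */
static int release_allowed_after_raise(void)
{
    struct ifnet_model ifp = { "fxp0", IFF_UP, 0 };
    securelevel = 0;
    ifpromisc(&ifp, 1);
    raise_securelevel(3);
    return (ifpromisc(&ifp, 0) == 0 && (ifp.flags & IFF_PROMISC) == 0);
}

int main(void)
{
    printf("start-before-raise keeps promisc: %d\n", promisc_survives_raise());
    printf("request-after-raise refused:      %d\n", promisc_refused_after_raise());
    printf("release-after-raise allowed:      %d\n", release_allowed_after_raise());
    return 0;
}
```

The model makes the operational point of the thread concrete: the check is a policy on state transitions, not on state, so anything that must be promiscuous on a securelevel-3 host has to acquire that state before the level is raised, and nothing in the gate reclaims it afterwards.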