Re: new IPFW

1999-11-29 Thread Dag-Erling Smorgrav

[moving from -ipfw and -arch to -hackers]

Tony Landells [EMAIL PROTECTED] writes:
> One concern I would have with that is that there are a lot of tools
> built on BPF that I would prefer to not be able to run on the firewall.

Don't confuse BPF with promiscuous mode. BPF is simply a programmable
packet filter and does not in and of itself represent a security risk.
Promiscuous mode allows a host to capture packets not destined to
itself, and may represent a security risk on shared media networks
(e.g. 10Base2, unswitched 10BaseT).

The attached patch prevents switching into promiscuous mode when
running in "Network secure mode" (securelevel 3 or higher).

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]

Index: if.c
===
RCS file: /home/ncvs/src/sys/net/if.c,v
retrieving revision 1.77
diff -u -r1.77 if.c
--- if.c1999/11/22 02:44:51 1.77
+++ if.c1999/11/29 12:52:07
@@ -908,6 +908,8 @@
int error;
 
if (pswitch) {
+   if (securelevel = 3)
+   return (EPERM);
/*
 * If the device is not configured up, we cannot put it in
 * promiscuous mode.
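Review bot: the condition in the hunk reads `if (securelevel = 3)`, which is an assignment rather than a comparison: it stores 3 into securelevel and is always true, so every attempt to enter promiscuous mode would return EPERM regardless of the actual securelevel, and the variable itself gets clobbered. The covering message describes "securelevel 3 or higher", so the intended test is `if (securelevel >= 3)`; if the `>` was lost in transit, the committed version should be checked. Two smaller points: the check sits inside `if (pswitch)`, so it only refuses entering promiscuous mode and leaving it stays possible, which deserves a comment beside the check; and the early return happens before the "device is not configured up" test, so a caller on a down interface at securelevel 3 sees EPERM rather than the down-interface error.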



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message



Re: new IPFW

1999-11-29 Thread Luigi Rizzo

> The attached patch prevents switching into promiscuous mode when
> running in "Network secure mode" (securelevel 3 or higher).

What happens with your patch if I need
to run an mrouted on such a machine?

cheers
luigi





Re: new IPFW

1999-11-29 Thread Dag-Erling Smorgrav

Luigi Rizzo [EMAIL PROTECTED] writes:
> > The attached patch prevents switching into promiscuous mode when
> > running in "Network secure mode" (securelevel 3 or higher).
> What happens with your patch if I need to run an mrouted on such a
> machine?

It'll crash and burn, which demonstrates the inadequacy of the secure
level mechanism.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]





Re: new IPFW

1999-11-29 Thread Wes Peters

Dag-Erling Smorgrav wrote:
>
> Luigi Rizzo [EMAIL PROTECTED] writes:
> > > The attached patch prevents switching into promiscuous mode when
> > > running in "Network secure mode" (securelevel 3 or higher).
>
> > What happens with your patch if I need to run an mrouted on such a
> > machine?
>
> It'll crash and burn, which demonstrates the inadequacy of the secure
> level mechanism.

Or you start mrouted before going to securelevel 3.

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
[EMAIL PROTECTED]   http://softweyr.com/


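Added example, not code from the thread or from FreeBSD's if.c: a small C model of an ifpromisc()-style routine carrying the patch's securelevel gate, written with the comparison as `>= 3` as the covering message describes, plus a scenario that walks through the mrouted question and Wes Peters' answer (enable promiscuous mode before the securelevel is raised). The struct and function names, the flag values and the reference-count handling are invented for the example and are not the kernel's own.

```c
/* Example only: a model of a securelevel-gated ifpromisc()-style call.
 * struct ifnet_model, ifpromisc_model and the flag values are placeholders,
 * not FreeBSD identifiers. */
#include <errno.h>
#include <stdio.h>

#define IFF_UP      0x1     /* placeholder flag values */
#define IFF_PROMISC 0x100

struct ifnet_model {
    int if_flags;   /* IFF_UP, IFF_PROMISC */
    int if_pcount;  /* how many callers currently want promiscuous mode */
};

/* pswitch != 0 requests promiscuous mode, 0 releases one request.
 * securelevel >= 3 is "network secure mode" in the thread's terminology. */
int ifpromisc_model(struct ifnet_model *ifp, int pswitch, int securelevel)
{
    if (pswitch) {
        /* The patch's gate, with the comparison spelled out as intended.
         * It only refuses *entering* promiscuous mode. */
        if (securelevel >= 3)
            return EPERM;
        /* A down interface cannot be made promiscuous. */
        if ((ifp->if_flags & IFF_UP) == 0)
            return ENETDOWN;
        /* Already promiscuous: just count one more user. */
        if (ifp->if_pcount++ != 0)
            return 0;
        ifp->if_flags |= IFF_PROMISC;
    } else {
        if (ifp->if_pcount == 0)
            return 0;                   /* nothing to release */
        if (--ifp->if_pcount > 0)
            return 0;                   /* other users remain */
        ifp->if_flags &= ~IFF_PROMISC;  /* last user gone: leave promiscuous mode */
    }
    return 0;
}

/* A daemon that needs promiscuous mode is started at securelevel 0, then the
 * securelevel is raised to 3. Returns 1 if every step behaves as the thread
 * describes: the early request succeeds, a later one is refused with EPERM,
 * the existing promiscuous state is kept, and releasing it is still allowed. */
int scenario_start_before_securelevel(void)
{
    struct ifnet_model ifp = { IFF_UP, 0 };

    if (ifpromisc_model(&ifp, 1, 0) != 0) return 0;       /* allowed at level 0 */
    if (!(ifp.if_flags & IFF_PROMISC)) return 0;
    if (ifpromisc_model(&ifp, 1, 3) != EPERM) return 0;   /* refused at level 3 */
    if (!(ifp.if_flags & IFF_PROMISC)) return 0;          /* state untouched */
    if (ifp.if_pcount != 1) return 0;                     /* refused call not counted */
    if (ifpromisc_model(&ifp, 0, 3) != 0) return 0;       /* leaving still allowed */
    if (ifp.if_flags & IFF_PROMISC) return 0;
    return 1;
}

/* A down interface at securelevel 3 sees EPERM before the IFF_UP check;
 * the same interface at securelevel 0 sees ENETDOWN. */
int scenario_down_interface(int securelevel)
{
    struct ifnet_model ifp = { 0, 0 };
    return ifpromisc_model(&ifp, 1, securelevel);
}

int main(void)
{
    printf("start-before-securelevel scenario: %s\n",
           scenario_start_before_securelevel() ? "as described" : "unexpected");
    printf("down interface, securelevel 0: %d, securelevel 3: %d\n",
           scenario_down_interface(0), scenario_down_interface(3));
    return 0;
}
```

The point of the scenario is the one Wes makes: the gate is ordering-dependent, so a daemon that is already promiscuous keeps working after the securelevel is raised, while anything started (or restarted) afterwards fails; a monitoring rule for such a host would look for EPERM from the promiscuous-mode path after boot rather than for the mode itself.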