[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ipfilter and kern.securelevel

I need a solution for a firewall (ipfilter) running with intelligent
inspection proxies. The ftp proxy isn't up to snuff yet but it does try
to add rules to the in-kernel list.

The problem is when the machine is at securelevel=2. Changing ipf/ipnat
rules is prohibited. Does it make sense to define a level of 3 that
locks these rules or exempt ipf from level 2 checks entirely?

I don't want to give up the benefits of filesystem immutable flags and
what not just to dynamically add/drop rules.