On Sun, 13 Jul 2014 07:42:42 +1200, Peter Toth wrote:
 > Hi Ian,
 > 
 > This is for the jail's securelevel option. If you set it to the highest
 > number 3 it will fail to load IPFW rules in a jail during startup.
 > 
 > Snip from "man securelevel":
 > Network secure mode - same as highly secure mode, plus IP packet
 > filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
 > changed and dummynet(4) or pf(4) configuration cannot be adjusted.
 >
 > Cheers,
 > Peter

I understood why 3 wouldn't work.  What I hadn't realised was that you 
were defaulting iocage jails to securelevel 3, which just shows that I 
hadn't read the manual :)

ezjail has tests for securelevel > 0 re installing or updating, but I 
assumed that to refer to the host's securelevel.

Thanks, Ian

 > On Sun, Jul 13, 2014 at 4:08 AM, Ian Smith <[email protected]> wrote:
 > 
 > > Hi Peter,
 > >
 > > from your FAQ at http://iocage.readthedocs.org/en/latest/faq.html
 > >
 > > "If you plan on using IPFW inside a jail make sure securelevel is set to 2"
 > >
 > > Unless this is also a FAQ you can point me to, can you explain why this
 > > is needed?  Reading security(7) leaves me unclear on how securelevels
 > > apply in a jail, or what it may be about ipfw(8) particularly that could
 > > compromise jail (or host?) security, that other services could not?
 > >
 > > cheers, Ian