Odhiambo Washington wrote:
Hello everyone,


I'm a PF newbie only from this week. I've been using IPFilter all along.
On my 6.0 box acting as a router, I was also playing with Mandatory
Access Control, especially mac_lomac. This seemed to work with IPFilter
but the moment I switched to PF, the machine would panic and reboot.

I had mac_lomac_enable="YES" in /boot/loader.conf. This is after I
compiled a kernel with "options MAC".
In /etc/sysctl.conf I had the following:

security.mac.lomac.enabled=1
security.mac.lomac.revocation_enabled=1
security.mac.lomac.ptys_equal=1

And in /etc/rc.conf, all active interfaces were configured with
"maclabel lomac/equal" added to the ifconfig args.

I'd switch from ipfilter/ipnat to PF by flushing rules in this order:
ipf -Fa
ipnat -FC

pfctl -e
pfctl -f /etc/pf.conf

At this juncture, the box would panic:

panic: mac_lomac_dominate_element: a->mle_type invalid.
A memory dump would then occur and the box reboots.

I went a step ahead: disabled IPFilter in rc.conf and enabled
PF and rebooted. The box would fail to reboot in this case and
panic over and over until I disabled mac_lomac_enable="YES" in
/boot/loader.conf, the relevant entries in rc.conf and sysctl.conf.

Anyone using MAC who can reproduce the same?

Not exactly the same, but I had similar problems with mac_mls using pf. These panics occur because pf is imported from OpenBSD and not aware of using MAC at all; in fact it ignores MAC completely and thus it breaks policies. The best thing that you can do now is either to avoid using MAC or to use ipfw instead of pf.

Regards
Björn
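As an added example (not code from either poster), the following preflight script refuses to run the ipfilter-to-pf switch described in the thread while any MAC policy such as mac_lomac is enabled. It decides on `sysctl security.mac` output (a policy compiled into the kernel with "options MAC_LOMAC" never shows up in `kldstat`, so the module list is only reported for context), and it carries constructed sample output standing in for `kldstat` and `sysctl` on the box described above. The function and variable names are my own; the commands `kldstat`, `sysctl`, `ipf`, `ipnat` and `pfctl` are the stock FreeBSD tools.

```shell
#!/bin/sh
# Added example: preflight check before switching a FreeBSD router from
# ipfilter/ipnat to pf. It is not code from the thread's posters.

# Constructed sample output (not captured from a real box) standing in for
# `kldstat` and `sysctl security.mac` with mac_lomac loaded and enabled.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1   14 0xc0400000 6a2b40   kernel
 2    1 0xc0aa3000 4000     mac_lomac.ko'
SAMPLE_SYSCTL='security.mac.lomac.enabled: 1
security.mac.lomac.revocation_enabled: 1
security.mac.lomac.ptys_equal: 1'

# Print the names of MAC policy modules (mac_*.ko) found in kldstat-style
# text given as $1, one per line, without the mac_ prefix and .ko suffix.
loaded_mac_policies() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF ~ /^mac_[a-z_]+\.ko$/ {
        sub(/^mac_/, "", $NF); sub(/\.ko$/, "", $NF); print $NF }'
}

# Print the names of MAC policies whose security.mac.<name>.enabled sysctl
# is 1 in sysctl-style text given as $1, one per line.
enabled_mac_policies() {
    printf '%s\n' "$1" | sed -n 's/^security\.mac\.\([a-z_]*\)\.enabled: 1$/\1/p'
}

# Verdict for the switch: $1 = kldstat output, $2 = sysctl security.mac output.
# Prints "unsafe: <policy> enabled" and returns 1 if any policy is enabled,
# otherwise prints "safe" and returns 0. Loaded-but-disabled modules are
# only mentioned on stderr.
mac_pf_verdict() {
    enabled=$(enabled_mac_policies "$2")
    if [ -n "$enabled" ]; then
        echo "unsafe: $(echo "$enabled" | head -n 1) enabled"
        return 1
    fi
    loaded=$(loaded_mac_policies "$1")
    [ -n "$loaded" ] && echo "note: MAC modules loaded but disabled: $loaded" >&2
    echo "safe"
    return 0
}

# The switch itself, in the order used in the thread, gated on the check.
# Only meaningful on the FreeBSD router; never called by this script.
switch_to_pf() {
    mac_pf_verdict "$(kldstat)" "$(sysctl security.mac 2>/dev/null)" || return 1
    ipf -Fa
    ipnat -FC
    pfctl -e
    pfctl -f /etc/pf.conf
}

# Dry run against the constructed sample (expected: unsafe, lomac enabled).
if mac_pf_verdict "$SAMPLE_KLDSTAT" "$SAMPLE_SYSCTL"; then
    echo "preflight passed"
else
    echo "preflight failed; leaving ipfilter in place"
fi
```

On the router, replace the dry run with a call to `switch_to_pf`; it returns before touching ipfilter if any `security.mac.<policy>.enabled` sysctl reads 1.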
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf