Date:      Sun, 17 May 1998 22:58:30 -0400 (EDT)
From:      spork <spork@super-g.com>
To:        Charlie Root <root@ftp1.mfn.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Possible bug in IPFW
Message-ID:  <Pine.BSF.3.96.980517225150.18023C-100000@super-g.inch.com>
In-Reply-To: <199805171900.OAA07502@ftp1.mfn.org>

As others have stated, it's a config option in the kernel.  The main
reason that it should be there is to avoid a DoS attack by someone wanting
to fill your /var partition.  The one thing I'm curious about is whether it
ever resets itself...  It is nice to know if someone's banging on a port
they shouldn't be; I see *tons* of SNMP probes of our routers and the
subnets containing most of our public machines, usually from Canada for
some odd reason (??!?).

You can manually reset the counters with "ipfw zero".

You could probably cron that each day if you want, that way you can see
what you denied in your daily security mailing, and you'd still be
protected from /var fillage as long as it's a "watched" machine.

I highly recommend printing out the man page as a reference, ipfw is very
useful, and very well documented...

Good Luck,

Charles

Charles Sprickman
spork@super-g.com
---- 
                           "I'm not a prophet or a stone-age man
                           Just a mortal with potential of a superman
                           I'm living on"      -DB

On Sun, 17 May 1998, Charlie Root wrote:

> 
> As everyone on this list knows, we've been playing with IPFW pretty
> intensely over the last couple of days.  Having finalized our rule
> sets, we went about a stress-test (sans appreciable load) yesterday.
> 
> Here is the basic outline:
> 
> (1) Rulesets.  Allow this, that, blah, blah, blah...
> (2) Final rule: 65500 deny log all from any to any
> 
> So we bring up the filter machine, and start attacking it:
> 
> (3) First, (and last it turns out), we scan it twice, first on port
> 1080, and second on port 23 (dont ask why these ports, it's a long
> story). The scan consists of attempting to establish connections
> (i.e., *not* a "stealth" scanner) at each address of our ip blocks.
> 
> About halfway through the "23 series" of scans (which would make it
> about 750 connections attempted), it ceased logging (forever!) with the
> following message:
> 
> May 17 00:39:21 attackme /kernel: ipfw: 65500 Deny TCP x.x.x.x:1065 me.me.me.me:23 in via de3
> 
> I have checked for disk space, which AFAIK has never exceeded 50% usage on any
> slice, and sure enough, the top user of space was at a mere 45%.  /var is at 3%.
> 
> Except for the fact that it is no longer logging, it appears to be OK: cron
> is running and doing its thing, it succeeded in backing itself up last night,
> and it still appears to be filtering, although *without* logging bad packets.
> 
> Should I be forwarding this to the bugs list, or have I missed something
> very basic here?
> 
> TIA
> 
> J.A. Terranson
> sysadmin@mfn.org
> 
> A small fading light in a vast and obscure universe.
> 
> SUPPORT YOUR RIGHT TO PRIVACY: ENCRYPT!
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 


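A daily check-and-reset of the kind Charles describes, added here as an example and not code from either poster. It assumes the kernel was built with options IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT (the VERBOSE_LIMIT variable must match that value, or net.inet.ip.fw.verbose_limit on kernels that expose it), that the limit is applied per rule against the packet counter "ipfw -a list" shows (which is why "ipfw zero" restarts logging, as the reply says), and that "ipfw -a list" prints "rule packets bytes action ..." per line. The sample listing is constructed, not captured from a real host, and SNAPDIR is a hypothetical path.

```shell
#!/bin/sh
# Added example (not from the original thread): report ipfw rules whose
# "log" output has gone quiet because the rule's packet counter reached the
# kernel's verbose limit, then snapshot and zero the counters from cron.
#
# Assumptions (labelled; not taken from the mail):
#   * kernel built with options IPFIREWALL_VERBOSE and
#     IPFIREWALL_VERBOSE_LIMIT=<n>; VERBOSE_LIMIT must match <n>
#     (or net.inet.ip.fw.verbose_limit on kernels that expose the sysctl);
#   * the limit is compared per rule against the packet counter shown by
#     "ipfw -a list", so "ipfw zero" restarts logging;
#   * "ipfw -a list" prints "<rule> <packets> <bytes> <action> ..." per line.

VERBOSE_LIMIT=${VERBOSE_LIMIT:-100}
SNAPDIR=${SNAPDIR:-/var/log/ipfw}   # hypothetical location for daily snapshots

# Constructed sample of "ipfw -a list" output so the check runs without ipfw;
# rule 65500 mirrors the final deny-log rule in the thread.
SAMPLE_IPFW='00100         12        960 allow ip from any to any via lo0
00200          0          0 deny ip from any to 127.0.0.0/8
00300         35       2100 allow log tcp from any to any 25
65500        750      41250 deny log ip from any to any'

# rules_at_limit LISTING LIMIT
#   Print the number of every rule that carries "log" and whose packet
#   count is at or above LIMIT: such rules still filter but no longer
#   produce syslog lines until their counters are zeroed.
rules_at_limit() {
    printf '%s\n' "$1" | awk -v lim="$2" '
        NF >= 4 && $2 + 0 >= lim + 0 {
            for (i = 4; i <= NF; i++)
                if ($i == "log") { print $1; break }
        }'
}

# daily_snapshot_and_zero
#   Save the counters (including the rules that hit the limit) before
#   clearing them, so the daily security mail still shows what was denied.
#   Only runs where ipfw exists; returns non-zero otherwise.  Intended to be
#   called once a day from root's crontab.
daily_snapshot_and_zero() {
    command -v ipfw >/dev/null 2>&1 || return 1
    mkdir -p "$SNAPDIR" || return 1
    listing=$(ipfw -a list) || return 1
    printf '%s\n' "$listing" > "$SNAPDIR/counters.$(date +%Y%m%d)"
    silenced=$(rules_at_limit "$listing" "$VERBOSE_LIMIT")
    if [ -n "$silenced" ]; then
        printf 'ipfw logging silenced on rule(s): %s\n' "$silenced"
    fi
    ipfw zero
}

# Run the check against the constructed sample when executed directly.
echo "Rules whose logging stopped at limit $VERBOSE_LIMIT:"
rules_at_limit "$SAMPLE_IPFW" "$VERBOSE_LIMIT"
```

With the sample listing and the default limit of 100, only rule 65500 is reported: it has seen 750 packets, matching the roughly 750 connection attempts after which the original poster saw logging stop, while rule 00300 (35 packets) is still logging.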



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980517225150.18023C-100000>