From owner-freebsd-ipfw  Tue Jul 27 10:44:40 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gemini.bnc.net (gemini.bnc.net [195.247.233.33])
	by hub.freebsd.org (Postfix) with ESMTP
	id 99BFA152B7; Tue, 27 Jul 1999 10:44:34 -0700 (PDT)
	(envelope-from ap@bnc.net)
Received: (from ap@localhost)
          by gemini.bnc.net (8.9.3/8.9.3) id TAA74659;
          Tue, 27 Jul 1999 19:42:45 +0200 (CEST)
          (envelope-from ap)
Date: Tue, 27 Jul 1999 19:42:45 +0200
From: Achim Patzner <ap@bnc.net>
To: Nate Williams <nate@mt.sri.com>
Cc: Julian Elischer <julian@whistle.com>,
	"Brian F. Feldman" <green@FreeBSD.ORG>,
	Matthew Dillon <dillon@apollo.backplane.com>,
	Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG,
	freebsd-ipfw@FreeBSD.ORG
Subject: Re: securelevel and ipfw zero
Message-ID: <19990727194245.L58970@bnc.net>
References: <Pine.BSF.4.10.9907262322120.35843-100000@janus.syracuse.net> <Pine.BSF.3.95.990726204047.28343P-100000@current1.whistle.com> <199907271715.LAA25892@mt.sri.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <199907271715.LAA25892@mt.sri.com>; from Nate Williams on Tue, Jul 27, 1999 at 11:15:11AM -0600
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jul 27, 1999 at 11:15:11AM -0600, Nate Williams wrote:
> Then we'd have to implement per-rule counters that default to
> IPFW_VERBOSE_LIMIT but that could be changed to anything.

*falling on my knees* If you're going to do that what would it cost me (in
chocolate bars or sushi) to get you to implement a second set of counters
that will be filled by zeroing the first set (so I was able to read out
counters and reset them without losing accounting information)? Or at least
make zeroing printing out the contents before clearing them? Oh and while
we're at it.... *runs away and tries hiding*

> (Another thing I just thought of is that this could cause DoS attacks on
> the system if a user compromised root and then set the limit to a very
> high number.)

If you have someone going berzerk as "root" on a firewall you're definitely
going to have a completely different set of headaches. Why should someone
start DoS attacks after capturing a firewall? It's like painting the
fingernails before amputating the hand.


Achim


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message