Date:      Tue, 27 Jul 1999 14:02:19 -0500 (CDT)
From:      Joe Greco <jgreco@ns.sol.net>
To:        nate@mt.sri.com (Nate Williams)
Cc:        ap@bnc.net, nate@mt.sri.com, dillon@apollo.backplane.com, green@FreeBSD.ORG, jgreco@ns.sol.net, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907271902.OAA09915@aurora.sol.net>
In-Reply-To: <199907271735.LAA26067@mt.sri.com> from Nate Williams at "Jul 27, 1999 11:35:20 am"

> > > How do you figure?  Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> >                                               ^^^^^^^^^^^^^
> > Then what is
> > 
> > net.inet.ip.fw.verbose_limit: 0
> 
> Well I'll be.  You learn something new every day. :)
> 
> > made for and why does it help changing it? 8-)
> 
> Ahh.  However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.

The _problem_ with this (and it is FINE for doing interactive work on the
system as far as I am concerned) is that in a production environment with
machines with 800 day uptimes and securelevel 3, once you pass the
VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but
you then become vulnerable to the DoS attacks we have all been arguing
about.  In other words, it simply disables VERBOSE_LIMIT.

Useful, as I said, if you have a low VERBOSE_LIMIT and you are getting
some attack that you want to monitor firsthand in more detail...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847

