Date:      Tue, 27 Jul 1999 14:02:19 -0500 (CDT)
From:      Joe Greco <>
To: (Nate Williams)
Cc:,,, green@FreeBSD.ORG,, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: securelevel and ipfw zero
Message-ID:  <>
In-Reply-To: <> from Nate Williams at "Jul 27, 1999 11:35:20 am"

> > > How do you figure?  Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> >                                               ^^^^^^^^^^^^^
> > Then what is
> > 
> > net.inet.ip.fw.verbose_limit: 0
> Well I'll be.  You learn something new every day. :)
> > made for and why does it help changing it? 8-)
> Ahh.  However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.

The _problem_ with this (and it is FINE for doing interactive work on the
system as far as I am concerned) is that in a production environment with
machines with 800 day uptimes and securelevel 3, once you pass the
VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but
you then become vulnerable to the DoS attacks we have all been arguing
about.  In other words, it simply disables VERBOSE_LIMIT.

Useful, as I said, if you have a low VERBOSE_LIMIT and you are getting
some attack that you want to monitor firsthand in more detail...

... Joe

Joe Greco - Systems Administrator
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847
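
The trade-off Joe describes above, modelled as an added example for readers of the archive. This is not FreeBSD kernel code and not something posted in the thread: it is a small Python model of one global `net.inet.ip.fw.verbose_limit`, a per-rule count of packets logged so far, logging that stops once a rule's count reaches the limit, and a limit of 0 meaning "no cap". The class and function names (`Ipfw`, `flood`, `demo`), the sample addresses, and the assumption that `ipfw zero` is refused at securelevel 3 (taken from the thread's premise, not checked against any particular kernel version) are all the editor's.

```python
"""Model of ipfw's global verbose_limit versus per-rule log counters.

Added illustration, not FreeBSD kernel code. It mimics the behaviour the
thread describes and nothing more. The refusal of counter resets at
securelevel >= 3 is an assumption drawn from the thread's premise.
"""


class Ipfw:
    """Minimal model of the 'deny log' path of ipfw (illustration only)."""

    def __init__(self, verbose_limit=100, securelevel=0):
        self.verbose_limit = verbose_limit   # net.inet.ip.fw.verbose_limit
        self.securelevel = securelevel
        self.log_count = {}                  # rule number -> packets logged so far
        self.syslog = []                     # lines that would reach syslogd

    def deny(self, rule, pkt):
        """Drop a packet matching a 'deny log' rule, logging while under the cap."""
        n = self.log_count.get(rule, 0)
        # verbose_limit == 0 means "never stop logging"
        if self.verbose_limit == 0 or n < self.verbose_limit:
            self.syslog.append(f"ipfw: {rule} Deny {pkt}")
            self.log_count[rule] = n + 1

    def sysctl_verbose_limit(self, value):
        """sysctl -w net.inet.ip.fw.verbose_limit=N: one knob for every rule."""
        self.verbose_limit = value

    def zero(self, rule=None):
        """ipfw zero [rule]: reset counters; assumed refused at securelevel >= 3."""
        if self.securelevel >= 3:
            raise PermissionError(
                "ipfw zero refused at securelevel %d" % self.securelevel)
        if rule is None:
            self.log_count.clear()
        else:
            self.log_count.pop(rule, None)


def flood(fw, rule, count, src="10.0.0.1"):
    """Constructed attack: `count` packets from src hit `rule`; returns lines logged."""
    before = len(fw.syslog)
    for i in range(count):
        fw.deny(rule, f"TCP {src}:{1024 + i % 60000} 192.0.2.1:22 in")
    return len(fw.syslog) - before


def demo():
    """Walk through the situation in the thread on a securelevel-3 box."""
    results = {}
    fw = Ipfw(verbose_limit=100, securelevel=3)
    results["capped"] = flood(fw, 1000, 10000)        # 100 lines, then silence
    results["after_cap"] = flood(fw, 1000, 10000)     # 0: counter sits at the limit
    try:
        fw.zero(1000)                                  # cannot reset just this rule
        results["zero_allowed"] = True
    except PermissionError:
        results["zero_allowed"] = False
    fw.sysctl_verbose_limit(0)                         # the only knob left: no cap at all
    results["uncapped"] = flood(fw, 1000, 10000)      # every packet logged again
    results["other_rule_uncapped"] = flood(fw, 2000, 10000)  # and for every other rule
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run stand-alone it prints the five counts; the point is the last two lines, where lifting the cap to watch one attacked rule also turns every other `deny log` rule into an unbounded syslog source.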
