Date:      Tue, 27 Jul 1999 13:15:11 -0600
From:      Nate Williams <>
To:        Joe Greco <>
Cc: (Nate Williams),,
Subject:   Re: securelevel and ipfw zero
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

> > > > One could argue that accounting numbers in a firewall shouldn't be
> > > > trusted, but I won't argue that point since the firewall is often the
> > > > most 'natural' place to stick network accounting software.
> > > 
> > > If you can't trust something in the kernel, then you just can't trust
> > > anything at all.
> > 
> > It isn't the kernel that's zero'ing the counters. :)
> Accounting numbers in a kernel firewall _should_ be trustable, and on that
> basis, one can clearly make an argument for separating the logging count
> from the accounting count - which should never be zero'ed, at least in
> securemode.

One could argue that 'logging counters' in a firewall _should_ be
trustable as well.  You've argued against it, but I'm not convinced that
your opinion (or mine) is enough to consider it a 'bug'.

> I'm not saying your desire for per-rule counters is invalid, I'm just not
> of that same mindset.  But it does seem clear that it would be useful to
> have a mechanism to restart the logging after an IPFW_VERBOSE_LIMIT
> throttle.

It would be useful.  But, is its usefulness more important than being
able to rely on 'logging counters' being valid?  (You argue no, but I'm
not convinced...)

Again, it's not a fix, it's a feature.  Not being able to mess with
counters (logging or otherwise) is a feature.  It may be a feature that
you can do without, but that decision is not to be made lightly.
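The design the thread is weighing, as an added illustration in C that is not FreeBSD's ipfw code: a per-rule counter structure keeps the accounting counters (packets, bytes) apart from the logging counter that drives an IPFW_VERBOSE_LIMIT-style throttle, so that a logging restart never touches the accounting numbers, and both kinds of reset are refused once securelevel is raised. The `securelevel` variable, the struct and all function names here are hypothetical stand-ins for the kernel's own.

```c
/* Added example, not FreeBSD's ipfw implementation.  Models the two counter
 * kinds discussed on the list: accounting (pcnt/bcnt) and logging (logcnt).
 * The securelevel variable is a stand-in for the kernel's securelevel. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

static int securelevel = 0;     /* hypothetical: 0 = insecure, >0 = raised */

struct rule_counters {
    uint64_t pcnt;           /* accounting: packets matched by this rule   */
    uint64_t bcnt;           /* accounting: bytes matched by this rule     */
    uint32_t logcnt;         /* logging: packets logged since last restart */
    uint32_t verbose_limit;  /* 0 = log every match, else stop after N     */
};

/* Account for a matching packet; return true if it should also be logged.
 * Once logcnt reaches verbose_limit the rule is throttled: the packet is
 * still counted for accounting, but not logged. */
bool rule_match(struct rule_counters *rc, uint32_t pktlen)
{
    rc->pcnt++;
    rc->bcnt += pktlen;
    if (rc->verbose_limit != 0 && rc->logcnt >= rc->verbose_limit)
        return false;        /* throttled: counted, not logged */
    rc->logcnt++;
    return true;
}

/* Restart logging after a throttle by clearing ONLY the logging counter.
 * Accounting counters are untouched.  Returns 0 on success, -1 if refused
 * because securelevel is raised (the policy argued for in the thread). */
int rule_reset_logging(struct rule_counters *rc)
{
    if (securelevel > 0)
        return -1;
    rc->logcnt = 0;
    return 0;
}

/* Zero the accounting counters.  Refused at raised securelevel for the
 * same reason: accounting numbers in a kernel firewall must stay trustable. */
int rule_reset_accounting(struct rule_counters *rc)
{
    if (securelevel > 0)
        return -1;
    rc->pcnt = 0;
    rc->bcnt = 0;
    return 0;
}

/* Walk through the scenario: five matches against a limit of three, a
 * logging restart, two more matches.  Returns the total number logged. */
int demo_sequence(struct rule_counters *rc)
{
    int logged = 0;
    rc->pcnt = rc->bcnt = rc->logcnt = 0;
    rc->verbose_limit = 3;
    for (int i = 0; i < 5; i++)
        if (rule_match(rc, 100))
            logged++;                  /* only the first 3 are logged */
    if (rule_reset_logging(rc) == 0)   /* succeeds at securelevel 0 */
        for (int i = 0; i < 2; i++)
            if (rule_match(rc, 100))
                logged++;              /* logging resumes: 2 more */
    return logged;
}

int main(void)
{
    struct rule_counters rc;
    int logged = demo_sequence(&rc);
    printf("logged=%d pcnt=%llu bcnt=%llu\n", logged,
           (unsigned long long)rc.pcnt, (unsigned long long)rc.bcnt);
    securelevel = 1;
    printf("reset logging at securelevel 1: %d\n", rule_reset_logging(&rc));
    return 0;
}
```

The point the example makes concrete: restarting logging after the throttle leaves `pcnt` and `bcnt` at their true values, and with `securelevel` raised neither reset path is available, so both counter kinds remain trustworthy in secure mode.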
