Date:      Tue, 27 Jul 1999 15:05:11 -0500 (CDT)
From:      Joe Greco <>
To: (Nate Williams)
Subject:   Re: securelevel and ipfw zero
Message-ID:  <>
In-Reply-To: <> from Nate Williams at "Jul 27, 1999  1:59:58 pm"

> > > > > Again, it's not a fix, it's a feature.  Not being able to mess with
> > > > > counters (logging or otherwise) is a feature.  It may be a feature that
> > >               ^^^^^^^^^^^^^^^^^^^^
> > > > > you can do without, but that decision is not to be made lightly.
> > > > 
> > > > I'm _saying_ to create a completely separate counter which has nothing to
> > > > do with accounting.
> > > 
> > > See above.
> > 
> > I did see above.  If the sole purpose of a counter is to turn _off_ a
> > feature to prevent DoS attacks, and it is clearly desirable that the
> > admin (or a representative entity such as a monitoring system) would
> > want to be able to re-enable the logging under those same terms at some
> > admin-specified interval, how exactly would you choose to implement this?
> What was originally intended and what it's used for now are two
> different things.

I agree; the function of verbose log limiting was overloaded onto the
existing accounting counter.  That is why I am saying that this really,
really should be made into a separate log counter, whose sole function
in life is counting for the purpose of determining VERBOSE_LIMIT excesses.
I am not sure why you seem to have a problem with that.  If I have a
mechanism that exists for _one_ purpose and one purpose alone, why is it
unacceptable to perform operation "X" (where X == zero it) on said device
when that is an action that will cause it to work in a desired manner?

> I'd like to see people other than you, I, and Matt discussing this.
> Other people who use this feature of IPFW that have an opinion one way
> or the other should speak up.
> A group of two very opinionated people doesn't make a consensus, or
> necessarily the 'right' decision. :) :) :)

... Joe

Joe Greco - Systems Administrator
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847
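
The separation argued for in the message above, as an added example that is not code from the thread or from FreeBSD: a minimal C model in which the log-limit counter is distinct from the accounting counter, so logging can be re-armed without touching accounting data. All names (`struct rule`, `rule_reset_log`, and the rest) are hypothetical, and the securelevel threshold of 3 is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not FreeBSD's ipfw structures. */
struct rule {
    uint64_t pkt_count;  /* accounting counter: protected at raised securelevel */
    uint32_t log_count;  /* separate counter: only gates verbose logging */
    uint32_t log_limit;  /* stands in for VERBOSE_LIMIT; 0 means unlimited */
};

static int securelevel = 3;  /* assumed level at which counters are frozen */

/* Called for each matching packet; returns 1 if a log line should be written. */
int rule_match(struct rule *r)
{
    r->pkt_count++;                       /* accounting always advances */
    if (r->log_limit != 0 && r->log_count >= r->log_limit)
        return 0;                         /* limit reached: logging suppressed */
    r->log_count++;
    return 1;
}

/* Zeroing the accounting counter is refused once securelevel is raised. */
int rule_zero_accounting(struct rule *r)
{
    if (securelevel >= 3)
        return EPERM;
    r->pkt_count = 0;
    return 0;
}

/* Re-arming logging touches only the log counter, so no securelevel check. */
int rule_reset_log(struct rule *r)
{
    r->log_count = 0;
    return 0;
}

int main(void)
{
    struct rule r = { 0, 0, 3 };          /* constructed sample rule */
    int logged = 0;
    for (int i = 0; i < 10; i++)
        logged += rule_match(&r);
    printf("logged=%d pkts=%llu zero=%d\n", logged,
           (unsigned long long)r.pkt_count, rule_zero_accounting(&r));
    rule_reset_log(&r);
    printf("after reset: log=%d pkts=%llu\n", rule_match(&r),
           (unsigned long long)r.pkt_count);
    return 0;
}
```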
