Date: Wed, 28 Jul 1999 17:11:36 +0200 (cest) From: Henk van Oers <hvoers@anp.nl> To: "Brian F. Feldman" <green@FreeBSD.ORG> Cc: Nate Williams <nate@mt.sri.com>, Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: securelevel and ipfw zero Message-ID: <Pine.QNX4.4.02.9907281643190.13890-100000@ns.anp.nl> In-Reply-To: <Pine.BSF.4.10.9907280217180.71863-100000@janus.syracuse.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 28 Jul 1999, Brian F. Feldman wrote: > > > If it will get ALL of you to give it a rest, how about: > > > per-rule logging limits > > > logging limit raising > > > logging limit resetting > > > Which would all NOT affect the statistics? Separate statistics/logging counters is fine, but i don't need per-rule limits, a global limit is ok --> sysctl -w for raising and ipfw zerolog (or reset) for resetting. And then ... securelevel == 3 I think it is better NOT to permit 'sysctl -w', 'ipfw *' AND a logging limmit, just process the logfile faster to avoid DoS > > > > We need more input from people who use the code, to make sure they don't > > depend on the current 'features', or can live with changes to them. If you can keep the foot print small i can live with it. > > > > Implementing it is the easy part, making sure it's the right thing to do > > is the hard part. Right! > > Well, the easy part is done, except for raising limits. Look: > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: limit 2 reached on rule #1 > ipfw: Entry 1 logging count reset. > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: limit 2 reached on rule #1 > > I think this feature should DEFINITELY go in. I'm going to clean it up some > (ip_fw.c itself), and then make a set of diffs for this feature. > Nice? :) Nice? Depends on the diffs AND the man page ;-) Henk. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.QNX4.4.02.9907281643190.13890-100000>