Date: Sun, 17 May 1998 18:26:10 -0400 (EDT)
From: Dima Dorfman <dima@zwb.net>
To: root@ftp1.mfn.org (Charlie Root)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Possible bug in IPFW
Message-ID: <199805172226.SAA23419@nwalme.pair.com>
In-Reply-To: <199805171900.OAA07502@ftp1.mfn.org> from Charlie Root at "May 17, 98 02:00:49 pm"

I only have an answer to the logging question. IPFW stops logging at a
certain number. I don't know what it is, but I know that you can change it
in your kernel configuration file. Look in the handbook for details.

>
> As everyone on this list knows, we've been playing with IPFW pretty
> intensely over the last couple of days. Having finalized our rule
> sets, we went about a stress-test (sans appreciable load) yesterday.
>
> Here is the basic outline:
>
> (1) Rulesets. Allow this, that, blah, blah, blah...
> (2) Final rule: 65500 deny log all from any to any
>
> So we bring up the filter machine, and start attacking it:
>
> (3) First, (and last it turns out), we scan it twice, first on port
> 1080, and second on port 23 (don't ask why these ports, it's a long
> story). The scan consists of attempting to establish connections
> (i.e., *not* a "stealth" scanner) at each address of our ip blocks.
>
> About half way through the "23 series" of scans (which would make it
> about 750 connections attempted), it ceased logging (forever!) with the
> following message:
>
> May 17 00:39:21 attackme /kernel: ipfw: 65500 Deny TCP x.x.x.x:1065 me.me.me.me:23 in via de3
>
> I have checked for disk space, which AFAIK has never exceeded 50% usage on any
> slice, and sure enough, the top user of space was at a mere 45%. /var is at 3%.
>
> Except for the fact that it is no longer logging, it appears to be ok: cron
> is running and doing its thing, it succeeded in backing itself up last night,
> and it still appears to be filtering, although *without* logging bad packets.
>
> Should I be forwarding this to the bugs list, or have I missed something
> very basic here?
>
> TIA
>
> J.A. Terranson
> sysadmin@mfn.org
>
> A small fading light in a vast and obscure universe.
>
> SUPPORT YOUR RIGHT TO PRIVACY: ENCRYPT!
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

--
Dima Dorfman (dima@zwb.net)
"640k ought to be enough for anybody." - Bill Gates, 1981
Micro$oft Sucks! FreeBSD Rules! http://www.freebsd.org/
Finger dima@zwb.net for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message