Date:      Mon, 8 Dec 1997 08:20:01 -0700
From:      Nate Williams <nate@mt.sri.com>
To:        Jan Koum <jkb@best.com>
Cc:        Nate Williams <nate@mt.sri.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw WAS: Re: [linux-security] New Program: Abacus Sentry
Message-ID:  <199712081520.IAA11375@mt.sri.com>
In-Reply-To: <Pine.BSF.3.96.971208010301.24278A-100000@shell6.ba.best.com>
References:  <199712080704.AAA10395@mt.sri.com> <Pine.BSF.3.96.971208010301.24278A-100000@shell6.ba.best.com>

> 	Talking about ipfw. I have a rather stupid question. Say I am
> host a.b.c.d and I am running ipfw. I am denying a lot of stuff and it is
> also logging. Now, I don't have a limit on the logging set in the kernel,
> which means that if I get a lot of denied connections logged, my system
> message buffer doesn't have enough room to log it by default.

Why don't you limit the # of logging attempts per rule?

> The question
> is: how do I increase it? The space for the system message buffer, that is. So
> when I do 'dmesg', I don't see the last lines of ipfw logging.

No matter how big you make it, sooner or later you're going to run into
the limit.  What I do is to monitor it (which you should anyway) on a
regular basis, and then 'flush' the ipfw stats, thus allowing you to log
another X messages/rule.

> 	Actually, the above can also be considered a security problem since
> people can't see if they were attacked two days or weeks ago. Too much
> stuff gets logged and gets pushed from the dmesg buffer.

The stuff also gets logged in /var/log/syslog as well, but it still
has some limits.  W/out any limits a hacker can fill up *all* of your
kernel logging memory and thus cause your computer to quit working,
causing a wonderful Denial of Service attack.

Also, if you don't monitor your system more often than every two weeks,
IPFW isn't doing you any good since it's not giving you any 'advance'
warning that something is going on, but telling you that something may
have already happened.

Monitor often and you can prevent things from occurring.


Nate
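The advice above amounts to: cap logging per rule, review the logged denies regularly, and reset the per-rule log counters once they have been looked at. The following script is an added example, not part of the original mail or of FreeBSD itself. It summarises ipfw "Deny" log lines per rule number from syslog text and flags the rules whose hit count has reached the per-rule logging limit, which is exactly the point at which the kernel stops logging that rule until its counter is reset. The sample syslog lines, the hostname and the limit value of 5 are constructed for the example; the line shape follows the usual ipfw log format (`ipfw: <rule> Deny <proto> <src> <dst> in via <if>`).

```shell
#!/bin/sh
# Added example: count ipfw "Deny" log lines per rule and flag rules that
# have hit the per-rule logging limit.  Sample data and the limit value are
# constructed for this example, not taken from the original mail.

# Assumed per-rule logging limit for this example (override via environment).
LOG_LIMIT="${LOG_LIMIT:-5}"

# Constructed sample of syslog lines in the ipfw "Deny" log format.
SAMPLE_LOG='Dec  8 08:01:12 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:40001 192.0.2.1:23 in via fxp0
Dec  8 08:01:13 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:40002 192.0.2.1:23 in via fxp0
Dec  8 08:01:14 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:40003 192.0.2.1:23 in via fxp0
Dec  8 08:01:15 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:40004 192.0.2.1:23 in via fxp0
Dec  8 08:01:16 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:40005 192.0.2.1:23 in via fxp0
Dec  8 08:02:01 gw /kernel: ipfw: 200 Deny UDP 10.0.0.9:5000 192.0.2.1:111 in via fxp0
Dec  8 08:02:30 gw /kernel: ipfw: 200 Deny UDP 10.0.0.9:5001 192.0.2.1:111 in via fxp0
Dec  8 08:03:00 gw /kernel: ipfw: 300 Accept TCP 10.0.0.7:1024 192.0.2.1:80 in via fxp0'

# deny_counts LOGTEXT
#   Prints "<rule> <count>" for every rule with Deny entries, sorted by rule.
#   Accept lines are ignored; only denies are of interest for review here.
deny_counts() {
    printf '%s\n' "$1" | awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") { rule = $(i + 1); break }
            n[rule]++
        }
        END { for (r in n) print r, n[r] }' | sort -n
}

# count_for_rule LOGTEXT RULE
#   Prints the number of Deny entries logged for RULE (0 if none).
count_for_rule() {
    c=$(deny_counts "$1" | awk -v r="$2" '$1 == r { print $2 }')
    printf '%s\n' "${c:-0}"
}

# rules_at_limit LOGTEXT LIMIT
#   Prints the rule numbers whose Deny count has reached LIMIT; the kernel
#   will not log further hits on these rules until their counters are reset.
rules_at_limit() {
    deny_counts "$1" | awk -v lim="$2" '$2 >= lim { print $1 }'
}

echo "Deny entries per rule:"
deny_counts "$SAMPLE_LOG"
for r in $(rules_at_limit "$SAMPLE_LOG" "$LOG_LIMIT"); do
    echo "rule $r has reached the logging limit ($LOG_LIMIT); later hits are not being logged"
    echo "  after reviewing these entries, reset the counter (e.g. 'ipfw resetlog $r' or 'ipfw zero $r')"
done
```

In practice the script would read `/var/log/syslog` (or whatever syslogd writes the kernel facility to) instead of the embedded sample, and it would run from cron at the monitoring interval the reply recommends; the reset command is only printed, not executed, so that an operator looks at the entries before the counter is cleared.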