Date:      Sun, 3 Aug 2008 16:40:07 GMT
From:      "Antoine Brodin" <antoine@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Message-ID:  <200808031640.m73Ge7Q0049942@freefall.freebsd.org>

The following reply was made to PR conf/126060; it has been noted by GNATS.

From: "Antoine Brodin" <antoine@FreeBSD.org>
To: bug-followup@freebsd.org, rfg@tristatelogic.com
Cc:  
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Date: Sun, 3 Aug 2008 18:32:07 +0200

 I think that this periodic script has a few problems:
 - it should not check rules without "logamount"
 - it should not use sysctl net.inet.ip.fw.verbose_limit
 - it should not run if sysctl net.inet.ip.fw.verbose is not 1
 
 The logging limit for a rule that doesn't have "logamount" is set to
 the value of net.inet.ip.fw.verbose_limit at the time the rule is set,
 and when this rule is shown later it has a logamount:
 
 %%%
 # ipfw -a list
 65535 0 0 deny ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=0
 net.inet.ip.fw.verbose_limit: 500 -> 0
 # ipfw add 100 allow log ip from any to any
 00100 allow log ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=100
 net.inet.ip.fw.verbose_limit: 0 -> 100
 # ipfw add 200 allow log ip from any to any
 00200 allow log logamount 100 ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=200
 net.inet.ip.fw.verbose_limit: 100 -> 200
 # ipfw add 300 allow log ip from any to any
 00300 allow log logamount 200 ip from any to any
 # sysctl net.inet.ip.fw.verbose_limit=300
 net.inet.ip.fw.verbose_limit: 200 -> 300
 # ipfw add 400 allow log ip from any to any
 00400 allow log logamount 300 ip from any to any
 # ipfw add 500 allow log logamount 0 ip from any to any
 00500 allow log ip from any to any
 # ipfw -a list
 00100 10 1227 allow log ip from any to any
 00200  0    0 allow log logamount 100 ip from any to any
 00300  0    0 allow log logamount 200 ip from any to any
 00400  0    0 allow log logamount 300 ip from any to any
 00500  0    0 allow log ip from any to any
 65535  4  436 deny ip from any to any
 %%%
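As an added example (not code from the reply above and not FreeBSD's own periodic script), here is a small sh check that follows the three points the reply makes: run only when net.inet.ip.fw.verbose is 1, look only at rules carrying their own "logamount", and never compare against net.inet.ip.fw.verbose_limit. The ipfw listing and the IPFW_VERBOSE variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script and not code from the reply.
# The listing below is a constructed sample of `ipfw -a list` output:
# rule number, packet counter, byte counter, then the rule body.
SAMPLE_LIST='00100 10 1227 allow log ip from any to any
00200 150 9876 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 300 4096 allow log logamount 300 ip from any to any
00500 0 0 allow log ip from any to any
65535 4 436 deny ip from any to any'

# Point 3: only run when net.inet.ip.fw.verbose is 1. The value is passed in
# so the function runs without sysctl; on a FreeBSD host you would call
# ipfw_logging_enabled "$(sysctl -n net.inet.ip.fw.verbose)".
ipfw_logging_enabled() {
    [ "$1" = "1" ]
}

# Points 1 and 2: consider only rules that carry an explicit "logamount N"
# and compare the packet counter ($2) against that N, not against
# net.inet.ip.fw.verbose_limit. Prints the number of each rule at its limit.
# Rules without logamount are skipped: their limit was fixed when they were
# added and the listing does not show it.
ipfw_rules_at_limit() {
    printf '%s\n' "$1" | awk '{
        for (i = 4; i <= NF; i++) {
            if ($i == "logamount" && $2 + 0 >= $(i + 1) + 0) {
                print $1
                break
            }
        }
    }'
}

# Stand-alone run: IPFW_VERBOSE is a constructed stand-in for the sysctl value.
if ipfw_logging_enabled "${IPFW_VERBOSE:-1}"; then
    ipfw_rules_at_limit "$SAMPLE_LIST"
fi
```

With the sample listing this reports rules 00200 and 00400, since 00100 and 00500 have no logamount and 00300 has not reached its limit.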