Date: Sun, 3 Aug 2008 16:40:07 GMT
From: "Antoine Brodin" <antoine@FreeBSD.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Message-ID: <200808031640.m73Ge7Q0049942@freefall.freebsd.org>
The following reply was made to PR conf/126060; it has been noted by GNATS.

From: "Antoine Brodin" <antoine@FreeBSD.org>
To: bug-followup@freebsd.org, rfg@tristatelogic.com
Cc:
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Date: Sun, 3 Aug 2008 18:32:07 +0200

I think that this periodic script has a few problems:
- it should not check rules without "logamount"
- it should not use sysctl net.inet.ip.fw.verbose_limit
- it should not run if sysctl net.inet.ip.fw.verbose is not 1

The logging limit for a rule that doesn't have "logamount" is set to the value of net.inet.ip.fw.verbose_limit at the time the rule is set, and when this rule is shown later it has a logamount:

%%%
# ipfw -a list
65535 0 0 deny ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=0
net.inet.ip.fw.verbose_limit: 500 -> 0
# ipfw add 100 allow log ip from any to any
00100 allow log ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.verbose_limit: 0 -> 100
# ipfw add 200 allow log ip from any to any
00200 allow log logamount 100 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=200
net.inet.ip.fw.verbose_limit: 100 -> 200
# ipfw add 300 allow log ip from any to any
00300 allow log logamount 200 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=300
net.inet.ip.fw.verbose_limit: 200 -> 300
# ipfw add 400 allow log ip from any to any
00400 allow log logamount 300 ip from any to any
# ipfw add 500 allow log logamount 0 ip from any to any
00500 allow log ip from any to any
# ipfw -a list
00100 10 1227 allow log ip from any to any
00200 0 0 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 0 0 allow log logamount 300 ip from any to any
00500 0 0 allow log ip from any to any
65535 4 436 deny ip from any to any
%%%
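The three points in the reply above translate into a check that reads each rule's own "logamount" from `ipfw -a list` instead of the global verbose_limit sysctl, skips logging rules that carry no logamount, and does nothing unless net.inet.ip.fw.verbose is 1. The script below is an added example written for this page; it is not the FreeBSD periodic script nor the patch attached to the PR. The `ipfw -a list` output is constructed for the example (rule 00300's packet counter has been raised to 250 so that one rule trips the check), and the sysctl value is passed in as an argument so the logic can be exercised without root or a running ipfw.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output: rule, packets, bytes, body.
# Not captured from a real system; rule 00300 has been given 250 packets
# so that it exceeds its logamount of 200.
SAMPLE_RULES='00100 10 1227 allow log ip from any to any
00200 0 0 allow log logamount 100 ip from any to any
00300 250 31000 allow log logamount 200 ip from any to any
00400 0 0 allow log logamount 300 ip from any to any
00500 0 0 allow log ip from any to any
65535 4 436 deny ip from any to any'

# Print the numbers of logging rules whose packet counter has reached
# their own logamount.  Rules that log without a logamount (they were
# added while verbose_limit was 0, so they are unlimited) are skipped,
# and net.inet.ip.fw.verbose_limit is never consulted: the limit that
# applies to a rule is the one stored in the rule itself.
rules_over_limit() {
    printf '%s\n' "$1" | awk '
        /[[:space:]]log[[:space:]]/ && /logamount/ {
            limit = 0
            for (i = 4; i <= NF; i++)
                if ($i == "logamount") limit = $(i + 1)
            if (limit + 0 > 0 && $2 + 0 >= limit + 0)
                print $1
        }'
}

# $1: value of net.inet.ip.fw.verbose, $2: `ipfw -a list` output.
# When verbose logging is off, no rule logs at all, so the check is
# meaningless and the function reports nothing.
check_ipfw_limits() {
    verbose="$1"
    rules="$2"
    [ "$verbose" = "1" ] || return 0
    rules_over_limit "$rules"
}

# Stand-alone run against the constructed sample with logging enabled.
check_ipfw_limits 1 "$SAMPLE_RULES"
```

On a real host the two arguments would come from `sysctl -n net.inet.ip.fw.verbose` and `ipfw -a list`; the awk matches the `log` keyword with surrounding whitespace so that `logamount` itself, or a word such as `logamount` inside another token, cannot be mistaken for the keyword. With the sample above only rule 00300 is reported: 00100 and 00500 log without a limit and are ignored, and 00200 and 00400 are below theirs.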
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808031640.m73Ge7Q0049942>