Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Jul 1999 14:07:10 -0500 (CDT)
From:      Joe Greco <jgreco@ns.sol.net>
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        hackers@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907261907.OAA08989@aurora.sol.net>
In-Reply-To: <199907261847.LAA48202@apollo.backplane.com> from Matthew Dillon at "Jul 26, 1999 11:47:20 am"

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> :Hello,
> :
> :So, I've a box that I have an ipfw ruleset on.  The firewall should not be
> :changeable during runtime, and the box runs at securelevel=3.
> :
> :In order to prevent DoS disk-fill attacks, I also have specified
> :IPFW_VERBOSE_LIMIT.
> :
> :Now, the problem is, in securelevel 3, you cannot zero a rule's counter,
> :so basically once you are up and running, you get to log IPFW_VERBOSE_LIMIT
> :events and then you lose logging (ideally I'd zero nonzero rules once every
> :N minutes).
> :
> :Comments?
> 
>     Playing devil's advocate, someone might be using those counters for
>     accounting purposes.  That's about as worse a scenario as I can think
>     of, and I can't imagine this sort of situation would be prevalient.
> 
>     I'd say that the counters should be clearable at high secure level.

Then there should be a separate counter for logging purposes...?  I do not
care if the accounting counters do not clear (ever), since things like MRTG
are designed to deal with that situation.  However, it seems bad that you
would not be able to clear your counter for logging purposes, just in case
you actually _did_ mean that you want bad packets to be logged.

I will also note that it would be acceptable, to me at least, to maintain a
global (rather than per-rule) limit for the verbose limit.  In general, I
would think that someone who uses the limit facility is trying to avoid a
DoS style disk-space attack.  Having a per-rule limit means that you
actually have a "IPFW_VERBOSE_LIMIT * number_of_rules_specifying_log" limit
(assuming an attacker exploits multiple rules) rather than a limit of 
"IPFW_VERBOSE_LIMIT".  It also makes it more difficult to code in a bunch
of "log" rules, since your periodic "zero" script has to know the number of
each one, and if you just do an "ipfw zero rule1 rule2 rule3...." then you
get a bunch of

/kernel: ipfw: Entry rule1 cleared.
/kernel: ipfw: Entry rule2 cleared.
/kernel: ipfw: Entry rule3 cleared.

each time you do this.

I would rather see something like

/kernel: ipfw: logging limit reached, suspending.
# /sbin/ipfw zerolog
/kernel: ipfw: logging limit reset, resuming.

I can deal with it (in code) if there is a per-rule log counter as well,
but what you are telling me makes it sound more attractive to have a global
logging counter.

Comments?

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?199907261907.OAA08989>