Date:      Tue, 27 Jul 1999 11:12:25 -0600
From:      Nate Williams <nate@mt.sri.com>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        "Brian F. Feldman" <green@FreeBSD.ORG>, Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907271712.LAA25861@mt.sri.com>
In-Reply-To: <199907270307.UAA49737@apollo.backplane.com>
References:  <Pine.BSF.4.10.9907262255510.35843-100000@janus.syracuse.net> <199907270307.UAA49737@apollo.backplane.com>

> :Instead of zeroing it, how about raising the logging limit to (current +
> :whatever the limit was)
> :
> : Brian Fundakowski Feldman
> : green@FreeBSD.org
> 
>     The way I see it either some piece of software is monitoring the counters,
>     in which case the sysad does not need to clear them and does not need to
>     look at log messages, or the sysad is monitoring the stuff manually and
>     using the log messages.  In the one case the counters don't need to be
>     cleared (and, indeed, should not be), in the other case the sysad may 
>     want to clear them due to the manual monitoring.

How do you figure?  Currently, the kernel will quit 'logging' denied
packets when the counter reaches a specific (compiled-in) number.  Once
that number is hit, you get 'hits', but no details as to what the
signature of the hits are.  The current 'signature' includes all of the
IP information and such, which is invaluable (necessary?) for determining
who's doing bad things (or not).

This is in the kernel, and currently there is no way of modifying the
counters in high securelevels.  It doesn't matter if it's a human or a
computer monitoring them, once the limit is reached a lot of useful
information is lost since the kernel no longer produces this
information.

# ipfw add 110 deny log tcp from any to any 110 via ed0 in

Once the compiled in limit is reached, the kernel only says that we've
got a hit, but it doesn't tell me who/when this happened.


Nate
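To make the trade-off in this thread concrete, here is a small model of a `deny log` rule with a per-rule verbose limit, contrasting `ipfw zero` (which discards the count) with Brian's proposal of raising the limit to `current + original limit`. This is an added example, not code from the thread or from FreeBSD's ipfw; the rule number 110, the interface ed0, the addresses and the limit of 3 are constructed sample values, and the log line format is only loosely modelled on ipfw's kernel messages.

```python
"""Model of an ipfw 'deny log' rule whose detailed logging stops at a limit."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LogRule:
    """Constructed stand-in for one ipfw rule with a packet counter and a verbose limit."""
    number: int
    base_limit: int                 # stand-in for the compiled-in verbose limit
    count: int = 0
    limit: int = 0                  # effective ceiling; starts at base_limit
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.limit = self.base_limit

    def match(self, src: str, dst: str, iface: str = "ed0") -> Optional[str]:
        """Count a denied packet. Returns the detailed log line while the count
        is within the limit, a single 'limit reached' notice just past it, and
        None afterwards: the point where who/when information is lost."""
        self.count += 1
        if self.count <= self.limit:
            line = f"ipfw: {self.number} Deny TCP {src} {dst} in via {iface}"
        elif self.count == self.limit + 1:
            line = f"ipfw: limit {self.limit} reached on entry {self.number}"
        else:
            return None
        self.log.append(line)
        return line

    def zero(self) -> None:
        """'ipfw zero': detailed logging resumes, but the hit count is thrown away."""
        self.count = 0

    def raise_limit(self) -> None:
        """Brian's alternative: keep the count and move the ceiling to
        current count + original limit, so detailed logging resumes."""
        self.limit = self.count + self.base_limit


def detailed_lines(rule: LogRule) -> int:
    """Number of log lines that still carry the packet 'signature'."""
    return sum(1 for line in rule.log if "Deny TCP" in line)


if __name__ == "__main__":
    rule = LogRule(number=110, base_limit=3)
    for port in range(4000, 4006):           # six denied packets, constructed
        print(rule.match(f"10.0.0.1:{port}", "10.0.0.2:110"))
    rule.raise_limit()                       # count kept, logging resumes
    print(rule.match("10.0.0.1:4006", "10.0.0.2:110"), rule.count)
```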
