Date: Tue, 27 Jul 1999 14:02:19 -0500 (CDT)
From: Joe Greco <jgreco@ns.sol.net>
To: nate@mt.sri.com (Nate Williams)
Cc: ap@bnc.net, nate@mt.sri.com, dillon@apollo.backplane.com, green@FreeBSD.ORG, jgreco@ns.sol.net, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: securelevel and ipfw zero
Message-ID: <199907271902.OAA09915@aurora.sol.net>
In-Reply-To: <199907271735.LAA26067@mt.sri.com> from Nate Williams at "Jul 27, 1999 11:35:20 am"
> > > How do you figure? Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> >                                               ^^^^^^^^^^^^^
> > Then what is
> >
> > net.inet.ip.fw.verbose_limit: 0
>
> Well I'll be. You learn something new every day. :)
>
> > made for and why does it help changing it? 8-)
>
> Ahh. However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.

The _problem_ with this (and it is FINE for doing interactive work on the
system as far as I am concerned) is that in a production environment with
machines with 800-day uptimes and securelevel 3, once you pass the
VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but you
then become vulnerable to the DoS attacks we have all been arguing about.

In other words, it simply disables VERBOSE_LIMIT. Useful, as I said, if you
have a low VERBOSE_LIMIT and you are getting some attack that you want to
monitor firsthand in more detail...

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/342-4847
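A toy model of the trade-off Joe describes, added here as an example that is not from this thread or from FreeBSD's ip_fw.c: a per-rule counter gates logging against the global verbose_limit, 0 means no limit, and on a securelevel-3 box the counter cannot be zeroed. The `<` comparison, the one-line "limit reached" notice and the assumption that `ipfw zero` is refused at securelevel 3 are mine.

```python
"""Simplified model of ipfw's per-rule logging limit (added example, not ip_fw.c).
A 'deny log' rule logs packets until its counter reaches net.inet.ip.fw.verbose_limit
(0 = no limit); only resetting the counter (ipfw zero) restarts logging."""
from dataclasses import dataclass, field

@dataclass
class Rule:
    number: int
    pcnt: int = 0                               # packets matched; ipfw zero resets it
    logged: list = field(default_factory=list)  # lines this rule sent to syslog

class Firewall:
    def __init__(self, verbose_limit: int, securelevel: int = 0, rules=()):
        self.verbose_limit = verbose_limit      # net.inet.ip.fw.verbose_limit
        self.securelevel = securelevel          # kern.securelevel
        self.rules = {r.number: r for r in rules}

    def deny(self, number: int, packet: str) -> None:
        """A packet hit deny rule `number`: log it while the rule is under the limit."""
        rule, limit = self.rules[number], self.verbose_limit
        if limit == 0 or rule.pcnt < limit:
            rule.logged.append(packet)
        elif rule.pcnt == limit:                # one notice, then silence (assumed)
            rule.logged.append(f"rule {number}: logging limit {limit} reached")
        rule.pcnt += 1

    def zero(self, number: int) -> bool:
        """`ipfw zero N`; assumed to be refused once kern.securelevel is 3."""
        if self.securelevel >= 3:
            return False
        self.rules[number].pcnt = 0
        return True

def burst(fw: Firewall, number: int, n: int) -> int:
    """Deliver n constructed packets to rule `number`; return total lines logged."""
    for i in range(n):
        fw.deny(number, f"constructed-pkt-{i}")
    return len(fw.rules[number].logged)

def demo(flood: int = 10_000) -> dict:
    """Bounded limit vs. limit 0 on a long-uptime securelevel-3 box under a flood."""
    bounded = Firewall(verbose_limit=100, securelevel=3, rules=[Rule(100)])
    lines_bounded = burst(bounded, 100, flood)  # 100 packets + 1 notice, then quiet
    unlimited = Firewall(verbose_limit=0, securelevel=3, rules=[Rule(100)])
    lines_unlimited = burst(unlimited, 100, flood)  # every packet logged: the DoS
    return {"bounded": lines_bounded, "zero_allowed": bounded.zero(100),
            "unlimited": lines_unlimited}
```

With the limit in place the flood costs 101 log lines and the rule then goes quiet for the rest of the uptime; with the limit set to 0 every denied packet becomes a syslog line, which is the exposure the thread is arguing about.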