Date: Sat, 19 Jun 1999 10:26:03 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: synk@swcp.com (Brendan Conoboy)
Cc: jwyatt@RWSystems.net, freebsd-security@FreeBSD.ORg
Subject: Re: ipf howto, tada
Message-ID: <199906190026.KAA26533@cheops.anu.edu.au>
In-Reply-To: <199906181828.MAA04041@kitsune.swcp.com> from "Brendan Conoboy" at Jun 18, 99 12:28:02 pm
In some mail from Brendan Conoboy, sie said:
> > > FWIW, you might like to mention the "log-or-block" option where it will
> > > block a packet to be pass'd and logged if it cannot log it due to the
> > > log buffer being too full.
> > >
> > > i.e.
> > > pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
> > >
> > > Here we say only log the first packet for this connection as recorded by
> > > "keep state", but if it can't be logged, then block it.
> >
> > Neat trick! Could this easily be used for DOS? I like this idea, but want
> > to understand it. If you filled the syslogs with dummy attempts, would it
> > block access, preventing you from cycling syslog files?
>
> I suspect the idea is to thwart the attack method where the attacker
> first fills the log drive, then proceeds with the attack, knowing their
> actions won't be logged. That's what I'm putting in the howto, anyway :-)

Exactly.

Actually, the real `problem' is that IP Filter runs at the network level and
can generate log entries *very fast*, faster than ipmon can read and handle
them.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
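The trade-off the thread discusses (a rule that fails closed when the log buffer is full, versus one that passes traffic unlogged) can be made concrete with a small simulation. The following is an added illustration, not code from IP Filter, ipmon or anyone in the thread: it models a bounded kernel log buffer drained by a reader slower than the packet rate, and runs the same "new connection" stream through a `log first` rule with and without `or-block`. The buffer capacity, drain rate and traffic shape are constructed values chosen to make the effect visible, and the `keep state` behaviour is reduced to "first packet of a connection is evaluated and logged, later packets match state".

```python
"""Simulation of `pass ... log first [or-block] ... keep state` under log pressure.

Added example, not IP Filter code. Assumptions (not taken from ipf):
  - the kernel log buffer holds a fixed number of entries (`capacity`)
  - the reader (standing in for ipmon) removes `drain_per_tick` entries per tick
  - only the first packet of each connection is logged (`log first` + `keep state`)
"""
from collections import deque


class LogBuffer:
    """Fixed-size queue standing in for the kernel log buffer that ipmon drains."""

    def __init__(self, capacity):
        self.capacity = capacity  # assumed value for the simulation
        self.entries = deque()

    def try_log(self, entry):
        """Queue an entry; return False (entry lost) when the buffer is full."""
        if len(self.entries) >= self.capacity:
            return False
        self.entries.append(entry)
        return True

    def drain(self, n):
        """The reader takes up to n entries per tick."""
        taken = []
        while self.entries and len(taken) < n:
            taken.append(self.entries.popleft())
        return taken


def filter_stream(packets, capacity, drain_per_tick, or_block):
    """Run a stream of (tick, conn_id) packets through the rule.

    With or_block=False the packet passes even when its log entry is lost
    (fail open); with or_block=True it is blocked instead (fail closed).
    Returns counts plus the set of connection ids that actually got logged.
    """
    buf = LogBuffer(capacity)
    state = set()     # connections admitted by `keep state`
    logged = set()    # connections whose first packet reached the log
    passed = blocked = unlogged = 0
    current_tick = None
    for tick, conn in packets:
        if tick != current_tick:
            buf.drain(drain_per_tick)   # reader runs once per tick
            current_tick = tick
        if conn in state:
            passed += 1                 # state match: no rule lookup, no log
            continue
        if buf.try_log("t=%d conn=%d SYN" % (tick, conn)):
            logged.add(conn)
            state.add(conn)
            passed += 1
        elif or_block:
            blocked += 1                # cannot log -> block, no state created
        else:
            state.add(conn)
            passed += 1
            unlogged += 1               # passed with no record of it
    return {"passed": passed, "blocked": blocked,
            "unlogged": unlogged, "logged": logged}


def burst_stream(ticks, new_conns_per_tick):
    """Constructed traffic: every tick opens new_conns_per_tick new connections."""
    pkts = []
    conn = 0
    for t in range(ticks):
        for _ in range(new_conns_per_tick):
            pkts.append((t, conn))
            conn += 1
    return pkts


if __name__ == "__main__":
    stream = burst_stream(ticks=3, new_conns_per_tick=5)
    for mode in (False, True):
        r = filter_stream(stream, capacity=4, drain_per_tick=2, or_block=mode)
        print("or-block=%s passed=%d blocked=%d unlogged=%d logged=%d"
              % (mode, r["passed"], r["blocked"], r["unlogged"], len(r["logged"])))
```

With the constructed parameters the reader falls behind after the first tick; the plain `log first` rule keeps admitting connections that never appear in the log, while the `or-block` variant guarantees that every passed connection was logged, at the cost of refusing the connections it could not log, which is exactly the denial-of-service question raised in the thread.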