From owner-freebsd-security Fri Jun 18 17:26: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24]) by hub.freebsd.org (Postfix) with ESMTP id E9BE715129 for ; Fri, 18 Jun 1999 17:26:02 -0700 (PDT) (envelope-from avalon@cheops.anu.edu.au)
Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id KAA26533; Sat, 19 Jun 1999 10:26:03 +1000 (EST)
From: Darren Reed
Message-Id: <199906190026.KAA26533@cheops.anu.edu.au>
Subject: Re: ipf howto, tada
To: synk@swcp.com (Brendan Conoboy)
Date: Sat, 19 Jun 1999 10:26:03 +1000 (EST)
Cc: jwyatt@RWSystems.net, freebsd-security@FreeBSD.ORg
In-Reply-To: <199906181828.MAA04041@kitsune.swcp.com> from "Brendan Conoboy" at Jun 18, 99 12:28:02 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Brendan Conoboy, sie said:
>
> > > FWIW, you might like to mention the "log-or-block" option where it will
> > > block a packet to be pass'd and logged if it cannot log it due to the
> > > log buffer being too full.
> > >
> > > i.e.
> > > pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state
> > >
> > > Here we say only log the first packet for this connection as recorded by
> > > "keep state", but if it can't be logged, then block it.
> >
> > Neat trick! Could this easily be used for DOS? I like this idea, but want
> > to understand it. If you filled the syslogs with dummy attempts, would it
> > block access, preventing you from cycling syslog files?
>
> I suspect the idea is to thwart the attack method where the attacker
> first fills the log drive, then proceeds with the attack, knowing their
> actions won't be logged. That's what I'm putting in the howto, anyway :-)

Exactly.

Actually, the real `problem' is that IP Filter runs at the network level and
can generate log entries *very fast*, faster than ipmon can read and handle
them.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
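The rule discussed in this thread (`pass in log first or-block ... flags S/SA keep state`) is easier to reason about with a small model of the three pieces involved: a bounded in-kernel log buffer that ipmon drains, a state table, and the verdict a new SYN receives when the buffer is full. The following Python is an added illustration written for this page, not IP Filter or ipmon source; the buffer capacity, the addresses, the flood size and the class names are all constructed. It runs the same scenario twice, once with plain `log first` and once with `or-block`, so the fail-open versus fail-closed difference and the trade-off raised in the thread (a full buffer blocks legitimate new connections until ipmon catches up, while already established flows keep passing) are both visible.

```python
"""Toy model of IP Filter's `log first or-block ... keep state` decision.

Added illustration, not IP Filter or ipmon code. The rule from the thread is
modelled as a bounded log buffer (drained by an ipmon-like reader), a state
table and a verdict function. All values below are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn_only: bool  # True when `flags S/SA` matches: SYN set, ACK clear


class LogBuffer:
    """Fixed-size log buffer; when full, new entries are dropped (counted)."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.entries: deque = deque()
        self.dropped = 0

    def append(self, entry: str) -> bool:
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries.append(entry)
        return True

    def drain(self, n: int) -> list:
        """Stand-in for ipmon reading entries out of the kernel buffer."""
        return [self.entries.popleft() for _ in range(min(n, len(self.entries)))]


class Filter:
    """Models: pass in log first [or-block] proto tcp ... port = 80 flags S/SA keep state"""

    def __init__(self, logbuf: LogBuffer, or_block: bool) -> None:
        self.logbuf = logbuf
        self.or_block = or_block
        self.state: set = set()  # flows already admitted by `keep state`

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.state:
            # keep state: later packets of an admitted flow pass; `log first`
            # means none of them produce a further log entry
            return "pass"
        if pkt.dport != 80 or not pkt.syn_only:
            return "block"  # nothing else matches; assume a default block
        logged = self.logbuf.append(f"pass {pkt.src} -> {pkt.dst}:{pkt.dport}")
        if not logged and self.or_block:
            return "block"  # or-block: fail closed instead of passing unlogged
        self.state.add(key)
        return "pass"


def run_scenario(or_block: bool, capacity: int = 4, flood: int = 10) -> dict:
    """Fill the log buffer with new flows, then see what a later SYN gets."""
    buf = LogBuffer(capacity)
    fw = Filter(buf, or_block)
    # constructed flood: many fresh SYNs, each a new flow wanting a log entry
    for i in range(flood):
        fw.process(Packet(f"10.0.0.{i}", "192.0.2.1", 80, True))
    # a flow admitted before the buffer filled keeps passing on its state entry
    established = fw.process(Packet("10.0.0.0", "192.0.2.1", 80, False))
    probe = Packet("203.0.113.7", "192.0.2.1", 80, True)
    verdict_full = fw.process(probe)
    logged_full = any(probe.src in e for e in buf.entries)
    # ipmon catches up and frees space; the same SYN is retried
    buf.drain(capacity)
    verdict_after = fw.process(probe)
    logged_after = any(probe.src in e for e in buf.entries)
    return {
        "established_while_full": established,
        "verdict_while_full": verdict_full,
        "logged_while_full": logged_full,
        "verdict_after_drain": verdict_after,
        "logged_after_drain": logged_after,
        "log_entries_dropped": buf.dropped,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("or-block" if mode else "plain log", run_scenario(mode))
```

With plain `log first`, the probe connection is passed while the buffer is full and, because its state entry now exists, it never gets logged even after ipmon drains the buffer. With `or-block`, the same SYN is blocked while the buffer is full and is passed and logged on the retry once space is available, which is exactly the fail-closed behaviour the thread describes, at the cost of refusing new connections during the backlog.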