Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 28 Jul 1999 17:11:36 +0200 (cest)
From:      Henk van Oers <hvoers@anp.nl>
To:        "Brian F. Feldman" <green@FreeBSD.ORG>
Cc:        Nate Williams <nate@mt.sri.com>, Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: securelevel and ipfw zero
Message-ID:  <Pine.QNX4.4.02.9907281643190.13890-100000@ns.anp.nl>
In-Reply-To: <Pine.BSF.4.10.9907280217180.71863-100000@janus.syracuse.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, 28 Jul 1999, Brian F. Feldman wrote:

> > > If it will get ALL of you to give it a rest, how about:
> > > 	per-rule logging limits
> > > 	logging limit raising
> > > 	logging limit resetting
> > > Which would all NOT affect the statistics?

Separate statistics/logging counters is fine, but i don't need
per-rule limits, a global limit is ok --> sysctl -w for raising
and ipfw zerolog (or reset) for resetting.

And then ... securelevel == 3
I think it is better NOT to permit 'sysctl -w', 'ipfw *' AND
a logging limmit, just process the logfile faster to avoid DoS

> > 
> > We need more input from people who use the code, to make sure they don't
> > depend on the current 'features', or can live with changes to them.

If you can keep the foot print small i can live with it.

> > 
> > Implementing it is the easy part, making sure it's the right thing to do
> > is the hard part.

Right!

> 
> Well, the easy part is done, except for raising limits. Look:
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: limit 2 reached on rule #1
> ipfw: Entry 1 logging count reset.
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: limit 2 reached on rule #1
> 
> I think this feature should DEFINITELY go in. I'm going to clean it up some
> (ip_fw.c itself), and then make a set of diffs for this feature.
> Nice? :)

Nice? Depends on the diffs AND the man page ;-)

Henk.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.QNX4.4.02.9907281643190.13890-100000>