Date:      Tue, 27 Jul 1999 06:51:58 -0500 (CDT)
From:      Mike Pritchard <mpp@mpp.pro-ns.net>
To:        dillon@apollo.backplane.com (Matthew Dillon)
Cc:        green@FreeBSD.org (Brian F. Feldman), jgreco@ns.sol.net (Joe Greco), hackers@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907271151.GAA02583@mpp.pro-ns.net>
In-Reply-To: <199907270348.UAA49943@apollo.backplane.com> from Matthew Dillon at "Jul 26, 1999 08:48:28 pm"

> :>     There may be some confusion here.  I am advocating that we *allow* the
> :>     zeroing of counters at secure level 3.
> :
> :Which is what I am advocating against.
> 
>     Let me put it a different way:
> 
>     ipfw allows you to clear counters.  It is a feature that already exists.
> 
>     However, it does not allow you to do it if you are sitting at secure
>     level 3.
> 
>     Why not?  I can't think of any good reason why clearing the counters 
>     should be disallowed when sitting at a higher secure level.  The counters
>     are nothing more than statistics.  Clearing statistics is not a security
>     threat.

But it might be hiding a real security threat/attack or a real break-in.
Say I've spent all night trying to hack into your machine and finally get in.  
If I can reset all of ipfw's counters back to zero, and this is 
something your security checking scripts are checking, you might not 
think that anyone has even been trying to break into your machine, much
less made it into the machine.  If I have some inside information, 
I could probably even get the counters back into the range where you
might expect them to be at.

Hopefully if this were to happen, you might see some other console/syslog
messages or something else that catches your eye, but then again,
maybe not.

Just to help out people running at higher security levels, you could
always implement something that lets you reset the values to some
higher value that is easy to do computations from.  E.g. 

ipfw --increment_counters=20000

Which would bump all of the counters up to the value of "20000", assuming
they are all still less than that value.  That way if you are trying
to do some testing/debugging/counting after setting the counters, at 
least you have a nice round number to subtract from the current values.
-- 
Mike Pritchard
mpp@FreeBSD.ORG or mpp@mpp.pro-ns.net
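
An added example, not part of the original message or of ipfw: one way a monitoring script could notice the counter reset discussed above, by comparing two saved snapshots and flagging any rule whose counters went backwards. It assumes the `ipfw -a list` column layout (rule number, packets, bytes, rule body); the sample snapshots and function names are constructed for illustration.

```python
"""Flag ipfw rule counters that moved backwards between two snapshots."""

# Constructed sample snapshots in `ipfw -a list` layout (an assumption):
# rule number, packet count, byte count, rule body.
PREVIOUS = """\
00100   5120   410233 allow ip from any to any via lo0
00200  88214  9034411 deny tcp from any to any 23 in
00300    412    51200 deny log ip from any to any
"""
CURRENT = """\
00100   5544   448120 allow ip from any to any via lo0
00200      3      180 deny tcp from any to any 23 in
65535      0        0 deny ip from any to any
"""


def parse_counters(text):
    """Return {(rule_number, rule_body): (packets, bytes)}."""
    counters = {}
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4 or not all(f.isdigit() for f in fields[:3]):
            continue  # skip blank lines and anything that is not a counter row
        number, packets, nbytes, body = fields
        counters[(number, body.strip())] = (int(packets), int(nbytes))
    return counters


def find_anomalies(previous, current):
    """Compare two parsed snapshots; return sorted (rule, reason) findings."""
    findings = []
    for key, (old_pkts, old_bytes) in previous.items():
        if key not in current:
            findings.append((key[0], "rule missing from current snapshot"))
            continue
        new_pkts, new_bytes = current[key]
        if new_pkts < old_pkts or new_bytes < old_bytes:
            findings.append((key[0], f"counter went backwards: "
                             f"{old_pkts}->{new_pkts} packets"))
    for key in current.keys() - previous.keys():
        findings.append((key[0], "rule not present in previous snapshot"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, reason in find_anomalies(parse_counters(PREVIOUS),
                                       parse_counters(CURRENT)):
        print(f"rule {rule}: {reason}")
```

A reboot or ruleset reload also resets counters, so a finding needs correlating with uptime and change records. Counters padded back above the previous sample, the case the message raises, pass this check.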

