From: Joe Greco
Subject: Re: securelevel and ipfw zero
Date: Mon, 26 Jul 1999 14:07:10 -0500 (CDT)
To: dillon@apollo.backplane.com (Matthew Dillon)
Cc: hackers@freebsd.org, freebsd-ipfw@freebsd.org
In-Reply-To: <199907261847.LAA48202@apollo.backplane.com> from Matthew Dillon at "Jul 26, 1999 11:47:20 am"
Message-Id: <199907261907.OAA08989@aurora.sol.net>

> :Hello,
> :
> :So, I've a box that I have an ipfw ruleset on. The firewall should not be
> :changeable during runtime, and the box runs at securelevel=3.
> :
> :In order to prevent DoS disk-fill attacks, I also have specified
> :IPFW_VERBOSE_LIMIT.
> :
> :Now, the problem is, in securelevel 3, you cannot zero a rule's counter,
> :so basically once you are up and running, you get to log IPFW_VERBOSE_LIMIT
> :events and then you lose logging (ideally I'd zero nonzero rules once every
> :N minutes).
> :
> :Comments?
>
>     Playing devil's advocate, someone might be using those counters for
>     accounting purposes. That's about as bad a scenario as I can think
>     of, and I can't imagine this sort of situation would be prevalent.
>
>     I'd say that the counters should be clearable at high secure level.

Then there should be a separate counter for logging purposes...?

I do not care if the accounting counters do not clear (ever), since things
like MRTG are designed to deal with that situation.

However, it seems bad that you would not be able to clear your counter for
logging purposes, just in case you actually _did_ mean that you want bad
packets to be logged.

I will also note that it would be acceptable, to me at least, to maintain a
global (rather than per-rule) limit for the verbose limit. In general, I
would think that someone who uses the limit facility is trying to avoid a
DoS style disk-space attack. Having a per-rule limit means that you actually
have an "IPFW_VERBOSE_LIMIT * number_of_rules_specifying_log" limit (assuming
an attacker exploits multiple rules) rather than a limit of
"IPFW_VERBOSE_LIMIT".

It also makes it more difficult to code in a bunch of "log" rules, since your
periodic "zero" script has to know the number of each one, and if you just do
an "ipfw zero rule1 rule2 rule3...." then you get a bunch of

    /kernel: ipfw: Entry rule1 cleared.
    /kernel: ipfw: Entry rule2 cleared.
    /kernel: ipfw: Entry rule3 cleared.

each time you do this. I would rather see something like

    /kernel: ipfw: logging limit reached, suspending.
    # /sbin/ipfw zerolog
    /kernel: ipfw: logging limit reset, resuming.

I can deal with it (in code) if there is a per-rule log counter as well, but
what you are telling me makes it sound more attractive to have a global
logging counter.

Comments?

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                       jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                    414/342-4847
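The periodic per-rule "zero" script discussed in the message above, written here as an added example (not code from the thread or from FreeBSD): it zeroes only the rules that carry the log keyword and have a non-zero packet count, which is what re-arms a per-rule IPFW_VERBOSE_LIMIT. It assumes the classic `ipfw show` listing format (rule number, packets, bytes, rule body), uses a constructed sample listing, and, as the thread points out, `ipfw zero` itself only works below securelevel 3.

```shell
#!/bin/sh
# Hypothetical cron helper: re-arm the per-rule verbose limit by zeroing
# only those ipfw rules that both log and have actually matched packets.
# Each "ipfw zero N" still produces one "/kernel: ipfw: Entry N cleared."
# line, which is the noise the thread contrasts with a single global reset.

# Constructed sample of `ipfw show` output (rule packets bytes body).
SAMPLE_LISTING='00100 0 0 allow ip from any to any via lo0
00200 17 1344 deny log ip from 10.0.0.0/8 to any in via ed0
00300 0 0 deny log ip from any to 127.0.0.0/8 in via ed0
00400 5021 640012 allow tcp from any to any established
00500 3 204 deny log ip from any to any'

# rules_to_zero LISTING -> rule numbers (one per line) whose body contains
# the "log" keyword and whose packet counter (field 2) is non-zero.
rules_to_zero() {
    printf '%s\n' "$1" | awk '
        $2 > 0 {
            # rule body starts at field 4; look for a bare "log" keyword
            for (i = 4; i <= NF; i++) if ($i == "log") { print $1; break }
        }'
}

# zero_log_rules LISTING [run] -> prints the zero commands, or runs them
# when the second argument is "run" (only meaningful on the firewall box).
zero_log_rules() {
    mode=${2:-print}
    for r in $(rules_to_zero "$1"); do
        if [ "$mode" = run ]; then
            /sbin/ipfw zero "$r"
        else
            echo "/sbin/ipfw zero $r"
        fi
    done
}

# Dry run against the constructed listing: rules 00200 and 00500 qualify;
# 00300 logs but has seen nothing, 00400 has traffic but does not log.
zero_log_rules "$SAMPLE_LISTING"
```

Feeding it live output (`zero_log_rules "$(/sbin/ipfw show)" run`) from a periodic job is the "zero nonzero rules once every N minutes" approach the original poster describes.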