Date: Fri, 1 Sep 2000 10:30:18 -0600 (MDT)
Message-Id: <200009011630.KAA03810@nomad.yogotech.com>
From: Nate Williams
To: Brian Fundakowski Feldman
Cc: James Wyatt, Will Andrews, "R.Sharma", freebsd-security@FreeBSD.ORG
Subject: Re: How to clear IPFW counters
Reply-To: nate@yogotech.com (Nate Williams)

> There are several kinds of counters. One is the "packet matching"
> counter, and another is the "bytes matching" counter. The one I added
> recently was the "virtual logging counter", which has the sole purpose
> of controlling the output of log messages for matched packets.
>
> I made the decision that it wouldn't be any kind of loss of security
> to allow this counter to be reset (it can only be used to turn back
> on logging which was disabled by having matched "logamount" number of
> times).

FWIW, I agree with this decision. The only kind of attack that could
be done with this is to constantly reset the counters such that the
logs would eventually fill up your partition where the logfiles are
stored, which would require the box to be root compromised.

However, if root is compromised, there are much easier ways to fill up
the partition, or for that matter generate syslog messages.

Nate