Date:      Sun, 6 Jan 2002 23:01:18 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Gaël Roualland <gael.roualland@dial.oleane.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Reporting last packet that will get logged
Message-ID:  <20020106230118.F2029@gohan.cjclark.org>
In-Reply-To: <3C38FC27.CC1E8AC9@dial.oleane.com>; from gael.roualland@dial.oleane.com on Mon, Jan 07, 2002 at 02:38:47AM +0100
References:  <3C38FC27.CC1E8AC9@dial.oleane.com>

On Mon, Jan 07, 2002 at 02:38:47AM +0100, Gaël Roualland wrote:
> Hello,
> 
> ipfw has a nice feature of logging limit to avoid flooding the logs;
> However, one needs to reset them regularly, and this outputs annoying
> logging messages while often the reset wouldn't have been needed... 
> 
> To solve this, a while back I did a simple patch to the 4.2 ipfw(8)
> command to be able to report the number of the last packet that will be
> logged on a rule which has logging enabled, before the logging limit is
> reached. This allows to resetlogs only when one rule has reached (or is
> close to reach) its limit. 
> 
> Maybe this could be a feature to add to the stock ipfw command ?

First of all, I really don't see what is so annoying about a single
log entry. A script doing some sort of analysis can easily ignore them
and obviously a human reader can easily skip them over.

Second, I think this is a rather awkward way to handle this. The
"reset" messages are logged at the "notice" level while 'log' rules
are logged at "info." This can be used to separate them.

Finally, I'm not sure I'm clear on what "the number of the last packet
that will be logged" means. I'm thinking adding a field to the 'show'
or 'list' commands when a flag is given, say '-l' for "limit," that
shows where the counter currently is would be more
straightforward. So,

  # ipfw -l list 1000
  01000 456 deny log logamount 1000 ip from any to any

We've logged 456 packets since the last reset. We can quickly figure
out there are 544 more to be logged before we hit the limit.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
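
Added example, not part of the original message and not ipfw code: a sketch of how a periodic job could consume the listing format proposed above (rule number, packets logged since the last reset, then the rule with its logamount) and report only the rules that are close to their limit. The format is the proposal from the e-mail rather than the output of a stock ipfw(8); the function names, the threshold argument and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input format assumed (the proposal from the message, not stock ipfw output):
#   <rule> <logged-since-reset> <action> log logamount <limit> <rest of rule>

# rules_near_limit THRESHOLD
# Reads a listing on stdin and prints "<rule> <remaining>" for every log
# rule whose remaining log budget is at or below THRESHOLD.
rules_near_limit() {
    awk -v thresh="$1" '
    {
        limit = ""
        # locate the "logamount N" pair anywhere after the counter field
        for (i = 3; i < NF; i++)
            if ($i == "logamount") { limit = $(i + 1); break }
        # skip lines that are not log rules in the assumed format
        if (limit !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/)
            next
        # a logamount of 0 means no logging limit, so nothing to reset
        if (limit + 0 == 0)
            next
        remaining = limit - $2
        if (remaining < 0)
            remaining = 0
        if (remaining <= thresh + 0)
            printf "%s %d\n", $1, remaining
    }'
}

# Constructed sample listing; the first line is the one from the message.
sample_listing() {
    cat <<'EOF'
01000 456 deny log logamount 1000 ip from any to any
02000 98 deny log logamount 100 tcp from any to any 23
03000 12 allow ip from any to any
04000 500 deny log logamount 0 icmp from any to any
EOF
}

# Rules with 10 or fewer log entries left before the limit is hit.
sample_listing | rules_near_limit 10
```

The rule numbers printed are the ones a scheduled job would pass to `ipfw resetlog`, so the "notice"-level reset entry appears only when a rule is actually about to stop logging.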
