Date: Sun, 6 Jan 2002 23:01:18 -0800
From: "Crist J. Clark"
To: Gaël Roualland
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Reporting last packet that will get logged

On Mon, Jan 07, 2002 at 02:38:47AM +0100, Gaël Roualland wrote:
> Hello,
>
> ipfw has a nice feature of logging limit to avoid flooding the logs;
> However, one needs to reset them regularly, and this outputs annoying
> logging messages while often the reset wouldn't have been needed...
>
> To solve this, a while back I did a simple patch to the 4.2 ipfw(8)
> command to be able to report the number of the last packet that will be
> logged on a rule which has logging enabled, before the logging limit is
> reached. This allows to resetlogs only when one rule has reached (or is
> close to reach) its limit.
>
> Maybe this could be a feature to add to the stock ipfw command ?

First of all, I really don't see what is so annoying about a single
log entry. A script doing some sort of analysis can easily ignore them
and obviously a human reader can easily skip them over.

Second, I think this is a rather awkward way to handle this. The
"reset" messages are logged at the "notice" level while 'log' rules
are logged at "info." This can be used to separate them.

Finally, I'm not sure I'm clear on what "the number of the last packet
that will be logged" means. I'm thinking adding a field to the 'show'
or 'list' commands when a flag is given, say '-l' for "limit," that
shows where the counter currently is would be more straightforward. So,

  # ipfw -l list 1000
  01000 456 deny log logamount 1000 ip from any to any

We've logged 456 packets since the last reset. We can quickly figure
out there are 544 more to be logged before we hit the limit.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
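
The use case in this thread (reset log counters only for rules that are at or near their limit) could be scripted against the listing format proposed in the reply above. This is an added example, not part of the original message or of ipfw: the `-l` flag and its counter column are only the proposal from this thread, and the function names, sample listing and 90% threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of the PROPOSED `ipfw -l list` output (not a stock
# ipfw option): rule number, packets logged since last reset, rule body.
SAMPLE='00500 12 allow log logamount 100 tcp from any to any 22
01000 456 deny log logamount 1000 ip from any to any
02000 98 deny log logamount 100 udp from any to any 53
03000 100 deny log logamount 100 icmp from any to any'

# rules_near_limit PCT: read a listing on stdin and print
# "rule logged limit" for each rule whose logged count has reached
# PCT percent of its logamount.
rules_near_limit() {
    awk -v pct="$1" '
    {
        limit = ""
        for (i = 3; i < NF; i++)
            if ($i == "logamount") { limit = $(i + 1); break }
        # Skip rules with no explicit positive limit or a garbled counter.
        if (limit !~ /^[0-9]+$/ || limit + 0 == 0) next
        if ($2 !~ /^[0-9]+$/) next
        if ($2 * 100 >= limit * pct)
            printf "%s %d %d\n", $1, $2, limit
    }'
}

# remaining RULE: packets that can still be logged before RULE hits its
# limit (0 once the limit has been reached).
remaining() {
    awk -v rule="$1" '
    $1 == rule {
        for (i = 3; i < NF; i++)
            if ($i == "logamount") {
                r = $(i + 1) - $2
                print (r < 0 ? 0 : r)
                exit
            }
    }'
}

# Print (rather than run) a resetlog command for each rule at >= 90%.
printf '%s\n' "$SAMPLE" | rules_near_limit 90 |
while read -r rule logged limit; do
    echo "ipfw resetlog $rule    # $logged of $limit logged"
done
```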