Date: Tue, 16 Jul 2002 12:40:59 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: ipfw@freebsd.org
Subject: Ouch! ipfw log and DoS
Message-ID: <20020716124059.A2635@iguana.icir.org>
It just occurred to me that if you have

    ipfw add accept log <match pattern>

and you log to a remote host and your syslog messages match your
pattern, then you have created a loop.
There are endless variations of the above.
Bottom line is that (I believe) log messages generated by ipfw should
be rate-limited to some not-too-large value (maybe controlled by
a sysctl variable).
Any objections if I implement that? It probably amounts to
the following lines of code at the beginning of ipfw_log():
----------------
static time_t last_log;   /* second in which log_left was last refilled */
static int log_left;      /* log messages still allowed in that second */

if (last_log != time_second) {
	last_log = time_second;
	log_left = ipfw_log_rate;   /* sysctl: max messages per second */
}
if (log_left == 0)
	return;
log_left--;
----------------
cheers
luigi
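The following is an added example, not code from Luigi's message or from the ipfw source: a user-space model of the per-second limiter he sketches, plus a small simulation of the logging loop he describes (rule logs to remote syslog, syslog datagrams match the rule). The sysctl name ipfw_log_rate and its default of 100 are assumptions, and the wall-clock second is passed in as a parameter instead of being read from the kernel's time_second so the model can be driven deterministically. Two points the simulation makes visible: with the quota in place the loop burns at most one second's worth of log lines and then dies, because a packet whose log line is dropped is still forwarded but generates no syslog traffic; and a rate of 0 silences logging entirely. A caveat for a production version: one global quota means a flood matching a single rule also starves log lines from every other rule, so a per-rule counter is the fairer design.

```c
#include <stdio.h>
#include <time.h>

/* Stand-in for the proposed sysctl (name and default assumed). */
static int ipfw_log_rate = 100;        /* max log lines per wall-clock second */
static time_t last_log = (time_t)-1;   /* second in which log_left was last refilled */
static int log_left;                   /* lines still allowed in that second */

/* Reset the limiter (e.g. between simulations) and set the per-second rate. */
void ipfw_log_reset(int rate)
{
    ipfw_log_rate = rate;
    last_log = (time_t)-1;             /* forces a refill on the first call */
    log_left = 0;
}

/* Same logic as the snippet in the message: a new second refills the quota,
 * then each call consumes one unit. Returns 1 if the log line may be written,
 * 0 if it must be dropped. */
int ipfw_log_allowed(time_t now)
{
    if (last_log != now) {
        last_log = now;
        log_left = ipfw_log_rate;
    }
    if (log_left == 0)
        return 0;
    log_left--;
    return 1;
}

/* Drive the limiter with a trace of packet timestamps; returns how many got logged. */
int count_logged(const time_t *stamps, int n)
{
    int logged = 0;
    for (int i = 0; i < n; i++)
        logged += ipfw_log_allowed(stamps[i]);
    return logged;
}

/* Constructed trace: a 1000-packet burst, 50 packets one second later,
 * then another 1000-packet burst, all matching a logging rule. */
int burst_example(void)
{
    time_t stamps[2050];
    int n = 0;
    for (int i = 0; i < 1000; i++) stamps[n++] = 1000;
    for (int i = 0; i < 50; i++)   stamps[n++] = 1001;
    for (int i = 0; i < 1000; i++) stamps[n++] = 1002;
    ipfw_log_reset(100);
    return count_logged(stamps, n);    /* 100 + 50 + 100 */
}

/* Model of the loop in the message. One external packet matches the rule;
 * every log line sent to the remote syslog host is itself a packet that
 * matches the rule and arrives within the same second. Packets whose log
 * line is dropped are still forwarded but produce no syslog datagram.
 * Returns the number of log lines emitted before the storm dies out, or -1
 * if `cap` lines were emitted (the loop is not contained). */
int simulate_loop(int rate, time_t now, int cap)
{
    int pending = 1;                   /* the externally generated trigger packet */
    int logged = 0;
    ipfw_log_reset(rate);
    while (pending > 0) {
        pending--;
        if (ipfw_log_allowed(now)) {
            logged++;
            pending++;                 /* the syslog datagram matches the rule too */
            if (logged >= cap)
                return -1;             /* would spin forever without the limiter */
        }
    }
    return logged;
}

int main(void)
{
    printf("burst trace logged: %d lines\n", burst_example());
    printf("loop, rate 100:     %d lines\n", simulate_loop(100, 5, 100000));
    printf("loop, rate 0:       %d lines\n", simulate_loop(0, 5, 100000));
    printf("loop, unlimited:    %d (-1 = runaway)\n", simulate_loop(1000000000, 5, 100000));
    return 0;
}
```

The limiter is deliberately a coarse per-second counter rather than a token bucket: it costs one comparison per call and no timers, which is what you want on the packet path. The price is burstiness at second boundaries (up to 2 * ipfw_log_rate lines can appear within a few milliseconds around a tick), which is acceptable for a safety valve whose purpose is to stop a loop from consuming the CPU and the syslog link.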
