Date: 12 Sep 1999 19:16:39 +0200
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Will Andrews <andrews@TECHNOLOGIST.COM>
Cc: (Anil Jangity) <aj@entic.net>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw question
Message-ID: <xzpemg4124o.fsf@flood.ping.uio.no>
In-Reply-To: Will Andrews's message of "Sun, 12 Sep 1999 10:10:25 -0400 (EDT)"
References: <XFMail.990912101025.andrews@TECHNOLOGIST.COM>

Will Andrews <andrews@TECHNOLOGIST.COM> writes:
> [...] The drawback to these features is that the limit doesn't
> behave the way I think it should (although as a result, I don't use
> VERBOSITY_LIMIT) - instead of just counting repeating packets, it kills the
> rule the packets are matched against after the rule reaches the limit specified.

It would be more accurate (and less misleading) to say "silence"
instead of "kill". It does not remove nor disable the rule, it just
stops logging packets that match that particular rule until you reset
the counters.

In 4.0, you can reset the log counters independently of the match
counters ('ipfw resetlog' instead of 'ipfw zero'), which allows you to
restart logging even when running at high securelevels (all ipfw
commands except resetlog are disabled at securelevel >= 3).

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
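
An added example, not part of the original message: a small sh/awk check that reads `ipfw -a list` output and lists the logging rules whose match counter has reached the log limit, which are the rules that may be silenced as described above. The function names, the sample rule listing and the limit of 100 are constructed for illustration; because 4.0 lets the log counters be reset separately with `ipfw resetlog`, a flagged rule is a candidate to check, not proof that logging has stopped.

```shell
#!/bin/sh
# Added example (not from the original message).
# Lists ipfw rules that carry the "log" keyword and whose packet counter has
# reached the log limit: such rules still match traffic but may no longer log it.

# Constructed sample in the layout printed by `ipfw -a list`:
# rule number, packet count, byte count, rule body.
sample_rules() {
cat <<'EOF'
00100     512     40960 allow ip from any to any via lo0
01000     100      6000 deny log tcp from any to any 23
01100      37      2220 deny log tcp from any to any 111
01200    4821    289260 deny log udp from any to any 137
65535   90211  70112233 deny ip from any to any
EOF
}

# silenced_rules LIMIT
# Reads `ipfw -a list` output on stdin and prints "<rule> <packets>" for every
# logging rule whose packet count is >= LIMIT.
# Assumptions: LIMIT is the log limit configured on the host and is supplied by
# the operator; a LIMIT of 0 or less is treated as "no limit", so nothing is flagged.
silenced_rules() {
    awk -v limit="$1" '
        limit + 0 > 0 && NF >= 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            has_log = 0
            # The rule body starts at field 4; look for the log keyword in it.
            for (i = 4; i <= NF; i++) if ($i == "log") has_log = 1
            if (has_log && $2 + 0 >= limit + 0) print $1, $2
        }'
}

# On a live host:  ipfw -a list | silenced_rules 100
# Per the message above, `ipfw resetlog` restarts logging (4.0 and later) and is
# still permitted at securelevel >= 3, while `ipfw zero` also clears the match counters.
```
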