From owner-freebsd-bugs@FreeBSD.ORG Sun Aug 3 16:40:08 2008
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1AE2C106564A for ; Sun, 3 Aug 2008 16:40:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F2E138FC15 for ; Sun, 3 Aug 2008 16:40:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m73Ge7fu049945 for ; Sun, 3 Aug 2008 16:40:07 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m73Ge7Q0049942; Sun, 3 Aug 2008 16:40:07 GMT (envelope-from gnats)
Date: Sun, 3 Aug 2008 16:40:07 GMT
Message-Id: <200808031640.m73Ge7Q0049942@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Antoine Brodin"
Cc:
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Antoine Brodin
List-Id: Bug reports
X-List-Received-Date: Sun, 03 Aug 2008 16:40:08 -0000

The following reply was made to PR conf/126060; it has been noted by GNATS.
From: "Antoine Brodin"
To: bug-followup@freebsd.org, rfg@tristatelogic.com
Cc:
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Date: Sun, 3 Aug 2008 18:32:07 +0200

I think that this periodic script has a few problems:
- it should not check rules without "logamount"
- it should not use sysctl net.inet.ip.fw.verbose_limit
- it should not run if sysctl net.inet.ip.fw.verbose is not 1

The logging limit for a rule that doesn't have "logamount" is set to the value of net.inet.ip.fw.verbose_limit at the time the rule is set, and when this rule is shown later it has a logamount:

%%%
# ipfw -a list
65535 0 0 deny ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=0
net.inet.ip.fw.verbose_limit: 500 -> 0
# ipfw add 100 allow log ip from any to any
00100 allow log ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.verbose_limit: 0 -> 100
# ipfw add 200 allow log ip from any to any
00200 allow log logamount 100 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=200
net.inet.ip.fw.verbose_limit: 100 -> 200
# ipfw add 300 allow log ip from any to any
00300 allow log logamount 200 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=300
net.inet.ip.fw.verbose_limit: 200 -> 300
# ipfw add 400 allow log ip from any to any
00400 allow log logamount 300 ip from any to any
# ipfw add 500 allow log logamount 0 ip from any to any
00500 allow log ip from any to any
# ipfw -a list
00100 10 1227 allow log ip from any to any
00200 0 0 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 0 0 allow log logamount 300 ip from any to any
00500 0 0 allow log ip from any to any
65535 4 436 deny ip from any to any
%%%
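A check along the lines Antoine describes, as an added example that is not part of the PR, of the submitted patch, or of FreeBSD's own periodic script: it reads "ipfw -a list" output (packet counter in the second column, as in the listing above), ignores rules that carry no explicit logamount (including "logamount 0", which ipfw displays as no limit), compares each rule's counter against that rule's own logamount instead of the global net.inet.ip.fw.verbose_limit, and does nothing at all unless net.inet.ip.fw.verbose is 1. The function names and the sample listing (packet counts invented so that two rules have hit their limit) are my own construction.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output. Rule numbers and limits follow
# the listing in the PR; the packet and byte counters are invented so that
# rules 200 and 400 have reached their per-rule logamount.
SAMPLE_LISTING='00100 10 1227 allow log ip from any to any
00200 150 9876 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 300 21000 allow log logamount 300 ip from any to any
00500 7 500 allow log ip from any to any
65535 4 436 deny ip from any to any'

# ipfw_limit_reached: read an `ipfw -a list` listing on stdin and print
# "<rule> <pkts> <logamount>" for each rule that has an explicit, non-zero
# logamount and whose packet counter ($2) has reached it. Rules without
# logamount are skipped: their limit was frozen from verbose_limit when the
# rule was added, so the current sysctl value says nothing about them.
ipfw_limit_reached() {
    awk '
        {
            for (i = 4; i < NF; i++) {
                if ($i == "logamount") {
                    limit = $(i + 1) + 0
                    if (limit > 0 && ($2 + 0) >= limit)
                        print $1, $2, limit
                }
            }
        }'
}

# check_ipfw_logging: run the check only when kernel logging is enabled.
# $1 is the value of net.inet.ip.fw.verbose (passed in so the function can be
# exercised offline; on a live box use "$(sysctl -n net.inet.ip.fw.verbose)"),
# and the listing is read from stdin. With logging off, nothing is reported.
check_ipfw_logging() {
    verbose=$1
    if [ "$verbose" != "1" ]; then
        return 0
    fi
    ipfw_limit_reached
}

# Stand-alone demonstration on the constructed listing:
#   printf '%s\n' "$SAMPLE_LISTING" | check_ipfw_logging 1
```

The report lists the rule number, the current packet count and the limit, which is what an operator needs to decide whether to raise the rule's logamount or reset its counter; rule 100 and rule 500, which log without a limit, are correctly left out.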