From owner-freebsd-security  Sat Sep 11 21: 9:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id D8FE814D8B
	for <freebsd-security@FreeBSD.ORG>; Sat, 11 Sep 1999 21:09:12 -0700 (PDT)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id VAA30134;
	Sat, 11 Sep 1999 21:07:50 -0700 (PDT)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <199909120407.VAA30134@gndrsh.dnsmgr.net>
Subject: Re: ipfw question
In-Reply-To: <Pine.BSF.4.10.9909112040550.8937-100000@shell.entic.net> from Anil Jangity at "Sep 11, 1999 08:43:11 pm"
To: aj@entic.net (Anil Jangity)
Date: Sat, 11 Sep 1999 21:07:50 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am using FreeBSD2.2.8 Stable with IPFW enalbed with logging.
> 
> ipfw: 2600 Deny P:54 204.210.42.217 209.157.122.88 in via ep0
> 
> What does the "P:54" mean? Just wondering.

Protocol 54, I would say see /etc/protocols, but it depends on how
new your code is, anyway here is what IANA says about it:
    54     NARP        NBMA Address Resolution Protocol  [RFC1735]

> 
> --
> 
> Also does anyone know if IP Filters (or ipfw) let you limit logging
> depending on the rate at which the rule is applied?

Not that I am aware of, now would someone please code this up
so I can be wrong :-)

> 
> If I don't have a limit, my server panicked before because of an overload
> of denied packets (while logging was enabled) so I now have a limit of 150
> packets that get logged. I want to be able to log at the same time also
> not over log (not get it to run out of buffer and panic). 
> 
> I need to stop logging if and only if the rate at which they rules are
> getting applied passes a certain point and then continue again once the
> rate drecreases.
> 
> Is this doable? Do I make sense any bit? Is this stupid? Thanks.

Yes.  Yes.  No.  Your welcome for the little help I could be.

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message