From: Joe Greco
Message-Id: <199907271902.OAA09915@aurora.sol.net>
Subject: Re: securelevel and ipfw zero
In-Reply-To: <199907271735.LAA26067@mt.sri.com> from Nate Williams at "Jul 27, 1999 11:35:20 am"
To: nate@mt.sri.com (Nate Williams)
Date: Tue, 27 Jul 1999 14:02:19 -0500 (CDT)
Cc: ap@bnc.net, nate@mt.sri.com, dillon@apollo.backplane.com, green@FreeBSD.ORG, jgreco@ns.sol.net, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG

> > > How do you figure?  Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> >                                               ^^^^^^^^^^^^^
> > Then what is
> >
> > net.inet.ip.fw.verbose_limit: 0
>
> Well I'll be.  You learn something new everyday. :)
>
> > made for and why does it help changing it? 8-)
>
> Ahh.  However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.

The _problem_ with this (and it is FINE for doing interactive work on the
system as far as I am concerned) is that in a production environment with
machines with 800 day uptimes and securelevel 3, once you pass the
VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but
you then become vulnerable to the DoS attacks we have all been arguing
about.

In other words, it simply disables VERBOSE_LIMIT.  Useful, as I said, if you
have a low VERBOSE_LIMIT and you are getting some attack that you want to
monitor firsthand in more detail...

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                             jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                         414/342-4847