From owner-freebsd-bugs@FreeBSD.ORG Mon Apr 24 05:10:19 2006
Message-Id: <200604240500.k3O50QOJ081786@polymer3.scphys.kyoto-u.ac.jp>
Date: Mon, 24 Apr 2006 14:00:26 +0900 (JST)
From: Tsurutani Naoki
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: misc/96247: 550.ipfwlimit reports logs even if log size is not limited.

>Number: 96247
>Category: misc
>Synopsis: 550.ipfwlimit reports logs even if log size is not limited.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 24 05:10:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD polymer3.scphys.kyoto-u.ac.jp 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #19: Thu Mar 23 12:05:35 JST 2006 turutani@polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
The report from periodic daily may contain reports about ipfw. This report is created by 550.ipfwlimit even if the log size is unlimited.
>How-To-Repeat:
% grep daily_status_security_ipfwlimit_enable /etc/defaults/periodic.conf
daily_status_security_ipfwlimit_enable="YES"
% grep daily_status_security_ipfwlimit_enable /etc/periodic.conf
% sysctl -n net.inet.ip.fw.verbose_limit
0
% sh /etc/periodic/security/550.ipfwlimit
ipfw log limit reached:
00510 1 70 deny log ip from any to 10.0.0.0/8 via xl0
00520 27 3937 deny log ip from any to 172.16.0.0/12 via xl0
00600 57 7222 deny log ip from any to 10.0.0.0/8 via sis0
%
>Fix:
"options IPFIREWALL_VERBOSE_LIMIT=0" in the kernel configuration file sets the sysctl variable "net.inet.ip.fw.verbose_limit" to 0. This means the log limit is not set, according to the message printed in the system boot sequence. If this is true, the message "ipfw log limit reached" is curious.
apply next patch to src/etc/periodic/security/550.ipfwlimit: --- 550.ipfwlimit Mon Apr 24 13:27:57 2006 +++ 550.ipfwlimit.orig Mon Apr 24 13:27:37 2006 @@ -43,7 +43,7 @@ case "$daily_status_security_ipfwlimit_enable" in [Yy][Ee][Ss]) IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` - if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then + if [ $? -ne 0 ]; then exit 0 fi TMP=`mktemp -t security` this fix is not necessary about ip6fw, and is necessary on 6-STABLE. >Release-Note: >Audit-Trail: >Unformatted:
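Review bot: the diff is reversed: `--- 550.ipfwlimit` (13:27:57) is the modified copy and `+++ 550.ipfwlimit.orig` (13:27:37) is the pristine one, so the hunk reads as removing the `|| [ "${IPFW_LOG_LIMIT}" -eq 0 ]` test rather than adding it, and applying it as given to the stock script would not add the test (GNU patch would flag it as reversed or already applied). Please regenerate it with `diff -u 550.ipfwlimit.orig 550.ipfwlimit`, or state that it must be applied with `patch -R`. The intended condition itself is sound: because `||` short-circuits, `[ "${IPFW_LOG_LIMIT}" -eq 0 ]` is only evaluated when the sysctl succeeded and printed a value, so a failed sysctl cannot feed an empty string into the integer comparison.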
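The fix the PR proposes, as an added example that is neither the 550.ipfwlimit script from the FreeBSD tree nor the submitter's code: the patched condition run against constructed `ipfw -a list` output that includes the three rules quoted in the PR. It assumes the periodic script reports each logging rule whose packet count has reached `net.inet.ip.fw.verbose_limit` (which is why a limit of 0 reports every log rule); `count_rules` and `count_reported` are hypothetical helpers for checking, and an empty limit string stands in for a failed sysctl.

```shell
#!/bin/sh
# Constructed sample of `ipfw -a list` output (rule, packets, bytes,
# body). The three "log" rules are those quoted in the PR; the other
# two are padding that must never be reported.
SAMPLE_RULES='00100 12345 98765 allow ip from any to any via lo0
00510 1 70 deny log ip from any to 10.0.0.0/8 via xl0
00520 27 3937 deny log ip from any to 172.16.0.0/12 via xl0
00600 57 7222 deny log ip from any to 10.0.0.0/8 via sis0
65535 999 8888 deny ip from any to any'

# report_limited LIMIT: print each logging rule whose packet count has
# reached LIMIT (assumed to be how 550.ipfwlimit decides "limit
# reached"). With LIMIT=0 every log rule passes "$2 >= 0", which is
# the spurious report the PR describes.
report_limited() {
    printf '%s\n' "$SAMPLE_RULES" |
        awk -v limit="$1" '/ log / && $2 >= limit'
}

# ipfwlimit_report LIMIT: LIMIT is what `sysctl -n
# net.inet.ip.fw.verbose_limit` would print; an empty string models a
# failed sysctl (no ipfw in the kernel). This is the patched condition:
# report nothing when the sysctl is missing OR the limit is 0
# (IPFIREWALL_VERBOSE_LIMIT=0, i.e. unlimited logging). Because "||"
# short-circuits, the integer test never sees the empty string.
ipfwlimit_report() {
    limit=$1
    if [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        return 0
    fi
    out=$(report_limited "$limit")
    if [ -n "$out" ]; then
        echo ""
        echo "ipfw log limit reached:"
        printf '%s\n' "$out"
    fi
}

# count_rules (hypothetical checking helper): rule lines on stdin.
count_rules() { awk '/^[0-9]/ { n++ } END { print n + 0 }'; }

# count_reported LIMIT: how many rules the patched logic reports.
count_reported() { ipfwlimit_report "$1" | count_rules; }

# Unpatched selection vs. patched report for the PR's limit of 0.
echo "unpatched, limit 0: $(report_limited 0 | count_rules) log rules"
echo "patched,   limit 0: $(count_reported 0) log rules"
```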