Date: Tue, 27 Jul 1999 13:15:11 -0600
From: Nate Williams <nate@mt.sri.com>
To: Joe Greco <jgreco@ns.sol.net>
Cc: nate@mt.sri.com (Nate Williams), hackers@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: securelevel and ipfw zero
Message-ID: <199907271915.NAA26782@mt.sri.com>
In-Reply-To: <199907271856.NAA09504@aurora.sol.net>
References: <199907271652.KAA25747@mt.sri.com> <199907271856.NAA09504@aurora.sol.net>

> > > > One could argue that accounting numbers in a firewall shouldn't be
> > > > trusted, but I won't argue that point since the firewall is often the
> > > > most 'natural' place to stick network accounting software.
> > >
> > > If you can't trust something in the kernel, then you just can't trust
> > > anything at all.
> >
> > It isn't the kernel that's zero'ing the counters. :)
>
> Accounting numbers in a kernel firewall _should_ be trustable, and on that
> basis, one can clearly make an argument for separating the logging count
> from the accounting count - which should never be zero'ed, at least in
> securemode.

One could argue that 'logging counters' in a firewall _should_ be
trustable as well. You've argued against it, but I'm not convinced that
your opinion (or mine) is enough to consider it a 'bug'.

> I'm not saying your desire for per-rule counters is invalid, I'm just not
> of that same mindset. But it does seem clear that it would be useful to
> have a mechanism to restart the logging after an IPFW_VERBOSE_LIMIT
> throttle.

It would be useful. But, is its usefulness more important than being
able to rely on 'logging counters' being valid? (You argue no, but I'm
not convinced...)

Again, it's not a fix, it's a feature. Not being able to mess with
counters (logging or otherwise) is a feature. It may be a feature that
you can do without, but that decision is not to be made lightly.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message