Date: Fri, 18 Jun 1999 12:28:02 -0600 (MDT) From: Brendan Conoboy <synk@swcp.com> To: avalon@coombs.anu.edu.au, jwyatt@RWSystems.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipf howto, tada Message-ID: <199906181828.MAA04041@kitsune.swcp.com>
next in thread | raw e-mail | index | archive | help
> > FWIW, you might like to mention the "log-or-block" option where it will > > block a packet to be pass'd and logged if it cannot log it due to the > > log buffer being too full. > > > > i.e. > > pass in log first or-block on vx0 proto tcp from any to any port = 80 flags S/SA keep state > > > > Here we say only log the first packet for this connection as recorded by > > "keep state", but if it can't be logged, then block it. > > Neat trick! Could this easily be used for DOS? I like, this idea, but want > to understand it. If you filled the syslogs with dummy attempts, would it > block access, preventing you from cycling syslog files? I suspect the idea is to thwart the attack method where the attacker first fills the log drive, then proceeds with the attack, knowing their actions won't be logged. That's what I'm putting in the howto, anyway :-) I'll add the obvious caveat (network can be shutdown by causing log failure), too. -Brendan (synk@swcp.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199906181828.MAA04041>