From owner-freebsd-hackers  Wed Jul 28  8:14:28 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns.anp.nl (ns.anp.nl [195.81.24.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0F53E14D85; Wed, 28 Jul 1999 08:14:21 -0700 (PDT)
	(envelope-from hvoers@anp.nl)
Received: from ns.anp.nl (ns.anp.nl [195.81.24.2])
	by ns.anp.nl (8.9.1/8.9.1) with SMTP id RAA16166;
	Wed, 28 Jul 1999 17:11:36 +0200
Date: Wed, 28 Jul 1999 17:11:36 +0200 (cest)
From: Henk van Oers <hvoers@anp.nl>
To: "Brian F. Feldman" <green@FreeBSD.ORG>
Cc: Nate Williams <nate@mt.sri.com>, Joe Greco <jgreco@ns.sol.net>,
	hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: securelevel and ipfw zero
In-Reply-To: <Pine.BSF.4.10.9907280217180.71863-100000@janus.syracuse.net>
Message-ID: <Pine.QNX4.4.02.9907281643190.13890-100000@ns.anp.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 28 Jul 1999, Brian F. Feldman wrote:

> > > If it will get ALL of you to give it a rest, how about:
> > > 	per-rule logging limits
> > > 	logging limit raising
> > > 	logging limit resetting
> > > Which would all NOT affect the statistics?

Separate statistics/logging counters is fine, but i don't need
per-rule limits, a global limit is ok --> sysctl -w for raising
and ipfw zerolog (or reset) for resetting.

And then ... securelevel == 3
I think it is better NOT to permit 'sysctl -w', 'ipfw *' AND
a logging limmit, just process the logfile faster to avoid DoS

> > 
> > We need more input from people who use the code, to make sure they don't
> > depend on the current 'features', or can live with changes to them.

If you can keep the foot print small i can live with it.

> > 
> > Implementing it is the easy part, making sure it's the right thing to do
> > is the hard part.

Right!

> 
> Well, the easy part is done, except for raising limits. Look:
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: limit 2 reached on rule #1
> ipfw: Entry 1 logging count reset.
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0
> ipfw: limit 2 reached on rule #1
> 
> I think this feature should DEFINITELY go in. I'm going to clean it up some
> (ip_fw.c itself), and then make a set of diffs for this feature.
> Nice? :)

Nice? Depends on the diffs AND the man page ;-)

Henk.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message