misc/96247: 550.ipfwlimit reports logs even if log size is not
limited.
Tsurutani Naoki
turutani at scphys.kyoto-u.ac.jp
Mon Apr 24 05:10:19 UTC 2006
>Number: 96247
>Category: misc
>Synopsis: 550.ipfwlimit reports logs even if log size is not limited.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 24 05:10:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Tsurutani Naoki
>Release: FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD polymer3.scphys.kyoto-u.ac.jp 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #19: Thu Mar 23 12:05:35 JST 2006 turutani at polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386
>Description:
report via periodic daily may contain reports about ipfw.
this report is created by 550.ipfwlimit even if log size is unlimited.
>How-To-Repeat:
% grep daily_status_security_ipfwlimit_enable /etc/defaults/periodic.conf
daily_status_security_ipfwlimit_enable="YES"
% grep daily_status_security_ipfwlimit_enable /etc/periodic.conf
% sysctl -n net.inet.ip.fw.verbose_limit
0
% sh /etc/periodic/security/550.ipfwlimit
ipfw log limit reached:
00510 1 70 deny log ip from any to 10.0.0.0/8 via xl0
00520 27 3937 deny log ip from any to 172.16.0.0/12 via xl0
00600 57 7222 deny log ip from any to 10.0.0.0/8 via sis0
%
>Fix:
"options IPFIREWALL_VERBOSE_LIMIT=0" in kernel configuration file set
sysctl variable "net.inet.ip.fw.verbose_limit" to 0.
this means limit of log file is not set, according to the message printed
in system boot sequence.
if this is true, message "ipfw log limit reached" is curious.
apply next patch to src/etc/periodic/security/550.ipfwlimit:
--- 550.ipfwlimit Mon Apr 24 13:27:57 2006
+++ 550.ipfwlimit.orig Mon Apr 24 13:27:37 2006
@@ -43,7 +43,7 @@
case "$daily_status_security_ipfwlimit_enable" in
[Yy][Ee][Ss])
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
- if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then
+ if [ $? -ne 0 ]; then
exit 0
fi
TMP=`mktemp -t security`
this fix is not necessary about ip6fw, and is necessary on 6-STABLE.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list