misc/96247: 550.ipfwlimit reports logs even if log size is not limited.

Tsurutani Naoki turutani at scphys.kyoto-u.ac.jp
Mon Apr 24 05:10:19 UTC 2006 

>Number:         96247
>Category:       misc
>Synopsis:       550.ipfwlimit reports logs even if log size is not limited.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 24 05:10:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Tsurutani Naoki
>Release:        FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD polymer3.scphys.kyoto-u.ac.jp 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #19: Thu Mar 23 12:05:35 JST 2006 turutani at polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386


	
>Description:
	report via periodic daily may contain reports about ipfw.
	this report is created by 550.ipfwlimit even if log size is unlimited.
	
>How-To-Repeat:
	% grep daily_status_security_ipfwlimit_enable /etc/defaults/periodic.conf
	daily_status_security_ipfwlimit_enable="YES"
	% grep daily_status_security_ipfwlimit_enable /etc/periodic.conf
	% sysctl -n net.inet.ip.fw.verbose_limit
	0
	% sh /etc/periodic/security/550.ipfwlimit
	
	ipfw log limit reached:
	00510       1          70 deny log ip from any to 10.0.0.0/8 via xl0
	00520      27        3937 deny log ip from any to 172.16.0.0/12 via xl0
	00600      57        7222 deny log ip from any to 10.0.0.0/8 via sis0
	%
	
>Fix:
	"options IPFIREWALL_VERBOSE_LIMIT=0" in kernel configuration file set
	sysctl variable "net.inet.ip.fw.verbose_limit" to 0.
	this means limit of log file is not set, according to the message printed
	in system boot sequence.
	if this is true, message "ipfw log limit reached" is curious.
	apply next patch to src/etc/periodic/security/550.ipfwlimit:

	--- 550.ipfwlimit	Mon Apr 24 13:27:57 2006
	+++ 550.ipfwlimit.orig	Mon Apr 24 13:27:37 2006
	@@ -43,7 +43,7 @@
	 case "$daily_status_security_ipfwlimit_enable" in
	     [Yy][Ee][Ss])
	 	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
	-	if [ $? -ne 0 ] || [ "${IPFW_LOG_LIMIT}" -eq 0 ]; then
	+	if [ $? -ne 0 ]; then
	 		exit 0
	 	fi
	 	TMP=`mktemp -t security`

	this fix is not necessary about ip6fw, and is necessary on 6-STABLE.
	


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list