conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Antoine Brodin
antoine at FreeBSD.org
Sun Aug 3 16:40:08 UTC 2008
The following reply was made to PR conf/126060; it has been noted by GNATS.
From: "Antoine Brodin" <antoine at FreeBSD.org>
To: bug-followup at freebsd.org, rfg at tristatelogic.com
Cc:
Subject: Re: conf/126060: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Date: Sun, 3 Aug 2008 18:32:07 +0200
I think that this periodic script has a few problems:
- it should not check rules without "logamount"
- it should not use sysctl net.inet.ip.fw.verbose_limit
- it should not run if sysctl net.inet.ip.fw.verbose is not 1
The logging limit for a rule that doesn't have "logamount" is set to
the value of net.inet.ip.fw.verbose_limit at the time the rule is set,
and when this rule is shown later it has a logamount:
%%%
# ipfw -a list
65535 0 0 deny ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=0
net.inet.ip.fw.verbose_limit: 500 -> 0
# ipfw add 100 allow log ip from any to any
00100 allow log ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.verbose_limit: 0 -> 100
# ipfw add 200 allow log ip from any to any
00200 allow log logamount 100 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=200
net.inet.ip.fw.verbose_limit: 100 -> 200
# ipfw add 300 allow log ip from any to any
00300 allow log logamount 200 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=300
net.inet.ip.fw.verbose_limit: 200 -> 300
# ipfw add 400 allow log ip from any to any
00400 allow log logamount 300 ip from any to any
# ipfw add 500 allow log logamount 0 ip from any to any
00500 allow log ip from any to any
# ipfw -a list
00100 10 1227 allow log ip from any to any
00200 0 0 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 0 0 allow log logamount 300 ip from any to any
00500 0 0 allow log ip from any to any
65535 4 436 deny ip from any to any
%%%
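The following is an added example, not the PR's patch or FreeBSD's periodic script: a POSIX sh function that applies the three points made above to "ipfw -a list" output, taking the limit from each rule's own "logamount" instead of net.inet.ip.fw.verbose_limit, skipping rules shown without one (which, as the session shows, is how "logamount 0" is displayed), and staying silent unless net.inet.ip.fw.verbose is 1. The packet counters in the sample are constructed, and treating the limit as reached when the counter is at or above logamount is this example's own choice.

```shell
#!/bin/sh
# Added example, not the PR's patch: report ipfw rules whose per-rule
# logging limit has been reached.

# Constructed sample of "ipfw -a list" output; rule numbers follow the
# session in the PR, the packet/byte counters are made up.
SAMPLE_RULES='00100 10 1227 allow log ip from any to any
00200 150 9000 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 300 28000 allow log logamount 300 ip from any to any
00500 5000 600000 allow log ip from any to any
65535 4 436 deny ip from any to any'

# ipfw_limit_reached VERBOSE_VALUE  (rule list on stdin)
# Prints one line per rule whose packet counter is at or above its
# "logamount N". Rules listed without logamount (unlimited logging, i.e.
# added with logamount 0) are skipped, and nothing is printed unless
# net.inet.ip.fw.verbose is 1, so the check is meaningless otherwise.
ipfw_limit_reached() {
    verbose="$1"
    [ "$verbose" = "1" ] || return 0
    awk '
        # $1 = rule number, $2 = packet count, $3 = byte count, rest = rule
        {
            limit = 0
            for (i = 4; i < NF; i++)
                if ($i == "logamount") { limit = $(i + 1) + 0; break }
            if (limit > 0 && $2 + 0 >= limit)
                printf "rule %s: %s packets >= logamount %s\n", $1, $2, limit
        }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | ipfw_limit_reached 1

# On a FreeBSD host the same function would be fed the live data:
#   ipfw -a list | ipfw_limit_reached "$(sysctl -n net.inet.ip.fw.verbose)"
```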