> On Mon, 26 Jul 1999, Matthew Dillon wrote:
> > :Instead of zeroing it, how about raising the logging limit to (current +
> > :whatever the limit was)
> > :
> > : Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
> > : [EMAIL PROTECTED]                   _ __ ___ | _ ) __|   \ 
> > 
> >     The way I see it either some piece of software is monitor the counters,
> >     in which case the sysad does not need to clear them and does not need to
> >     look at log messages, or the sysad is monitoring the stuff manually and
> >     using the log messages.  In the one case the counters don't need to be
> >     cleared (and, indeed, should not be), in the other case the sysad may 
> >     want to clear them due to the manual monitoring.
> > 
> >     What we are really discussing here is the use of ipfw's counters in an
> >     unsophisticated setup.  The sophisticated setup is already handled.
> 
> That doesn't mean we shouldn't allow people to have an unsophisticated setup,
> just because a sophisticated one is available. It would be useful to have
> a per-firewall-rule counter, decrement it on each match if logging and
> set, and be able to reset to something higher.

This doesn't work the way you say.

If there was a single global VERBOSE_LIMIT counter, yes, it'd be trivial to
monitor for it to max out and then raise the limit.  However, with the
current design, what will happen is ... let's say you have ten log rules.
Your intruder spends a few days puttering and in the meantime gets your
auto monitoring system to raise the limit to 100,000 in 100-increment steps,
by beating on Rule #1.

Now, all of a sudden, Rule #2's counter is still at 0 and the limit is at
100,000...  do you see the potential for damage, or need I point out #3-9?

What you describe would be fine if there was a single global VERBOSE_LIMIT,
but in that event I'm not sure what difference there would be between doing
this limit-raise thing and just resetting the counter.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                             [EMAIL PROTECTED]
Solaria Public Access UNIX - Milwaukee, WI                         414/342-4847


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to