> > > How do you figure? Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> > ^^^^^^^^^^^^^
> > Then what is
> >
> > net.inet.ip.fw.verbose_limit: 0
>
> Well I'll be. You learn something new every day. :)
>
> > made for and why does it help changing it? 8-)
>
> Ahh. However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.
The _problem_ with this (and it is FINE for doing interactive work on the system as far as I am concerned) is that in a production environment with machines with 800 day uptimes and securelevel 3, once you pass the VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but you then become vulnerable to the DoS attacks we have all been arguing about.

In other words, it simply disables VERBOSE_LIMIT. Useful, as I said, if you have a low VERBOSE_LIMIT and you are getting some attack that you want to monitor firsthand in more detail...

... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgr...@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/342-4847
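The trade-off the thread is arguing about (a per-rule log counter capped by one global verbose_limit, where 0 removes the cap and lets a flood of denied packets generate unbounded log lines) is easier to see in a small model. The following is an added illustration written for this page, not FreeBSD kernel code or anything from the thread's authors; the class and function names, the counter-reset helper modelled loosely on `ipfw resetlog`, and the sample traffic are all constructed here.

```python
"""Toy model of a per-rule firewall log throttle with one global limit.

Constructed illustration (not the ipfw implementation): every rule keeps its
own counter of denied packets; a rule stops emitting log lines once its
counter passes the global limit; a limit of 0 means "never stop", which is
the verbose_limit=0 setting discussed in the thread.
"""
from collections import defaultdict


class LogThrottle:
    def __init__(self, verbose_limit):
        # One global cap applied to every rule's counter (0 = unlimited).
        self.verbose_limit = verbose_limit
        self.counters = defaultdict(int)
        self.emitted = []  # (rule, packet) pairs that made it to the log

    def deny(self, rule, packet):
        """Record a denied packet; return True if a log line was emitted."""
        self.counters[rule] += 1
        if self.verbose_limit and self.counters[rule] > self.verbose_limit:
            return False  # this rule has hit the limit: stay quiet
        self.emitted.append((rule, packet))
        return True

    def resetlog(self, rule=None):
        """Zero one rule's counter, or all of them (hypothetical helper,
        modelled loosely on what an operator would do to re-arm logging)."""
        if rule is None:
            self.counters.clear()
        else:
            self.counters.pop(rule, None)


def simulate(verbose_limit, packets):
    """Run (rule, packet) pairs through a throttle; return log lines per rule."""
    throttle = LogThrottle(verbose_limit)
    for rule, packet in packets:
        throttle.deny(rule, packet)
    counts = defaultdict(int)
    for rule, _ in throttle.emitted:
        counts[rule] += 1
    return dict(counts)


def logs_after_reset(verbose_limit, flood_size):
    """Show that re-arming one rule's counter lets it log again after a flood."""
    throttle = LogThrottle(verbose_limit)
    for i in range(flood_size):
        throttle.deny(100, f"pkt{i}")
    silenced = not throttle.deny(100, "probe-before-reset")
    throttle.resetlog(100)
    logging_again = throttle.deny(100, "probe-after-reset")
    return silenced, logging_again


# Constructed traffic: rule 100 sees a flood, rule 200 sees a trickle.
FLOOD = [(100, f"pkt{i}") for i in range(1000)] + [(200, f"pkt{i}") for i in range(3)]

if __name__ == "__main__":
    print("limit=5:", simulate(5, FLOOD))      # flood capped, trickle intact
    print("limit=0:", simulate(0, FLOOD))      # every denied packet is logged
    print("reset re-arms rule:", logs_after_reset(5, 1000))
```

With a limit of 5 the flooding rule contributes five lines and then goes silent while the quiet rule is unaffected; with the limit at 0 the flooding rule produces a line per packet, which is the log-volume exposure the thread describes. Because the cap is a single global value in this model, the only way to get a fresh look at one rule without lifting the cap everywhere is to reset that rule's counter.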