Re: [leaf-user] Re: re sh-httpd perm Bug
> Of course weblet is still doing something I consider wrong -- it's saying the firewall is in red light / ERROR mode just because it has 251 denied or rejected packets. Isn't this the whole point of a firewall, to deny and reject those packets? How is this an ERROR? At worst, it should be at yellow alert.

This depends on what you log and in what environment you are. On some of my internal boxes 251 would be a whole lot :)

You can change the settings for your individual system in

3) Packages configuration
Weblet
2) LRP web page configuration

    # Warning/Error thresholds for the weblet utility
    # Disable checking of any value by setting it to -1
    # Firewall thresholds: deny/reject messages
    WRN_FW=5
    ERR_FW=50

WRN_FW is the number of logged packets after which the color changes to yellow
ERR_FW is the number of logged packets to change to red

> Dan Harkless [EMAIL PROTECTED] http://harkless.org/dan/

Eric Wolzak
member of the bering Crew

---
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Re: re sh-httpd perm Bug
Hi Dan

At 00:07 30/07/02 -0700, Dan Harkless wrote:
> Of course weblet is still doing something I consider wrong -- it's saying the firewall is in red light / ERROR mode just because it has 251 denied or rejected packets. Isn't this the whole point of a firewall, to deny and reject those packets? How is this an ERROR? At worst, it should be at yellow alert.

It's possible to adjust this behaviour by changing the weblet's OK/warning/error thresholds. I see you've got some advice on that already.

There's also the possibility that the bulk of those packets are from one or two harmless sources that you don't really need to worry about - it's common for cable/ADSL systems to spew forth all sorts of stuff of this type. If this is the case it might be helpful to fiddle with your firewall rules so these things don't get logged in the first place.

I'd be inclined to do the latter, mainly because I only really want stuff that I have to think about in my logs and I find a lot of extra rows of harmless activity often make more important entries difficult to spot, but it's your firewall - you should do whichever you want.

cheers

Julian

--
[EMAIL PROTECTED]
www.ljchurch.co.uk
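The two options discussed in the messages above, as an added example that is not part of the thread and not weblet's code: mapping a deny/reject count to a light with WRN_FW/ERR_FW-style thresholds (-1 disables a check), and tallying denied packets per source to see whether a few hosts account for most of the log. The Shorewall-style log lines, the function names and the at-or-above comparison are assumptions.

```shell
#!/bin/sh
# Added example: not weblet's code. Log format and function names are assumptions.

# Constructed sample log: Shorewall-style netfilter lines, documentation addresses.
sample_log() {
cat <<'EOF'
Jul 30 00:00:01 fw syslogd 1.4.1: restart.
Jul 30 00:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Jul 30 00:01:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
Jul 30 00:02:30 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=113
Jul 30 00:03:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=138 DPT=138
Jul 30 00:04:45 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.5 PROTO=TCP SPT=51544 DPT=22
Jul 30 00:05:20 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=137 DPT=137
EOF
}

# Count logged deny/reject entries read from stdin.
count_denied() {
    grep -c -E ':(DROP|REJECT):' || true
}

# Map a count to a light. Assumes the light changes once the count reaches
# the threshold; -1 disables that check, as the quoted config comment says.
fw_status() {   # usage: fw_status COUNT WRN_FW ERR_FW
    if [ "$3" -ge 0 ] && [ "$1" -ge "$3" ]; then echo ERROR
    elif [ "$2" -ge 0 ] && [ "$1" -ge "$2" ]; then echo WARNING
    else echo OK
    fi
}

# Tally denied packets per source, busiest first, as "ADDRESS COUNT".
top_sources() {
    grep -E ':(DROP|REJECT):' | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

n=$(sample_log | count_denied)
echo "denied=$n default=$(fw_status "$n" 5 50)"
echo "251 packets, defaults:  $(fw_status 251 5 50)"
echo "251 packets, ERR_FW=-1: $(fw_status 251 5 -1)"
sample_log | top_sources
```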
Re: [leaf-user] Re: re sh-httpd perm Bug
Eric Wolzak [EMAIL PROTECTED] writes:
> > Of course weblet is still doing something I consider wrong -- it's saying the firewall is in red light / ERROR mode just because it has 251 denied or rejected packets. Isn't this the whole point of a firewall, to deny and reject those packets? How is this an ERROR? At worst, it should be at yellow alert.
>
> This depends on what you log and in what environment you are. On some of my internal boxes 251 would be a whole lot :)

Right, but I'm sure the vast majority of LEAF installations are exposed to the Internet, not sequestered on some internal network.

> You can change the settings for your individual system in
>
> 3) Packages configuration
> Weblet
> 2) LRP web page configuration
>
> # Warning/Error thresholds for the weblet utility
> # Disable checking of any value by setting it to -1
> # Firewall thresholds: deny/reject messages
> WRN_FW=5
> ERR_FW=50
>
> WRN_FW is the number of logged packets after which the color changes to yellow
> ERR_FW is the number of logged packets to change to red

Thanks, I hadn't noticed those parameters. The default values do seem unreasonably low, if most people are using LEAF on the Internet.

But I guess I don't really agree with the design philosophy in general. How many packets on an Internet-facing firewall is the right number to be considered an ERROR? To me, going to red-light mode just because there are a lot (however you define a lot) of denied and rejected packets means that you're crying wolf, and conditions people not to click on the red light to find out what's wrong.

I think the ERROR case should be saved for when things are seriously wrong, like the firewall is failing to process packets, or all rules have been cleared, or things of that nature.

Again, I'm perfectly happy with the use of the yellow light to indicate a high number of denied/rejected packets, just not with the use of the red light to indicate even more of them.

--
Dan Harkless [EMAIL PROTECTED] http://harkless.org/dan/
Re: [leaf-user] Re: re sh-httpd perm Bug
Julian Church [EMAIL PROTECTED] writes:
> There's also the possibility that the bulk of those packets are from one or two harmless sources that you don't really need to worry about - it's common for cable/ADSL systems to spew forth all sorts of stuff of this type. If this is the case it might be helpful to fiddle with your firewall rules so these things don't get logged in the first place.

I believe my ADSL provider is quite clean as far as unnecessary packet spewage goes (and I know my ISP is), but I'll check again.

> I'd be inclined to do the latter, mainly because I only really want stuff that I have to think about in my logs and I find a lot of extra rows of harmless activity often make more important entries difficult to spot, but it's your firewall - you should do whichever you want.

I don't think this applies in my case, but it's a good point to bring up -- thanks.

--
Dan Harkless [EMAIL PROTECTED] http://harkless.org/dan/