> : Instead of zeroing it, how about raising the logging limit to (current +
> : whatever the limit was)
> :
> : Brian Fundakowski Feldman
> : gr...@freebsd.org
>
> The way I see it either some piece of software is monitoring the counters,
> in which case the sysad does not need to clear them and does not need to
> look at log messages, or the sysad is monitoring the stuff manually and
> using the log messages. In the one case the counters don't need to be
> cleared (and, indeed, should not be), in the other case the sysad may
> want to clear them due to the manual monitoring.
How do you figure? Currently, the kernel will quit 'logging' denied packets
when the counter reaches a specific (compiled-in) number. Once that number
is hit, you get 'hits', but no details as to what the signature of the hits
are. The current 'signature' includes all of the IP information and such,
which is invaluable (necessary?) for determining who's doing bad things (or
not).

This is in the kernel, and currently there is no way of modifying the
counters in high securelevels. It doesn't matter if it's a human or a
computer monitoring them; once the limit is reached a lot of useful
information is lost since the kernel no longer produces this information.

    # ipfw add 110 deny log tcp from any to any 110 via ed0 in

Once the compiled-in limit is reached, the kernel only says that we've got a
hit, but it doesn't tell me who/when this happened.

Nate
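As an added illustration of the behaviour the thread is arguing about (this is a constructed model, not the FreeBSD ipfw kernel code), the snippet below keeps a per-rule hit counter against a verbosity limit and shows the two remedies discussed: zeroing the counter versus raising the limit to current + the compiled-in limit. The limit value, the log line format and all function names are assumptions chosen to make the effect visible.

```c
#include <stdio.h>

/* Constructed model of an ipfw rule's per-rule packet counter and the
 * compiled-in verbosity limit; not the kernel's own data structures. */
enum log_action { LOG_DETAIL, LOG_LIMIT_NOTICE, LOG_SILENT };

struct fw_rule {
    int number;        /* rule number, e.g. 110 from the thread */
    unsigned pcnt;     /* packets matched so far (the counter) */
    unsigned loglimit; /* detailed log lines allowed for this rule */
};

#define FW_VERBOSE_LIMIT 3 /* assumed small limit so the cut-off shows quickly */

struct fw_rule rule110_init(void)
{
    struct fw_rule r = { 110, 0, FW_VERBOSE_LIMIT };
    return r;
}

/* Account one matched packet and report what the kernel would emit:
 * full details while under the limit, a single "limit reached" notice
 * on the first packet past it, and nothing at all after that (the
 * counter keeps counting, but the who/when information is gone). */
enum log_action rule_log_packet(struct fw_rule *r, const char *src, const char *dst)
{
    r->pcnt++;
    if (r->pcnt <= r->loglimit) {
        printf("ipfw: %d Deny TCP %s %s in via ed0\n", r->number, src, dst);
        return LOG_DETAIL;
    }
    if (r->pcnt == r->loglimit + 1) {
        printf("ipfw: limit %u reached on rule %d\n", r->loglimit, r->number);
        return LOG_LIMIT_NOTICE;
    }
    return LOG_SILENT;
}

/* Remedy A (zeroing): detail logging restarts, but the hit total is lost. */
void rule_reset_counter(struct fw_rule *r) { r->pcnt = 0; }

/* Remedy B (Brian's suggestion): keep the total, allow another batch of
 * detailed lines by moving the limit to current + compiled-in limit. */
void rule_raise_limit(struct fw_rule *r) { r->loglimit = r->pcnt + FW_VERBOSE_LIMIT; }
```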