On Wed, 28 Jul 1999, Brian F. Feldman wrote: > > > If it will get ALL of you to give it a rest, how about: > > > per-rule logging limits > > > logging limit raising > > > logging limit resetting > > > Which would all NOT affect the statistics?
Separate statistics/logging counters is fine, but i don't need per-rule limits, a global limit is ok --> sysctl -w for raising and ipfw zerolog (or reset) for resetting. And then ... securelevel == 3 I think it is better NOT to permit 'sysctl -w', 'ipfw *' AND a logging limmit, just process the logfile faster to avoid DoS > > > > We need more input from people who use the code, to make sure they don't > > depend on the current 'features', or can live with changes to them. If you can keep the foot print small i can live with it. > > > > Implementing it is the easy part, making sure it's the right thing to do > > is the hard part. Right! > > Well, the easy part is done, except for raising limits. Look: > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: limit 2 reached on rule #1 > ipfw: Entry 1 logging count reset. > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: 1 Deny ICMP:8.0 127.0.0.1 127.0.0.1 out via lo0 > ipfw: limit 2 reached on rule #1 > > I think this feature should DEFINITELY go in. I'm going to clean it up some > (ip_fw.c itself), and then make a set of diffs for this feature. > Nice? :) Nice? Depends on the diffs AND the man page ;-) Henk. To Unsubscribe: send mail to majord...@freebsd.org with "unsubscribe freebsd-hackers" in the body of the message
