Re: periodic/security/550.ipfwlimit

From: Bill Moran (wmoran_at_potentialtech.com)
Date: 02/22/05

  • Next message: Jacques Vidrine: "VuXML.org improvements" 
    Date: Tue, 22 Feb 2005 11:02:27 -0500
To: Peter Lavee <pbl@tsua.net>

    This is great.

    However, because of the size of the FreeBSD project, it's likely that this
    will get lost. To ensure that it doesn't, please submit it as a PR
    (problem report).

    You can use the send-pr command on your FreeBSD system, or this web
    interface:
    http://www.freebsd.org/send-pr.html

    Peter Lavee <pbl@tsua.net> wrote:
    > On Tue, Feb 22, 2005 at 10:36:43AM +0200, Andriy Gapon wrote:
    >
    > Quickfixed version, may apply to 4-STABLE, 4-10 & 4.11
    > ---------------------------->8-------------------------------------------------------------------------
    > #!/bin/sh -
    > #
    > # Copyright (c) 2001 The FreeBSD Project
    > # All rights reserved.
    > #
    > # Redistribution and use in source and binary forms, with or without
    > # modification, are permitted provided that the following conditions
    > # are met:
    > # 1. Redistributions of source code must retain the above copyright
    > # notice, this list of conditions and the following disclaimer.
    > # 2. Redistributions in binary form must reproduce the above copyright
    > # notice, this list of conditions and the following disclaimer in the
    > # documentation and/or other materials provided with the distribution.
    > #
    > # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    > # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    > # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    > # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    > # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    > # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    > # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    > # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    > # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    > # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    > # SUCH DAMAGE.
    > #
    > # $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.2.2.3 2002/08/28 05:13:53 cjc Exp $
    > #
    >
    > # Show ipfw rules which have reached the log limit
    > #
    >
    > # If there is a global system configuration file, suck it in.
    > #
    > if [ -r /etc/defaults/periodic.conf ]
    > then
    > . /etc/defaults/periodic.conf
    > source_periodic_confs
    > fi
    >
    > rc=0
    >
    > case "$daily_status_security_ipfwlimit_enable" in
    > [Yy][Ee][Ss])
    > TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
    > IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
    > if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
    > ipfw -a l | grep " log " | grep -v " logamount " | perl -n -e \
    > '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
    > ipfw -a l | grep " log " | grep " logamount " | perl -n -e \
    > '/^\d+\s+(\d+).+?logamount\s+(\d+)/; print if ($1 >= $2)' >> ${TMP}
    > if [ -s "${TMP}" ]; then
    > rc=1
    > echo ""
    > echo 'ipfw log limit reached:'
    > cat ${TMP}
    > fi
    > fi
    > rm -f ${TMP};;
    > *) rc=0;;
    > esac
    >
    > exit $rc
    > ---------------------------->8-------------------------------------------------------------------------
    > >
    > > 550.ipfwlimit check in /etc/periodic/security takes into account only
    > > global/default verbosity limit and does not account for a specific
    > > logging limit set for a particular rule e.g.:
    > >
    > > $ ipfw -a l | fgrep log
    > > 65000 *521* 41764 deny log logamount *1000* ip from any to any
    > >
    > > $ sysctl -n net.inet.ip.fw.verbose_limit
    > > *100*
    > >
    > > >From security run output:
    > >
    > > ipfw log limit reached:
    > > 65000 519 41672 deny log logamount 1000 ip from any to any
    >
    > --
    > WBR,
    > Peter Lavee
    > Hostmaster
    > Technological Systems
    > CJVC
    >
    > _______________________________________________
    > freebsd-security@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" 

    -- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Jacques Vidrine: "VuXML.org improvements"