> > > How do you figure? Currently, the kernel will quit 'logging' denied
> > > packets when the counter reaches a specific (compiled-in) number.
> > ^^^^^^^^^^^^^
> > Then what is
> >
> > net.inet.ip.fw.verbose_limit: 0
>
> Well I'll be. You learn something new every day. :)
>
> > made for and why does it help changing it? 8-)
>
> Ahh. However, unfortunately, this 'limit' changes *all* of the per-rule
> counters, when in fact you may only want to change a single counter.
The _problem_ with this (and it is FINE for doing interactive work on the
system as far as I am concerned) is that in a production environment with
machines with 800-day uptimes and securelevel 3, once you pass the
VERBOSE_LIMIT, you _can_ disable VERBOSE_LIMIT by setting this to 0, but
you then become vulnerable to the DoS attacks we have all been arguing
about. In other words, it simply disables VERBOSE_LIMIT.
Useful, as I said, if you have a low VERBOSE_LIMIT and you are getting
some attack that you want to monitor firsthand in more detail...
... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator [EMAIL PROTECTED]
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
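The trade-off Joe describes, as an added example that is not from the thread or from the FreeBSD source: a small Python model of per-rule logging counters checked against one global verbose_limit, where 0 means "no cap" as the post states. Rule numbers and packet counts below are constructed.

```python
"""Toy model of ipfw verbose_limit behaviour (added example, not kernel code).

Assumption, taken from the thread: every rule has its own hit counter, all of
them are compared against the single global net.inet.ip.fw.verbose_limit, and a
limit of 0 disables the cap entirely.
"""
from collections import defaultdict


def log_lines_per_phase(phases, verbose_limit):
    """Return how many log lines the firewall emits during each traffic phase.

    phases: list of phases; each phase is a list of rule numbers, one entry per
            denied packet, in arrival order. Counters persist across phases,
            just as they persist across the whole uptime of the box.
    verbose_limit: value of net.inet.ip.fw.verbose_limit (0 = unlimited).
    """
    hits_since_boot = defaultdict(int)   # per-rule counter, never reset
    emitted = []
    for phase in phases:
        lines = 0
        for rule in phase:
            hits_since_boot[rule] += 1
            # Kernel logs this packet only while the rule's counter is still
            # within the global limit; with the limit at 0 it always logs.
            if verbose_limit == 0 or hits_since_boot[rule] <= verbose_limit:
                lines += 1
        emitted.append(lines)
    return emitted


# Constructed traffic: an early flood against rule 100, then, much later in the
# uptime, a handful of new hits on rule 100 plus a first-ever event on rule 200.
EARLY_FLOOD = [100] * 1000
LATER_EVENTS = [100] * 5 + [200] * 5
PHASES = [EARLY_FLOOD, LATER_EVENTS]


def compare():
    """With a cap, the later hits on rule 100 are silent (only rule 200 shows up);
    with the cap disabled, the early flood alone produces 1000 log lines."""
    capped = log_lines_per_phase(PHASES, verbose_limit=100)   # [100, 5]
    uncapped = log_lines_per_phase(PHASES, verbose_limit=0)   # [1000, 10]
    return capped, uncapped


if __name__ == "__main__":
    print("capped=%s uncapped=%s" % compare())
```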