periodic/security/550.ipfwlimit
Bill Moran
wmoran at potentialtech.com
Tue Feb 22 08:02:30 PST 2005
This is great.
However, because of the size of the FreeBSD project, it's likely that this
will get lost. To ensure that it doesn't, please submit it as a PR
(problem report).
You can use the send-pr command on your FreeBSD system, or this web
interface:
http://www.freebsd.org/send-pr.html
Peter Lavee <pbl at tsua.net> wrote:
> On Tue, Feb 22, 2005 at 10:36:43AM +0200, Andriy Gapon wrote:
>
> Quickfixed version, may apply to 4-STABLE, 4-10 & 4.11
> ---------------------------->8-------------------------------------------------------------------------
> #!/bin/sh -
> #
> # Copyright (c) 2001 The FreeBSD Project
> # All rights reserved.
> #
> # Redistribution and use in source and binary forms, with or without
> # modification, are permitted provided that the following conditions
> # are met:
> # 1. Redistributions of source code must retain the above copyright
> # notice, this list of conditions and the following disclaimer.
> # 2. Redistributions in binary form must reproduce the above copyright
> # notice, this list of conditions and the following disclaimer in the
> # documentation and/or other materials provided with the distribution.
> #
> # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> # SUCH DAMAGE.
> #
> # $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.2.2.3 2002/08/28 05:13:53 cjc Exp $
> #
>
> # Show ipfw rules which have reached the log limit
> #
>
> # If there is a global system configuration file, suck it in.
> #
> if [ -r /etc/defaults/periodic.conf ]
> then
>     . /etc/defaults/periodic.conf
>     source_periodic_confs
> fi
>
> rc=0
>
> case "$daily_status_security_ipfwlimit_enable" in
>     [Yy][Ee][Ss])
>         TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
>         IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
>         if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
>             ipfw -a l | grep " log " | grep -v " logamount " | perl -n -e \
>                 '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
>             ipfw -a l | grep " log " | grep " logamount " | perl -n -e \
>                 '/^\d+\s+(\d+).+?logamount\s+(\d+)/; print if ($1 >= $2)' >> ${TMP}
>             if [ -s "${TMP}" ]; then
>                 rc=1
>                 echo ""
>                 echo 'ipfw log limit reached:'
>                 cat ${TMP}
>             fi
>         fi
>         rm -f ${TMP};;
>     *) rc=0;;
> esac
>
> exit $rc
> ---------------------------->8-------------------------------------------------------------------------
> >
> > 550.ipfwlimit check in /etc/periodic/security takes into account only
> > global/default verbosity limit and does not account for a specific
> > logging limit set for a particular rule e.g.:
> >
> > $ ipfw -a l | fgrep log
> > 65000 *521* 41764 deny log logamount *1000* ip from any to any
> >
> > $ sysctl -n net.inet.ip.fw.verbose_limit
> > *100*
> >
> > From security run output:
> >
> > ipfw log limit reached:
> > 65000 519 41672 deny log logamount 1000 ip from any to any
>
> --
> WBR,
> Peter Lavee
> Hostmaster
> Technological Systems
> CJVC
>
--
Bill Moran
Potential Technologies
http://www.potentialtech.com
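An added example (not the list's 550.ipfwlimit script) that reproduces the decision logic over constructed `ipfw -a l` output so the report's false positive can be seen without a running firewall. It uses awk in place of the script's perl, compares the original global-only check with the per-rule logamount version, and the sample listing and limits are constructed values, not real firewall output.

```sh
#!/bin/sh
# Added example, not the periodic script itself. Input format mirrors
# "ipfw -a l": "<rule> <packets> <bytes> <action> ..." one rule per line.

# Constructed sample listing (not real output). Rule 65000 mirrors the
# report: 519 packets, per-rule logamount 1000, global verbose_limit 100.
SAMPLE_RULES='00100 12 840 allow ip from any to any via lo0
00200 150 9000 deny log ip from 10.0.0.0/8 to any
00300 75 4500 deny log ip from any to 192.0.2.1
00400 1200 60000 deny log logamount 1000 tcp from any to any dst-port 23
65000 519 41672 deny log logamount 1000 ip from any to any'

# Original behaviour: every "log" rule is compared with the global limit,
# so a rule with its own higher logamount is reported too early.
old_check() {   # $1 = global verbose_limit, stdin = ipfw listing
    awk -v lim="$1" '/ log / && $2 >= lim'
}

# Fixed behaviour: a rule carrying "logamount N" is compared with N;
# rules without it fall back to the global limit.
new_check() {   # $1 = global verbose_limit, stdin = ipfw listing
    awk -v lim="$1" '
        / log / {
            limit = lim
            for (i = 4; i < NF; i++)
                if ($i == "logamount") limit = $(i + 1)
            if ($2 >= limit) print
        }'
}

# Returns the rule numbers a checker reports, space separated, for
# the constructed listing and the given global limit.
rules_hit() {   # $1 = checker function, $2 = global limit
    printf '%s\n' "$SAMPLE_RULES" | "$1" "$2" |
        awk '{ printf "%s%s", sep, $1; sep = " " }'
}

echo "global-only check: $(rules_hit old_check 100)"
echo "per-rule check:    $(rules_hit new_check 100)"
```

With the global limit at 100, the original check lists 65000 although it is far below its own logamount of 1000; the per-rule check drops it and still catches 00400, whose 1200 packets exceed its logamount even when the global limit is raised above it.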