similar to: Fw-up: Re: periodic/security/550.ipfwlimit - diff for RELENG-5]

550.ipfwlimit check in /etc/periodic/security takes into account only global/default verbosity limit and does not account for a specific logging limit set for a particular rule e.g.: $ ipfw -a l | fgrep log 65000 *521* 41764 deny log logamount *1000* ip from any to any $ sysctl -n net.inet.ip.fw.verbose_limit *100* >From security run output: ipfw log limit reached: 65000 519

>Date: Sun, 23 Dec 2007 06:04:02 -0800 (PST) >From: Nash Nipples <trashy_bumper@yahoo.com> >To: freebsd-security@freebsd.org >Subject: Re: IPFW: Blocking me out. How to debug? > >Dear W.D. > >oh come on. i have the same problem. Which problem are we talking about? cut and paste problem. >cut and paste logic: > >#!/bin/sh >#1. count packets >#2.

heya i've been using freebsd's ipfw for quite a while and recently on a new server i've got this issue with ipfw that i can't understand ... something is wrong ... 01000 8042 1947866 allow ip from any to any via fxp0 01010 0 0 allow ip from any to any via lo0 01014 9886 4170269 divert 8668 ip from any to any in via vr0 01015 0 0 check-state 01130 14679 5695969 skipto 1800 ip from

I've just realized that I see in releng/7 something that I did not see in releng/6 - even if I use a file with custom rules in firewall_type I still get default loopback rules installed. I think that this is not correct, I am using custom rules exactly because I want to control *everything* (e.g. all deny rules come with log logamount xxx). -- Andriy Gapon

Hello security, This output I've received from conventional cron daily job: [...] gw.nbh.ru kernel log messages: > Limiting closed port RST response from 201 to 200 packets per second [...] where fxp0 is an external interface. What could involve such a messages? In /var/log/messages the above strings was prepended by string: Feb 10 13:24:29 gw /kernel: ipfw: limit 100 reached on entry

If someone has some free time, can you go over my ipfw config. See if I have any problems, or things i should add. Im not an ipfw expert or anything. Here is the config. add 100 allow all from any to any via lo0 add 110 deny log all from any to 127.0.0.0/8 add 120 deny log ip from 127.0.0.0/8 to any add 00200 check-state add 00250 deny all from any to any frag in via bge0 add 00260 deny

I have a FreeBSD box acting as a firewall and NAT gateway I would like to set it up to transparently pass IPSec packets -- I have an IPSec VPN client running on another machine, connecting to a remote network. Is there a way to do this? I can't find any hints in the man pages.

Dear W.D. Do you understand that by adding the rules into kernel space numbered from zero to sixty five thousand five hundred thirty four you may alter the behavior of the rule number sixty five thousand five hundred thirty five can you please define and list the goals you are trying to achieve by altering default rule in the terms you can both explain and understand. ----- Original Message

As many of you probably already know, a "SNAP" release is built once per day on the RELENG_2_2 branch (where 2.2.1 came from and from where future 2.2.x releases will be derived) and put up for anonymous FTP at: ftp://releng22.freebsd.org/pub/FreeBSD Since this site isn't always the easiest to get to or mirror, I will also periodically copy "known good" release snapshots

http://bugzilla.mindrot.org/show_bug.cgi?id=914 Bug 914 depends on bug 712, which changed state. Bug 712 Summary: ssh does not properly utilize OS specified authentication methods on AIX http://bugzilla.mindrot.org/show_bug.cgi?id=712 What |Old Value |New Value ----------------------------------------------------------------------------

http://bugzilla.mindrot.org/show_bug.cgi?id=994 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn|396, 859 | Status|NEW |ASSIGNED Summary|[RELENG] Bugs planned to be |[RELENG] Bugs planned to be

http://bugzilla.mindrot.org/show_bug.cgi?id=1047 Summary: [RELENG] Bugs planned to be fixed for the release after 4.1 Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo:

http://bugzilla.mindrot.org/show_bug.cgi?id=822 Bug 822 depends on bug 463, which changed state. Bug 463 Summary: PrintLastLog doesn't work in privsep mode http://bugzilla.mindrot.org/show_bug.cgi?id=463 What |Old Value |New Value ---------------------------------------------------------------------------- Resolution|FIXED |

Got a few servers still on 4.5. /etc/make.conf contains NOPROFILE= true # Avoid compiling profiled libraries make buildworld runs fine, but buildkernel gives cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/../include

Hi peeps, After compiling ipfw into the new 6.2 kernel, and typing "ipfw list", all I get is: "65535 deny ip from any to any" From reading the docs, this might indicate that this is the default rule. (I am certainly protected this way--but can't be very productive ;^) ) By the way, when I run "man ipfw" I get nothing. Using this instead:

http://bugzilla.mindrot.org/show_bug.cgi?id=914 Summary: [RELENG] Bugs planned to be fixed *after* 3.9 Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=914 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn| |971 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=822 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- BugsThisDependsOn| |884 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=822 Summary: [RELENG] Bugs planned to be fixed for 3.9 Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-bugs at mindrot.org ReportedBy:

Collaborative Fusion has a number of positions we're hoping to fill in the near future. Specifically, there is an opening in the systems group. My understanding is that we're looking for an entry-level sysadmin who would help manage our growing network of FreeBSD servers. Locality to Pittsburgh, PA is a plus, but I've a feeling we could make allowances for the right person (can't