From nobody@FreeBSD.org  Tue Feb 22 16:51:25 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 97ECA16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Feb 2005 16:51:25 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6BD3343D49
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Feb 2005 16:51:25 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j1MGpPKu088805
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Feb 2005 16:51:25 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j1MGpODG088804;
	Tue, 22 Feb 2005 16:51:25 GMT
	(envelope-from nobody)
Message-Id: <200502221651.j1MGpODG088804@www.freebsd.org>
Date: Tue, 22 Feb 2005 16:51:25 GMT
From: Peter Lavee <pbl@tsua.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: periodic/security/550.ipfwlimit ignores logamount
X-Send-Pr-Version: www-2.3

>Number:         77929
>Category:       conf
>Synopsis:       [patch] periodic/security/550.ipfwlimit ignores logamount
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 22 17:00:33 GMT 2005
>Closed-Date:    Fri Sep 02 14:21:50 GMT 2005
>Last-Modified:  Fri Sep 02 14:21:50 GMT 2005
>Originator:     Peter Lavee
>Release:        FreeBSD 4.11-RELEASE
>Organization:
Technological Systems CJVC
>Environment:
FreeBSD ns.hau.org.ua 4.11-RELEASE FreeBSD 4.11-RELEASE #1: Thu Jan 27 20:26:44 EET 2005     root@ns.hau.org.ua:/var/uobj/usr/src/sys/NSAPM  i386
>Description:
      The 550.ipfwlimit check in /etc/periodic/security takes into account only
 the global/default verbosity limit and does not account for the specific
 logging limit set for a particular rule, e.g.:

 $ ipfw -a l | fgrep log
 65000     *521*      41764 deny log logamount *1000* ip from any to any

$ sysctl -n net.inet.ip.fw.verbose_limit
*100*

From security run output:

ipfw log limit reached:
65000     519      41672 deny log logamount 1000 ip from any to any

>How-To-Repeat:
      Just use a logamount value bigger than net.inet.ip.fw.verbose_limit.
>Fix:
cat >/etc/periodic/security/550.ipfwlimit
#!/bin/sh -
#
# Copyright (c) 2001  The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.2.2.3 2002/08/28 05:13:53 cjc Exp $
#

# Show ipfw rules which have reached the log limit
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

rc=0

case "$daily_status_security_ipfwlimit_enable" in
    [Yy][Ee][Ss])
        TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
        IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
        if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
            # Rules that log without their own logamount are measured against
            # the global net.inet.ip.fw.verbose_limit.
            ipfw -a l | grep " log " | grep -v " logamount " | perl -n -e \
                '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
            # Rules with an explicit logamount are measured against that
            # value instead ($1 = packet counter, $2 = logamount).
            ipfw -a l | grep " log " | grep " logamount " | perl -n -e \
                '/^\d+\s+(\d+).+?logamount\s+(\d+)/; print if ($1 >= $2)' >> ${TMP}
            if [ -s "${TMP}" ]; then
                rc=1
                echo ""
                echo 'ipfw log limit reached:'
                cat ${TMP}
            fi
        fi
        rm -f ${TMP};;
    *)  rc=0;;
esac

exit $rc
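
As an added example (not the PR's patch and not FreeBSD's own 550.ipfwlimit), the per-rule versus global limit logic from the description above, written as a small POSIX sh/awk filter over constructed "ipfw -a l" output. It generalizes the submitted check in two ways: "logamount" is located by keyword rather than by field position, so two-token actions such as "skipto 1000" are handled, and a verbose_limit of 0 (no global limit) still lets rules carrying their own logamount trip. The rule lines, counters and limits are constructed for the example; the function names ipfw_limit_check and tripped_rules are the example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's 550.ipfwlimit.
# Report ipfw rules whose packet counter has reached their effective log
# limit: the rule's own "logamount N" when present, otherwise the global
# net.inet.ip.fw.verbose_limit passed as $1.

# Usage: ipfw_limit_check VERBOSE_LIMIT  < output-of-"ipfw -a l"
ipfw_limit_check() {
    awk -v limit="$1" '
        # "ipfw -a l" lines look like:
        #   rule pkts bytes action [log [logamount N]] proto from ... to ...
        # Skip anything that does not start with a rule number and a
        # packet counter (e.g. the "## Dynamic rules" header).
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        {
            has_log = 0
            rule_limit = limit + 0          # 0 means "no global limit"
            # Scan the fields after the action rather than assuming that
            # "logamount" is always $6: actions such as "skipto 1000" or
            # "fwd 10.0.0.1" occupy two fields and shift everything after them.
            for (i = 4; i <= NF; i++) {
                if ($i == "log") has_log = 1
                if ($i == "logamount" && i < NF) rule_limit = $(i + 1) + 0
            }
            # The kernel stops logging once the counter equals the limit,
            # so ">=" is the right comparison.
            if (has_log && rule_limit > 0 && $2 >= rule_limit) print
        }'
}

# Constructed sample listing (not from a real system); rule 600 uses a
# two-token action and rule 200 sits exactly at the global limit.
sample_rules='00100       12        960 allow ip from any to any via lo0
00200      100       6400 deny log ip from any to 127.0.0.0/8
00300       99       6336 deny log ip from 127.0.0.0/8 to any
00400      519      41672 deny log logamount 1000 ip from any to any
00500     1000      64000 deny log logamount 1000 ip from 10.0.0.0/8 to any
00600      250      16000 skipto 1000 log logamount 200 ip from any to any
65535   124531    9924576 deny ip from any to any'

# Convenience wrapper returning only the rule numbers that tripped.
tripped_rules() {
    printf '%s\n' "$sample_rules" | ipfw_limit_check "$1" | awk '{ print $1 }' | tr '\n' ' '
}

# With verbose_limit=100 this prints rules 00200, 00500 and 00600.
printf '%s\n' "$sample_rules" | ipfw_limit_check 100
```

On a live system the sample would be replaced by `ipfw -a l` and the argument by `sysctl -n net.inet.ip.fw.verbose_limit`; the filter itself needs nothing beyond sh and awk.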

>Release-Note:
>Audit-Trail:

From: Andriy Gapon <avg@icyb.net.ua>
To: freebsd-gnats-submit@FreeBSD.org, pbl@tsua.net
Cc:  
Subject: Re: conf/77929: periodic/security/550.ipfwlimit ignores logamount
Date: Mon, 14 Mar 2005 11:41:39 +0200

 Attached is the patch based on idea in
 http://lists.freebsd.org/pipermail/freebsd-security/2005-February/002703.html
 but unlike the patch there, this patch is known to work (at least on
 FreeBSD 5.2.1).
 
 -- 
 Andriy Gapon
 
 Attachment: periodic-ipfw.patch
 
 --- 550.ipfwlimit	Wed Feb 23 18:54:35 2005
 +++ 550.ipfwlimit	Wed Feb 23 19:19:19 2005
 @@ -45,10 +45,10 @@
  	TMP=`mktemp -t security`
  	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
  	if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
  	    ipfw -a l | grep " log " | \
  	    grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
  	    awk -v limit="$IPFW_LOG_LIMIT" \
 -		'{if ($2 > limit) {print $0}}' > ${TMP}
 +		'{if ($6 == "logamount") {if ($2 > $7) {print $0}} else {if ($2 > limit) {print $0}}}' > ${TMP}
  	    if [ -s "${TMP}" ]; then
  		rc=1
  		echo ""
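Review bot: the replacement awk condition relies on fixed field positions ($6 == "logamount", $7 for its value), which only holds when the action is a single token; for two-token actions such as skipto 1000, divert 8668, fwd 10.0.0.1 or pipe 1, "logamount" lands in $7 and the rule silently falls back to the global limit. Safer to locate the keyword wherever it appears, e.g. `for (i = 4; i <= NF; i++) if ($i == "logamount") lim = $(i + 1)`, and then compare $2 against lim, or against limit when no logamount was found. Two smaller points visible in the context lines: the `if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]` guard still skips the whole check when verbose_limit is 0, so rules carrying their own logamount are never examined in that configuration; and `$2 > $7` / `$2 > limit` only fire once the counter has gone past the limit, whereas the submitter's perl version in the Fix section uses `>=` and so also reports a rule whose count equals its limit.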
 

From: Matteo Riondato <rionda@gufi.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: conf/77929: periodic/security/550.ipfwlimit ignores logamount
Date: Tue, 29 Mar 2005 14:36:14 +0200

 The patch can be cleanly applied and it serves its purpose,
 enhancing the script's usefulness.
 Perhaps it should be committed.
 Best Regards
 
 -- 
 Rionda aka Matteo Riondato
 Disinformato per default
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Sat Aug 20 09:42:05 GMT 2005 
State-Changed-Why:  
Committed, thanks! 


Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Sat Aug 20 09:42:05 GMT 2005 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77929 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Fri Sep 2 14:21:31 GMT 2005 
State-Changed-Why:  
Merged to RELENG_5 and RELENG_6. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77929 
>Unformatted:
