Dear list!
I have a little problem, trying
to enable logging of deny rule.
I have enabled it via kernel:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=3
It is ipfw2. After that, my intention was to use syslogd and
!ipfw
*.* /var/log/ipfw.log
and newsyslog with
/var/log/ipfw.log 600 3 100 * J
In rc.conf I have
firewall_enable="YES"
firewall_logging="YES"
Well! Firewall works, I have data
with "ipfw show", but there is no
log. My intended rule is
add 65535 deny log all from any to any
It should work, but it does not.
What I am doing wrong?
With no syslogd and newsyslog, log
would be in "messages" file in
/var/log directory?
ZK
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> -------------------------------------------------------------------------- <
From: drew@mykitchentable.net ("Drew Tomlinson"), Board: FB_stable
Subject: Re: ipfw2 logging
Origin: NCTU CSIE FreeBSD Server (Thu Nov 6 08:49:13 2003)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
----- Original Message -----
From: "Zoran Kolic" <kolicz@eunet.yu>
To: <freebsd-stable@freebsd.org>
Sent: Saturday, November 01, 2003 10:11 PM
Subject: ipfw2 logging
>
> Dear list!
> I have a little problem, trying
> to enable logging of deny rule.
> I have enabled it via kernel:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=3
This seems to be a very small limit. Do you really intend to end logging of
a rule after three matches?
> It is ipfw2. After that, my intention was to use syslogd and
>
> !ipfw
> *.* /var/log/ipfw.log
>
> and newsyslog with
>
> /var/log/ipfw.log 600 3 100 * J
On my system, none of this was necessary. By default, firewall messages are
logged to /var/log/security. If you don't have this file, try using 'touch'
to create it and then see if you get firewall messages.
> In rc.conf I have
>
> firewall_enable="YES"
> firewall_logging="YES"
>
> Well! Firewall works, I have data
> with "ipfw show", but there is no
> log. My intended rule is
>
> add 65535 deny log all from any to any
This rule will log all denied packets until the limit (in your case, 3
packets) is reached. Then logging will stop until counters are cleared with
either 'zero' or 'resetlog'.
> It should work, but it does not.
> What I am doing wrong?
> With no syslogd and newsyslog, log
> would be in "messages" file in
> /var/log directory?
As I mention above, look for messages in /var/log/security.
Cheers,
Drew
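As an added example (not from anyone in this thread): a small sh/awk summary over ipfw log lines in the /var/log/security layout, counting denies per rule and flagging the kernel's "limit N reached on entry M" message, which is the sign that a rule has hit IPFIREWALL_VERBOSE_LIMIT and will stay silent until `ipfw resetlog` (or `zero`) is run. The sample log lines, hosts, times and rule numbers are constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise ipfw deny log lines and flag rules whose
# IPFIREWALL_VERBOSE_LIMIT has been reached, so the operator knows that
# the rule has stopped logging and needs `ipfw resetlog` before it logs again.

# Constructed sample of /var/log/security content. The field layout follows the
# ipfw2 kernel log format; hosts, times and rule numbers are made up.
SAMPLE_LOG='Nov  2 07:11:54 gw kernel: ipfw: 65534 Deny TCP 198.51.100.7:40112 203.0.113.10:22 in via fxp0
Nov  2 07:11:55 gw kernel: ipfw: 65534 Deny TCP 198.51.100.7:40113 203.0.113.10:22 in via fxp0
Nov  2 07:11:56 gw kernel: ipfw: 65534 Deny UDP 198.51.100.9:53 203.0.113.10:53 in via fxp0
Nov  2 07:11:56 gw kernel: ipfw: limit 3 reached on entry 65534
Nov  2 07:12:01 gw kernel: ipfw: 300 Deny ICMP:8.0 198.51.100.4 203.0.113.10 in via fxp0'

# Reads log lines on stdin; prints one line per rule:
#   "<rule number> <deny count> <logging|LIMIT-REACHED>", sorted by rule number.
ipfw_log_summary() {
    awk '
        # A deny line: the rule number is the field right after "ipfw:".
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") { deny[$(i+1)]++; break }
        }
        # The kernel emits this once when a rule hits the verbose limit;
        # the last field is the rule number that went quiet.
        /ipfw: limit [0-9]+ reached on entry / {
            capped[$NF] = 1
        }
        END {
            for (r in deny)
                printf "%s %d %s\n", r, deny[r], (r in capped) ? "LIMIT-REACHED" : "logging"
        }
    ' | sort -n
}

# Demo run over the constructed sample: `sh thisfile.sh --demo`
# (use `ipfw_log_summary < /var/log/security` on a real host).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary
fi
```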
> -------------------------------------------------------------------------- <
From: cristjc@comcast.net ("Crist J. Clark"), Board: FB_stable
Subject: Re: ipfw2 logging
Origin: NCTU CSIE FreeBSD Server (Thu Nov 6 08:49:13 2003)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
On Sun, Nov 02, 2003 at 07:11:54AM +0100, Zoran Kolic wrote:
[snip]
> Well! Firewall works, I have data
> with "ipfw show", but there is no
> log. My intended rule is
>
> add 65535 deny log all from any to any
>
> It should work, but it does not.
> What I am doing wrong?
You cannot change rule 65535. Perhaps try 65534.
> With no syslogd and newsyslog, log
> would be in "messages" file in
> /var/log directory?
Without syslogd(8), they wouldn't go anywhere. But if you mean where
they would go with the default syslog.conf(5), they actually end up in
/var/log/security.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
> -------------------------------------------------------------------------- <
From: mdg@secureworks.net (Matthew George), Board: FB_stable
Subject: Re: ipfw2 logging
Origin: NCTU CSIE FreeBSD Server (Thu Nov 6 08:49:13 2003)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
On Tue, 4 Nov 2003, Crist J. Clark wrote:
> On Sun, Nov 02, 2003 at 07:11:54AM +0100, Zoran Kolic wrote:
> [snip]
> > Well! Firewall works, I have data
> > with "ipfw show", but there is no
> > log. My intended rule is
> >
> > add 65535 deny log all from any to any
> >
> > It should work, but it does not.
> > What I am doing wrong?
>
> You cannot change rule 65535. Perhaps try 65534.
>
From the 4.9 release notes:
ipfw(8) can now modify ipfw(4) rules in set 31, which was read-only and
used for the default rules. They can be deleted by ipfw delete set 31
command but are not deleted by the ipfw flush command. This implements a
flexible form of ``persistent rules''. More details can be found in
ipfw(8).
I haven't actually done it yet for myself, but it would seem that 65535
can be changed now. (?)
--
Matthew George
SecureWorks Technical Operations
> -------------------------------------------------------------------------- <
From: cristjc@comcast.net ("Crist J. Clark"), Board: FB_stable
Subject: Re: ipfw2 logging
Origin: NCTU CSIE FreeBSD Server (Thu Nov 6 14:44:09 2003)
Relay path: ptt!FreeBSD.csie.NCTU!not-for-mail
On Wed, Nov 05, 2003 at 01:14:21PM -0500, Matthew George wrote:
> On Tue, 4 Nov 2003, Crist J. Clark wrote:
>
> > On Sun, Nov 02, 2003 at 07:11:54AM +0100, Zoran Kolic wrote:
> > [snip]
> > > Well! Firewall works, I have data
> > > with "ipfw show", but there is no
> > > log. My intended rule is
> > >
> > > add 65535 deny log all from any to any
> > >
> > > It should work, but it does not.
> > > What I am doing wrong?
> >
> > You cannot change rule 65535. Perhaps try 65534.
> >
>
> From the 4.9 release notes:
>
> ipfw(8) can now modify ipfw(4) rules in set 31, which was read-only and
> used for the default rules. They can be deleted by ipfw delete set 31
> command but are not deleted by the ipfw flush command. This implements a
> flexible form of ``persistent rules''. More details can be found in
> ipfw(8).
>
>
> I haven't actually done it yet for myself, but it would seem that 65535
> can be changed now. (?)
Still cannot. If you delete set 31, all of the rules in 31 are deleted
except for 65535.
If there is a bug here, it is this,
# ipfw add 65535 pass ip from any to any
65535 allow ip from any to any
# echo $?
0
# ipfw sh 65535
65535 0 0 deny ip from any to any
That the first ipfw(8) command appears to succeed.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org