Date:      Wed, 11 Apr 2007 15:28:51 +0100
From:      Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To:        Ian FREISLICH <ianf@clue.co.za>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: [patch] move ipfw logging to after syslogd
Message-ID:  <1176301731.22464.7.camel@buffy.york.ac.uk>
In-Reply-To: <E1HbdCx-0000Lz-RN@clue.co.za>
References:  <E1HbdCx-0000Lz-RN@clue.co.za>

On Wed, 2007-04-11 at 15:49 +0200, Ian FREISLICH wrote:
> Hi
> 
> We have a problem that on our busy firewalls, a boot and shutdown
> can be delayed by up to 20 minutes by the kernel printing log
> messages for denied packets to the console.  The problem is that
> most kernel activity appears to be suspended by outputting ipfw
> logged messages via the serial console (but not even the video
> console keeps up).  The kernel doesn't even respond to a serial
> break.

I wonder if a better fix is to ensure syslogd is started before bringing
up the network?  That way, you won't need this, as before IP addresses
are configured, you shouldn't get hit by anything.  Of course, this
would be an issue for when syslog is set to log remotely, unless that
laready has some "caching" mechanism to prevent messages being thrown
away.

>  	if [ -r "${firewall_script}" ]; then
>  		if [ -f /etc/rc.d/natd ] ; then
>  			/etc/rc.d/natd start
>  		fi
> -		/bin/sh "${firewall_script}"
> +		. "${firewall_script}"
>  		echo 'Firewall rules loaded.'
>  	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
>  		echo 'Warning: kernel has firewall functionality, but' \
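Review bot: swapping `/bin/sh "${firewall_script}"` for `. "${firewall_script}"` runs the firewall script in the rc script's own shell instead of a child process, so an `exit` inside the firewall script (or a `set -e` failure) now terminates the rc script before `echo 'Firewall rules loaded.'` and the rest of the startup logic execute, and any variables it sets or unsets leak into the caller. If the goal is for the firewall script to see rc variables, export them and keep the `/bin/sh` invocation; otherwise the reason for sourcing should be stated in the change description, since it also reverts the earlier move to a separate interpreter.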
> @@ -34,13 +40,6 @@
>  		echo '           All ip services are disabled.'
>  	fi
>  

Be careful, it looks like this unintentionally backs out the 1.15
change.

Gavin


