From owner-freebsd-jail@FreeBSD.ORG Thu May 2 10:09:18 2013
From: Anders Hagman
Subject: Re: vnet jail with ipfw having logging problem
Date: Thu, 2 May 2013 12:09:08 +0200
To: freebsd-jail
In-Reply-To: <20130502142443.V30818@sola.nimnet.asn.au>
List-Id: "Discussion about FreeBSD jail(8)"

Hi

On 2 May 2013 at 07:42, Ian Smith wrote:

> On Wed, 1 May 2013 17:43:03 -0400, Joe wrote:
>>>> I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using
>>>> the jail(8) definition statements for starting and stopping the vnet
>>>> jail. As a side note non-vnet jails are working as expected.
>>>>> The host is running a custom kernel with modules and with
>>>> options VIMAGE
>>>> nooptions SCTP
>>>> options IPFIREWALL
>>>> options IPFIREWALL_VERBOSE
>>>> options IPFIREWALL_VERBOSE_LIMIT=10
>
> Please maintain attributions for the archives. I wrote:
>
>>> What steps have you taken during testing to override this ridiculously low
>>> limit on logging? Otherwise, after e.g. just 5 pings and 5 ping responses
>>> are logged, all logging ceases until issuing 'ipfw resetlog'.
>>
>> /usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT; limits the number of
>> times a matching entry can be logged. Says nothing about this limit being the
>> maximum number of log records allowed after which the log file is closed for
>> business. Are you saying the /usr/src/sys/conf/NOTES info is no longer true?
>
> You showed one (1) 'log' rule for each of the host's and jail's ruleset.
> Once that one rule has been logged 'logamount' times (default as per
> NOTES is 100, but in your case is 10) then logging for THAT rule stops,
> therefore with only one 'log' rule, ALL logging stops. Understand?
>
> If you take the time to properly study the correct reference, ipfw(8),
> all of this will become clear. See especially section SYSCTL VARIABLES,
> and read thoroughly 'log [logamount number]', at the very least. Ignore
> the Handbook section on ipfw, it's full of errors and misunderstandings.
>
>> Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT where do the logged
>> packets get written to? /var/log/security
>
> See above. Both of these options merely set defaults for the sysctls.
>
>> I have not used ipfw since its ipfw2 rewrite so my knowledge is dated.
>
> Indeed it is; that's a very long time ago.
>
>>>> options IPFIREWALL_DEFAULT_TO_ACCEPT
>>>> options IPFIREWALL_IPDIVERT
>>>
>>> You'd likely do better using in-kernel NAT; natd doesn't get much love.
>>>
>>
>> I kept getting kernel compile errors using "options IPFIREWALL_NAT". I
>> thought the error was caused by vimage. Now I know "options LIBALIAS" is
>> required. Could not find info on internet search for IPFIREWALL_NAT with
>> vimage kernel.
>
> Apart from FIREWALL_FORWARD (not even that in 10.x), none of that needs
> to be in the kernel, it's all loadable as modules; see /etc/rc.d/ipfw.
>
> If you're doing NAT in the vimage jail, you must have at least two
> interfaces assigned to the jail. Care to show your config for that?
>
>> Do you have first hand experience getting "ipfw kernel nat" to work in a
>> vimage jail or having logging work on the host and within the vnet jail?
>
> No, but I have just on 15 years' experience managing ipfw firewalls :)

When you are new at things you make mistakes, remember.

To try to answer Joe's question:

You don't need to compile anything into the kernel regarding ipfw.
Just load the ipfw module in the host system with:

  kldload ipfw

By default a deny all rule is added, so add an allow rule to the host system.

  ipfw add 10 allow ip from any to any

To log things you change the sysctl value net.inet.ip.fw.verbose to 1

  sysctl net.inet.ip.fw.verbose=1

If you keep net.inet.ip.fw.verbose_limit=0 you don't have a log limit, and
for tests that's fine.

Log in to the jail system. Change the sysctl value net.inet.ip.fw.verbose to 1

  sysctl net.inet.ip.fw.verbose=1

Add a logging firewall rule

  ipfw add 10 allow log ip from any to any

Do a ping to an external system.

Look inside /var/log/security in the jail system and it's empty.
Go to the main host and look at the /var/log/security file and you will
find log entries.

I can confirm Joe's bug. I don't have a log rule in the main host but
still get log messages. All log messages are from the log rule in the
jail system.

System used: 9.1-RELEASE-p2

BR /Anders
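The test Anders describes ends with "ipfw:" entries in the host's /var/log/security although the host has no 'log' rule. A quick way to confirm that on a host is to compare the rule numbers in the log with the rules that actually carry the 'log' keyword in the host's own ruleset. The script below is an added example, not code from the thread; the log lines and rulesets are constructed samples in the format ipfw(8) logging and "ipfw list" produce, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the thread): find "ipfw:" log entries whose rule
# number is not a 'log' rule in the host's own ruleset. In the test above
# the host only has "allow ip from any to any" with no 'log' keyword, so
# any "ipfw:" line on the host must come from the jail's logging rule.
# Log lines and rulesets below are constructed samples.

SAMPLE_LOG='May  2 12:09:08 host kernel: ipfw: 10 Accept ICMP:8.0 10.0.0.2 198.51.100.1 out via epair0b
May  2 12:09:08 host kernel: ipfw: 10 Accept ICMP:0.0 198.51.100.1 10.0.0.2 in via epair0b
May  2 12:09:09 host kernel: ipfw: 10 Accept ICMP:8.0 10.0.0.2 198.51.100.1 out via epair0b
May  2 12:09:10 host kernel: ipfw: 65535 Deny TCP 203.0.113.5:4444 10.0.0.2:22 in via epair0b'

# Host ruleset as in Anders's test: no 'log' keyword anywhere.
HOST_RULES='00010 allow ip from any to any
65535 deny ip from any to any'

# Same host with rule 10 changed to a logging rule, for contrast.
HOST_RULES_LOGGING='00010 allow log ip from any to any
65535 deny ip from any to any'

# Rule numbers in a ruleset ($1) that carry the 'log' keyword, one per line.
log_rules() {
    printf '%s\n' "$1" | awk '/ log / { print $1 + 0 }'
}

# Count "ipfw:" entries in log text ($1) per rule number: "<rule> <count>".
count_by_rule() {
    printf '%s\n' "$1" | awk '
        match($0, /ipfw: [0-9]+/) {
            n[substr($0, RSTART + 6, RLENGTH - 6)]++
        }
        END { for (r in n) print r, n[r] }' | sort -n
}

# Entries in log text ($2) whose rule number is not a 'log' rule in
# ruleset ($1). Any output means the host logged for a rule it does not
# own, which is exactly what the jail test above shows.
foreign_log_rules() {
    known=" $(log_rules "$1" | tr '\n' ' ') "
    count_by_rule "$2" | awk -v known="$known" '
        index(known, " " $1 " ") == 0 { print $1, $2 }'
}

echo "== host without log rules =="
foreign_log_rules "$HOST_RULES" "$SAMPLE_LOG"
echo "== host with rule 10 logging =="
foreign_log_rules "$HOST_RULES_LOGGING" "$SAMPLE_LOG"
```

On a real host, replace SAMPLE_LOG with the output of "grep 'ipfw:' /var/log/security" and HOST_RULES with "ipfw list".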