Date: Wed, 11 Feb 2004 10:17:50 -0500
From: "JJB" <Barbish3@adelphia.net>
To: <Friedemann.Becker@web.de>, <freebsd-bugs@freebsd.org>
Cc: iedowse@maths.tcd.ie
Subject: RE: kern/62598: no logging on ipfw loadable module
Message-ID: <MIEPLLIBMLEEABPDBIEGAEJDFKAA.Barbish3@adelphia.net>
In-Reply-To: <40297213.70809@web.de>

Some explanation is in order here.

When I boot the system with this in rc.conf and ipfw not compiled into my kernel

    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules.test52"
    firewall_logging="YES"

This white highlighted message is displayed on the screen as part of the boot process.

    IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Since this message never showed up before, I took it to mean it was issued by the ipfw loadable module as it was automatically loaded at boot time. It says as plain as day that logging is disabled.

Now I did not test any further as I believed what that message said. I just figured that the loadable module was compiled without logging just like the message says. Why would anybody who read that message believe anything different?

Well, after your responses I reran the same test again, but this time I only added one rule

    ipfw add allow log all from any to any

and you are correct, logging is functioning.

So it would seem that the ipfw loadable module was compiled with logging ability.

So I want to modify my problem report to say the message that is issued during the boot process when the ipfw loadable module is being enabled needs to be corrected for it is incorrect and misleading.

Is this email sufficient enough to modify my PR or what do I have to do to modify it?

Thank you for taking the time and making the effort in helping me to clarify the root of this problem. Wish more people who worked the reported problems were like you two.

Joe

-----Original Message-----
From: Friedemann.Becker@web.de [mailto:Friedemann.Becker@web.de]
Sent: Tuesday, February 10, 2004 7:07 PM
To: joe; freebsd-bugs@freebsd.org
Subject: Re: kern/62598: no logging on ipfw loadable module

joe wrote:
>>Number: 62598
>>Category: kern
>[...]
>
> By original design, it's not supposed to be a mandatory requirement that you enable
> IPFW by compiling its options into your customized FBSD kernel. IPFW
> is included in the basic FBSD install as a separate run time loadable module.
> For some unknown reason the loadable module was compiled with, logging disabled
> This means the loadable IPFW module has absolutely no logging available. This
> configuration is non-logical, does not reflect the needs of the majority of
> IPFW users, and is pretty much useless. A firewall without logging ability is
> just plain unheard of.

the precompiled module comes with preset compile time options, but have you tried the corresponding sysctl variables in net.inet.ip.fw, especially net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit?

see the manpage, section "RULE FORMAT", command "log", for details

Friedemann
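
Added example, not part of the original thread or of FreeBSD: a shell check that reads saved `sysctl` and `ipfw list` output and reports, for each rule with the "log" keyword, whether it reaches syslog and with what limit. It assumes the behaviour described under "log" in ipfw(8): syslog output only when net.inet.ip.fw.verbose is 1, a per-rule logamount overriding net.inet.ip.fw.verbose_limit, and 0 meaning no limit. The function names and sample input are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads saved output of
#   sysctl net.inet.ip.fw.verbose net.inet.ip.fw.verbose_limit
#   ipfw list
# and reports, per rule with the "log" keyword, whether it reaches syslog.

# sysctl_value NAME TEXT: print the value from a "NAME: value" line.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# ipfw_log_report SYSCTL_TEXT RULES_TEXT (hypothetical helper)
# Prints "<rule> <syslog|silent> limit=<n|unlimited>" for each log rule.
# Exit status is 1 when no rule is logging to syslog.
ipfw_log_report() {
    verbose=$(sysctl_value net.inet.ip.fw.verbose "$1")
    limit=$(sysctl_value net.inet.ip.fw.verbose_limit "$1")
    printf '%s\n' "$2" |
    awk -v verbose="${verbose:-0}" -v deflimit="${limit:-0}" '
    {
        # Only the action part of a rule (before "from") carries log options.
        haslog = 0; amount = deflimit
        for (i = 2; i <= NF && $i != "from"; i++) {
            if ($i == "log") haslog = 1
            if ($i == "logamount") amount = $(i + 1)
        }
        if (!haslog) next
        state = (verbose + 0 == 1) ? "syslog" : "silent"
        if (state == "syslog") active = 1
        print $1, state, "limit=" (amount + 0 == 0 ? "unlimited" : amount)
    }
    END { exit(active ? 0 : 1) }'
}

# Constructed sample input: verbose off, then verbose on with a default limit.
SYSCTL_DEFAULT='net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0'
SYSCTL_VERBOSE='net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100'
RULES='00100 allow log ip from any to any
00200 deny log logamount 5 tcp from any to any
65535 deny ip from any to any'

ipfw_log_report "$SYSCTL_DEFAULT" "$RULES" || echo "no rule logs to syslog"
ipfw_log_report "$SYSCTL_VERBOSE" "$RULES"
```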