Date:      Tue, 9 Sep 2003 13:42:43 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Wayne Pascoe <freebsd-questions@penguinpowered.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Logging and IPFW
Message-ID:  <20030909124243.GC20373@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030909113447.GB17219@marvin.penguinpowered.org>
References:  <20030909113447.GB17219@marvin.penguinpowered.org>


On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:

> I'm trying to set up logging with IPFW. I've not compiled IPFW into my
> kernel, but am instead using the ipfw.ko module.
>
> I have the following sysctl variables set:
> net.inet.ip.fw.verbose=1
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> However, I am still not seeing anything in /var/log/messages when I
> portscan the machine. The firewall appears to be working, as we receive
> nothing back on the portscanning machine, but I would like logging
> enabled.

Try /var/log/security or /var/log/all.log if you've enabled the
all.log by following the instructions in /etc/syslog.conf.

Remember too that ipfw(8) will only log a certain number of hits
against a particular rule, which is a sensible measure designed to
prevent a DoS against your machine by filling up the disk space
logging a great flood of similar packets. That's controlled by the
IPFIREWALL_VERBOSE_LIMIT option in your kernel config, or by the
net.inet.ip.fw.verbose_limit sysctl.  I tend to think that the example
limit of 128 is too low, and bump that up to 1024.  Remember to run
'ipfw resetlog' at regular intervals to re-enable logging on any rule
that has hit the limit.  Just slap together a /etc/daily.local script
that needn't be any more complicated than this:

    #!/bin/sh
    # /etc/daily.local: re-arm logging on every ipfw rule that hit verbose_limit

    PATH=/usr/bin:/bin:/sbin ; export PATH

    ipfw resetlog

	Cheers,

	Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
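An added example, not part of the thread, that answers the first question above (which file the ipfw hits land in): a small sh/awk function that evaluates a syslog.conf against a facility and level. ipfw logs through the security facility at notice level; the sample configuration is constructed here in the style of FreeBSD's /etc/syslog.conf, not copied from it, and the function names are assumptions.

```shell
#!/bin/sh
# Given a syslog.conf on stdin, print the actions (files, hosts, pipes) that
# receive messages of facility $1 at level $2.  For ipfw, which logs as
# security.notice, run:  ipfw_log_targets < /etc/syslog.conf
# Simplifications: program (!prog) and host (+host/-host) blocks are skipped
# and the =/! level modifiers are ignored, so treat the result as a first cut.
syslog_targets() {
    awk -v fac="$1" -v lev="$2" '
    BEGIN {
        split("emerg alert crit err warning notice info debug", names, " ")
        for (i = 1; i <= 8; i++) rank[names[i]] = i      # lower = more severe
        rank["panic"] = 1; rank["error"] = 4; rank["warn"] = 5
    }
    /^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]*[!+-]/ { next }  # comments, blanks, blocks
    {
        state = 0
        n = split($1, parts, ";")
        for (i = 1; i <= n; i++) {
            split(parts[i], fl, ".")
            f = fl[1]; l = fl[2]
            sub(/^[=!]+/, "", l)
            fmatch = 0
            m = split(f, fs, ",")
            for (j = 1; j <= m; j++) if (fs[j] == "*" || fs[j] == fac) fmatch = 1
            if (!fmatch) continue
            # later selectors on the same line override earlier ones (e.g. security.none)
            if (l == "none") state = 0
            else if (l == "*" || rank[lev] <= rank[l]) state = 1
            else state = 0
        }
        if (state) print $2
    }'
}

# Constructed sample in the style of FreeBSD /etc/syslog.conf (not a copy of it).
SAMPLE_CONF='*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.notice;authpriv.none;kern.debug;mail.crit;security.none    /var/log/messages
security.*    /var/log/security
auth.info;authpriv.info    /var/log/auth.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.*    /var/log/all.log'

ipfw_log_targets() { syslog_targets security notice; }

printf '%s\n' "$SAMPLE_CONF" | ipfw_log_targets    # prints /var/log/security
```

With the sample above the security.none override keeps firewall hits out of /var/log/messages, which matches what the original poster saw; uncommenting the all.log line adds a second destination.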
