ipfw2 logging
Crist J. Clark
cristjc at comcast.net
Wed Nov 5 22:50:07 PST 2003
On Wed, Nov 05, 2003 at 01:14:21PM -0500, Matthew George wrote:
> On Tue, 4 Nov 2003, Crist J. Clark wrote:
>
> > On Sun, Nov 02, 2003 at 07:11:54AM +0100, Zoran Kolic wrote:
> > [snip]
> > > Well! Firewall works, I have data
> > > with "ipfw show", but there is no
> > > log. My intentioned rule is
> > >
> > > add 65535 deny log all from any to any
> > >
> > > It should work, but it does not.
> > > What I am doing wrong?
> >
> > You cannot change rule 65535. Perhaps try 65534.
> >
>
> from the 4.9 relnotes:
>
> ipfw(8) can now modify ipfw(4) rules in set 31, which was read-only and
> used for the default rules. They can be deleted by ipfw delete set 31
> command but are not deleted by the ipfw flush command. This implements a
> flexible form of ``persistent rules''. More details can be found in
> ipfw(8).
>
>
> I haven't actually done it yet for myself, but it would seem that 65535
> can be changed now. (?)
Still cannot. If you delete set 31, all of the rules in 31 are deleted
except for 65535.
If there is a bug here, it is this,
# ipfw add 65535 pass ip from any to any
65535 allow ip from any to any
# echo $?
0
# ipfw sh 65535
65535 0 0 deny ip from any to any
That the first ipfw(8) command appears to succeed.
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
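Since "ipfw add 65535 ..." exits 0 without touching the default rule, the only reliable check is to read the ruleset back. The script below is an added example (not from this thread or from ipfw itself): it parses "ipfw show" style lines and reports whether a logging deny rule exists at a number below 65535; the two rulesets are constructed samples, and check_live is the variant you would run on a real FreeBSD host.

```shell
#!/bin/sh
# Added example: verify a default-deny logging rule really landed below
# rule 65535, instead of trusting the exit status of "ipfw add 65535".

# Constructed "ipfw show" output (not a real capture): the working case,
# with the logging deny installed at 65534 ahead of the fixed 65535 rule.
SAMPLE_OK='00100 12 960 allow ip from any to any via lo0
65534 3 180 deny log ip from any to any
65535 0 0 deny ip from any to any'

# Constructed output for the failure in the thread: "ipfw add 65535 ..."
# returned 0, but 65535 is still the plain, non-logging default rule.
SAMPLE_BAD='00100 12 960 allow ip from any to any via lo0
65535 0 0 deny ip from any to any'

# has_logging_deny RULESET
# Returns 0 if some rule numbered below 65535 reads "deny log ... from any
# to any", 1 otherwise. Columns are: number pkts bytes action [log] proto ...
has_logging_deny() {
    printf '%s\n' "$1" | awk '
        $1 + 0 < 65535 && $4 == "deny" && $5 == "log" &&
        $0 ~ / from any to any$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_live: same test against the running firewall (FreeBSD, needs root).
check_live() {
    has_logging_deny "$(ipfw show)"
}
```

Run check_live after adding the 65534 rule; a non-zero exit means packets hitting the default rule are still not being logged.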