net.inet.ip.fw.verbose in jails
Date: Fri, 18 Jul 2025 13:24:47 UTC
Hi all,

one customer started to make more use of IPFW inside their vnet jails in our hosting environment.

When they

- create a firewall rule with "log" set, like:
    ipfw add 65532 allow log ip from me to any out
- set:
    sysctl net.inet.ip.fw.verbose=1

all *inside* a jail, the firewall rules work as expected, yet the log entries end up in /var/log/security on the host. All the time net.inet.ip.fw.verbose on the host is set to 0.

Is this intentional? Or fundamental, because there is only a shared host kernel with jails? Or is it a bug?

I checked multiple times, the sysctl variables can be set for each jail and the host independently just like each can have its own set of firewall rules.

Kind regards,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Geschäftsführer: Daniel Lienert, Fabian Stein