Re: net.inet.ip.fw.verbose in jails
- In reply to: Patrick M. Hausen: "net.inet.ip.fw.verbose in jails"
Date: Fri, 18 Jul 2025 19:50:38 UTC
I've had that happen if the jails don't have syslogd running inside them.

On Fri, Jul 18, 2025 at 6:25 AM Patrick M. Hausen <hausen@punkt.de> wrote:

> Hi all,
>
> one customer started to make more use of IPFW inside
> their vnet jails in our hosting environment.
>
> When they
>
> - create a firewall rule with "log" set, like:
>   ipfw add 65532 allow log ip from me to any out
> - set:
>   sysctl net.inet.ip.fw.verbose=1
>
> all *inside* a jail, the firewall rules work as expected, yet
> the log entries end up in /var/log/security on the host.
>
> All the time net.inet.ip.fw.verbose on the host is set to 0.
>
> Is this intentional? Or fundamental, because there is only
> a shared host kernel with jails?
>
> Or is it a bug?
>
> I checked multiple times, the sysctl variables can be set for
> each jail and the host independently just like each can have
> its own set of firewall rules.
>
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
>
> Sophienstr. 187
> 76185 Karlsruhe
>
> Tel. +49 721 9109500
>
> https://infrastructure.punkt.de
> info@punkt.de
>
> AG Mannheim 108285
> Managing directors: Daniel Lienert, Fabian Stein