Re: ipfw Logging Verbosity
- In reply to: Tim Daneliuk : "ipfw Logging Verbosity"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 29 Sep 2025 23:54:40 UTC
Logging what you're blocking is of very little value – you already have
them in your block list. But if you insist, write separate rules for
different types of traffic. Specify the protocol in the rule. Log only
RECV not VIA.
log tcp from table\(10\) to me in recv $WAN setup
log udp from table\(10\) to me in recv $WAN
log icmp from table\(10\) to me in recv $WAN
etc.
Consider sane numbers for logamount.
I have a rule that does this
pipe 4 log ip from table\(tarpit\) to any in recv $WAN
where the pipe is very, very small – 1000bit/s – you can make it even
smaller. That's before a rule which drops it.
On Sun, Sep 21, 2025 at 9:08 PM Tim Daneliuk <thronobulax@gmail.com> wrote:
> Is there some middle ground between ipfw 'log' options between
> silent and garden house.
>
> I have a rule that looks like this:
>
> deny ip from table(10) to any via ${INTERFACE}
>
> Table 10 is biiiig - lots and lots of entries in it.
>
>
> This results in nothing whatsoever being written to /var/log/security
> when a table entry is rejected.
>
> But, if I add the verb "log" to the above command, it writes a
> continuous stream of rejected connection attempts matching one
> of the table rules - presumably because these many entries are
> still trying (which I why I blacklisted them in the first place).
>
> Is there a way to get a more summarized view of the rejections
> so that the logging isn't so noisy, but still capture a sense of
> what is being stopped?
>
> TIA
>
>
>
>