kern/62598: no logging on ipfw loadable module

JJB Barbish3 at adelphia.net
Wed Feb 11 07:17:52 PST 2004


Some explanation is in order here.

When I boot the system with this in rc.conf, and ipfw not compiled
into my kernel:

firewall_enable="YES"
firewall_script="/etc/ipfw.rules.test52"
firewall_logging="YES"

this white-highlighted message is displayed on the screen as part of
the boot process:

IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Since this message never showed up before, I took it to mean it was
issued by the ipfw loadable module as it was automatically loaded at
boot time. It says as plain as day that logging is disabled. Now I
did not test any further as I believed what that message said. I
just figured that the loadable module was compiled without logging
just like the message says. Why would anybody who read that message
believe anything different?

Well, after your responses I reran the same test, but this time I
added only one rule:

ipfw add allow log all from any to any

and you are correct, logging is functioning.

So it would seem that the ipfw loadable module was compiled with
logging ability.

So I want to modify my problem report to say that the message issued
during the boot process, when the ipfw loadable module is being
enabled, needs to be corrected, for it is incorrect and misleading.

Is this email sufficient to modify my PR, or what do I have to do to
modify it?

Thank you for taking the time and making the effort to help me
clarify the root of this problem. I wish more people who work the
reported problems were like you two.

Joe




-----Original Message-----
From: Friedemann.Becker at web.de [mailto:Friedemann.Becker at web.de]
Sent: Tuesday, February 10, 2004 7:07 PM
To: joe; freebsd-bugs at freebsd.org
Subject: Re: kern/62598: no logging on ipfw loadable module

joe wrote:
>>Number:         62598
>>Category:       kern
>[...]
>
> By original design, it's not supposed to be a mandatory requirement
> that you enable IPFW by compiling its options into your customized
> FBSD kernel. IPFW is included in the basic FBSD install as a separate
> run-time loadable module. For some unknown reason the loadable module
> was compiled with logging disabled. This means the loadable IPFW
> module has absolutely no logging available. This configuration is
> non-logical, does not reflect the needs of the majority of IPFW
> users, and is pretty much useless. A firewall without logging ability
> is just plain unheard of.

The precompiled module comes with preset compile-time options, but
have you tried the corresponding sysctl variables in net.inet.ip.fw,
especially net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit?

See the manpage, section "RULE FORMAT", command "log", for details.


Friedemann
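Friedemann's pointer is the practical check behind this thread: on the loadable module, whether anything is logged is decided at run time by net.inet.ip.fw.verbose (capped per rule by net.inet.ip.fw.verbose_limit), and a rule only produces an entry if it carries the "log" keyword. On that reading the boot banner Joe quoted describes the verbose value at module-load time, before rc.conf's firewall_logging="YES" has taken effect. The shell script below is an added example, not code from the PR, from FreeBSD's rc.d scripts or from the ipfw sources. It decides from sysctl(8) and ipfw(8) output whether logging will actually happen, counts the entries that reached syslog, and prints the sysctl commands that turn logging on. It assumes the `ipfw list` output format "<number> <action> [log ...]", that logged packets arrive in syslog as "kernel: ipfw: <rule> <Accept|Deny|...> ...", and that firewall_logging="YES" is the rc-time equivalent of setting verbose=1; the sysctl, rule-list and syslog samples inside it are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example for PR kern/62598; not code from the PR, from FreeBSD's
# rc.d/ipfw, or from the ipfw sources.  Works out from sysctl(8) and
# ipfw(8) output whether the loaded ipfw module will really write log
# entries, counts the entries that did arrive in syslog, and shows the
# sysctl commands that turn logging on.
#
# Assumptions (not stated in the PR thread):
#  - a rule logs only when it carries the "log" keyword and
#    net.inet.ip.fw.verbose is non-zero;
#  - `ipfw list` prints "<number> <action> [log [logamount N]] ...";
#  - logged packets reach syslog as "... kernel: ipfw: <rule> <Accept|Deny|...> ...".

# ipfw_sysctl_value SYSCTL_TEXT NAME -> value of NAME, or -1 if absent
# (absent means the module is not loaded, so the OID does not exist).
ipfw_sysctl_value() {
    printf '%s\n' "$1" | awk -F': *' -v name="$2" '
        $1 == name { v = $2 }
        END { if (v == "") print -1; else print v }'
}

# ipfw_log_rules LIST_TEXT -> numbers of the rules that carry "log"
ipfw_log_rules() {
    printf '%s\n' "$1" | awk '$3 == "log" { print $1 }'
}

# ipfw_logging_status SYSCTL_TEXT LIST_TEXT -> one word:
#   not-loaded | verbose-off | no-log-rules | logging
ipfw_logging_status() {
    verbose=$(ipfw_sysctl_value "$1" net.inet.ip.fw.verbose)
    rules=$(ipfw_log_rules "$2")
    if [ "$verbose" -lt 0 ]; then
        echo not-loaded
    elif [ "$verbose" -eq 0 ]; then
        echo verbose-off       # what the boot banner's "logging disabled" means
    elif [ -z "$rules" ]; then
        echo no-log-rules      # verbose=1 but no rule asks to be logged
    else
        echo logging
    fi
}

# ipfw_log_hits SYSLOG_TEXT -> "<rule> <count>" for each rule seen in ipfw log lines
ipfw_log_hits() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "ipfw:") { n[$(i+1)]++; break } }
        END { for (r in n) print r, n[r] }' | sort -n
}

# ipfw_enable_logging [LIMIT]: the run-time switch Friedemann points at.
# verbose=1 turns logging on; verbose_limit caps entries per rule so a
# packet flood cannot fill /var/log/security (0 = unlimited).  The commands
# are printed unless RUN=1 is set on a FreeBSD host, so the script is safe
# to execute anywhere.
ipfw_enable_logging() {
    limit=${1:-100}
    for cmd in "sysctl net.inet.ip.fw.verbose=1" \
               "sysctl net.inet.ip.fw.verbose_limit=$limit"; do
        if [ "${RUN:-0}" = 1 ] && [ "$(uname -s)" = FreeBSD ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Constructed sample output (not captured from a real host), mirroring
# Joe's report: module loaded, verbose still 0, rules that carry "log".
SAMPLE_SYSCTL='net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0'

SAMPLE_RULES='00100 allow log ip from any to any
00200 deny log ip from 198.51.100.0/24 to any
65535 deny ip from any to any'

# Constructed syslog lines of the kind /var/log/security receives once
# verbose is 1 and rules 100 and 200 match.
SAMPLE_LOG='Feb 11 07:20:01 gw kernel: ipfw: 100 Accept TCP 192.0.2.10:2345 192.0.2.1:22 in via fxp0
Feb 11 07:20:02 gw kernel: ipfw: 100 Accept UDP 192.0.2.10:53 192.0.2.1:53 out via fxp0
Feb 11 07:20:05 gw kernel: ipfw: 200 Deny TCP 198.51.100.7:4444 192.0.2.1:25 in via fxp0'

echo "status before: $(ipfw_logging_status "$SAMPLE_SYSCTL" "$SAMPLE_RULES")"
ipfw_enable_logging 100
echo "hits per rule:"
ipfw_log_hits "$SAMPLE_LOG"
```

On a real host the two text arguments come from `sysctl net.inet.ip.fw` and `ipfw list`, and the syslog text from /var/log/security; run with RUN=1 to have the sysctl commands executed instead of printed. The status function separates the three things the banner lumps together: the module not being present at all, verbose being 0 (the banner's "logging disabled"), and no rule carrying "log", which is the case Joe's first test hit before he added the log rule.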


