[PATCH] ipfw logging through tcpdump ?
oberman at es.net
Wed Dec 16 19:57:01 UTC 2009
> Date: Tue, 15 Dec 2009 09:06:04 -0800
> From: Julian Elischer <julian at elischer.org>
> Sender: owner-freebsd-current at freebsd.org
> Luigi Rizzo wrote:
> > On Tue, Dec 15, 2009 at 10:09:47AM +0000, Bjoern A. Zeeb wrote:
> >> On Tue, 15 Dec 2009, Luigi Rizzo wrote:
> >> Hi,
> >>> The following ipfw patch (which i wrote back in 2001/2002) makes
> >>> ipfw logging possible through tcpdump -- it works by passing to the
> >>> fake device 'ipfw0' all packets matching rules marked 'log' .
> >>> The use is very simple -- to test it just do
> >>> ipfw add 100 count log ip from any to any
> >>> and then
> >>> tcpdump -ni ipfw0
> >>> will show all matching traffic.
> >>> I think this is a quite convenient and flexible option, so if there
> >>> are no objections I plan to commit it to head.
> >> pf(4) has pflog(4). Ideally calling it the same would be good though
> >> I wonder if two of the the three of our firewalls grow that feature,
> >> if we could have a common packet logging device rather than re-doing
> >> it for each implementation.
> >> Frankly, I haven't looked at the details of the implementation but I
> >> found getting rul numbers with tcpdump -e etc. was pretty cool to
> >> identify where things were blocked or permitted.
> > this is something trivial which i have planned already -- stuff
> > 10-12 bytes in the MAC header with rule numbers and actions
> > is surely trivial.
> > Thanks for the pointer to pflog, i'll look at that.
> >> Also make sure that the per-VIMAGE interface will work correctly and
> >> as expected.
> > On this i would like more feedback -- is there anything special
> > that I am supposed to do to create per-vimage interfaces ?
> > Could you look at the code i sent ?
> > "ipfw0" uses the same attach/detach code used by if_tap.
> I'm not sure we should do everything just because we can.
> it gives us nothing that we can't already get. you can filter using
> ipfw netgraph -> netgraph bpf -> ng_socket
> you can efficiently capture packets with divert (or tee)
> you can write to pcap files using phk's program.
While I agree with the sentiment, the proposal is so simple and elegant
and so easy to use that I think it would be crazy to not do it. It's
just much easier to use on an impromptu basis than doing the netgraph
stuff (except for those who do lots of netgraph).
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
More information about the freebsd-current