ipfw error in last stable version freebsd 8
Ian Smith
smithi at nimnet.asn.au
Thu Apr 1 07:25:28 UTC 2010
On Thu, 1 Apr 2010, Luigi Rizzo wrote:
> On Wed, Mar 31, 2010 at 03:47:49PM -0300, Ass.Tec. Matik wrote:
> >
> >
> > > it means that you are probably using a new kernel and an old /sbin/ipfw.
> > > The new ipfw/dummynet has a different kernel/userland API to accommodate
> > > some new features, and the kernel has a compatibility layer to translate
> > > requests back and forth between the two APIs.
> > >
> >
> >
> > where this is coming from:
> >
> > ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
>
> sys/netinet/ipfw/ip_fw_log.c
>
> Revision 200654 - (view) (annotate) - [select for diffs]
> Modified Thu Dec 17 23:11:16 2009 UTC (3 months, 1 week ago) by luigi
>
> Add some experimental code to log traffic with tcpdump,
> similar to pflog(4).
> To use the feature, just put the 'log' options on rules
> you are interested in, e.g.
>
> ipfw add 5000 count log ....
>
> and run
> tcpdump -ni ipfw0 ...
>
> net.inet.ip.fw.verbose=0 enables logging to ipfw0,
> net.inet.ip.fw.verbose=1 sends logging to syslog as before.

Which is now default? Previously net.inet.ip.fw.verbose was conditioned
by IPFIREWALL_VERBOSE in kernel options - has this changed? I gather
it's either ipfw0 or syslog, both (or neither?) not being possible?
Does 'ipfw {en,dis}able verbose' now toggle between these two?

Thanks for this heads up, I'm soon to update my 8.0 to -stable and use
log a lot, tailing /var/log/security for keeping an eye on some things.

While I'm at it :) have you given any more thought to disambiguating the
overloading of net.inet.ip.fw.one_pass for both dummynet and ipfw nat?

cheers, Ian