vnet jail with ipfw having logging problem

Ian Smith smithi at nimnet.asn.au
Thu May 2 05:42:06 UTC 2013


On Wed, 1 May 2013 17:43:03 -0400, Joe wrote:
 > > > I have ipfw running inside of a vnet jail on a 9.1-RELEASE host using
 > > > the jail(8) definition statements for starting and stopping the vnet
 > > > jail.  As a side note non-vnet jails are working as expected.
 > > >
 > > > The host is running a custom kernel with modules and with
 > > > options VIMAGE
 > > > nooptions SCTP
 > > > options IPFIREWALL
 > > > options IPFIREWALL_VERBOSE
 > > > options IPFIREWALL_VERBOSE_LIMIT=10

Please maintain attributions for the archives.  I wrote:

 > > What steps have you taken during testing to override this ridiculously low
 > > limit on logging?  Otherwise, after e.g. just 5 pings and 5 ping responses
 > > are logged, all logging ceases until issuing 'ipfw resetlog'.
 > 
 > /usr/src/sys/conf/NOTES says IPFIREWALL_VERBOSE_LIMIT; limits the number of
 > times a matching entry can be logged. Says nothing about this limit being the
 > maximum number of log records allowed after which the log file is closed for
 > business. Are you saying the /usr/src/sys/conf/NOTES info is no longer true?

You showed one (1) 'log' rule in each of the host's and jail's rulesets. 
Once that one rule has been logged 'logamount' times (default as per 
NOTES is 100, but in your case is 10) then logging for THAT rule stops; 
therefore with only one 'log' rule, ALL logging stops.  Understand?
 
If you take the time to properly study the correct reference, ipfw(8), 
all of this will become clear.  See especially section SYSCTL VARIABLES, 
and read thoroughly 'log [logamount number]', at the very least.  Ignore 
the Handbook section on ipfw; it's full of errors and misunderstandings.

 > Without IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT, where do the logged
 > packets get written to? /var/log/security

See above.  Both of these options merely set defaults for the sysctls.

 > I have not used ipfw since its ipfw2 rewrite, so my knowledge is dated.

Indeed it is; that's a very long time ago.

 > > > options IPFIREWALL_DEFAULT_TO_ACCEPT
 > > > options IPFIREWALL_IPDIVERT
 > >
 > > You'd likely do better using in-kernel NAT; natd doesn't get much love.
 > >
 > 
 > I kept getting kernel compile errors using "options IPFIREWALL_NAT". I
 > thought the error was caused by vimage. Now I know "options LIBALIAS" is
 > required. Could not find info on internet search for IPFIREWALL_NAT with
 > vimage kernel.

Apart from FIREWALL_FORWARD (not even that in 10.x), none of that needs 
to be in the kernel; it's all loadable as modules.  See /etc/rc.d/ipfw.
 
If you're doing NAT in the vimage jail, you must have at least two 
interfaces assigned to the jail.  Care to show your config for that?

 > Do you have first-hand experience getting "ipfw kernel nat" to work in a
 > vimage jail, or having logging work on the host and within the vnet jail?

No, but I have just on 15 years experience managing ipfw firewalls :)

Ian

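The per-rule logging limit Ian describes above, as an added illustration that is not part of the list thread and not ipfw's own code: a small Python model of how ipfw counts log entries for each 'log' rule. The real names it stands in for are the sysctl net.inet.ip.fw.verbose_limit (whose build-time default comes from IPFIREWALL_VERBOSE_LIMIT), the per-rule 'log logamount N' option with 0 meaning unlimited, and the 'ipfw resetlog' command; the class, function and packet counts are constructed for the example.

```python
# Added model (not ipfw source) of ipfw's per-rule 'logamount' accounting.
# It shows why a ruleset with a single 'log' rule and verbose_limit=10 goes
# silent after ten matches until 'ipfw resetlog', while a second rule with
# 'logamount 0' keeps logging.  Packets are identified only by the rule they
# match, because that is all the limit depends on.

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LogRule:
    number: int
    logamount: int       # 0 = unlimited, as in ipfw(8)
    logged: int = 0      # entries emitted since the last resetlog
    suppressed: int = 0  # matches that hit the limit and were not logged


class IpfwLogModel:
    def __init__(self, verbose_limit: int = 100) -> None:
        # verbose_limit stands in for the net.inet.ip.fw.verbose_limit sysctl
        self.verbose_limit = verbose_limit
        self.rules: Dict[int, LogRule] = {}

    def add_log_rule(self, number: int, logamount: Optional[int] = None) -> LogRule:
        # 'log' without an explicit logamount takes the sysctl default
        amount = self.verbose_limit if logamount is None else logamount
        self.rules[number] = LogRule(number, amount)
        return self.rules[number]

    def match(self, number: int) -> bool:
        """A packet matched rule `number`; return True if a log line is emitted."""
        rule = self.rules[number]
        if rule.logamount == 0 or rule.logged < rule.logamount:
            rule.logged += 1
            return True
        rule.suppressed += 1
        return False

    def resetlog(self) -> None:
        """Equivalent of 'ipfw resetlog': zero every rule's log counter."""
        for rule in self.rules.values():
            rule.logged = 0


def scenario_single_rule(limit: int = 10, packets: int = 20) -> dict:
    """One 'log' rule on a kernel built with IPFIREWALL_VERBOSE_LIMIT=limit
    (constructed scenario).  Only `limit` of `packets` matches get logged,
    and logging resumes only after resetlog."""
    fw = IpfwLogModel(verbose_limit=limit)
    fw.add_log_rule(100)
    before = sum(fw.match(100) for _ in range(packets))
    fw.resetlog()
    after = sum(fw.match(100) for _ in range(packets))
    return {"logged_before_reset": before,
            "logged_after_reset": after,
            "suppressed": fw.rules[100].suppressed}


def scenario_two_rules(limit: int = 10, packets: int = 20) -> dict:
    """Two 'log' rules (constructed scenario): the limit is kept per rule,
    and 'logamount 0' on the second rule lifts it entirely."""
    fw = IpfwLogModel(verbose_limit=limit)
    fw.add_log_rule(100)               # inherits the default limit
    fw.add_log_rule(200, logamount=0)  # unlimited
    r100 = sum(fw.match(100) for _ in range(packets))
    r200 = sum(fw.match(200) for _ in range(packets))
    return {"rule100_logged": r100, "rule200_logged": r200}


if __name__ == "__main__":
    print(scenario_single_rule())
    print(scenario_two_rules())
```

On a real host the same counters are visible in the output of 'ipfw -a list' (the log count per rule) and are what 'ipfw resetlog' clears; the model only reproduces that bookkeeping, not packet matching or the syslog path.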
