Logging packets dropped by IPFW

Micheal Patterson micheal at cancercare.net
Mon Jul 7 14:30:32 PDT 2003


----- Original Message ----- 
From: "Tim Kientzle" <kientzle at acm.org>
To: <freebsd-questions at freebsd.org>
Sent: Monday, July 07, 2003 4:22 PM
Subject: Logging packets dropped by IPFW


> Is there any way to generate log information
> about the packets dropped by IPFW?  The 'log'
> modifier doesn't seem to do anything on my
> system right now <sigh>, though from what I can tell,
> it's supposed to only log the rule that was
> triggered, which isn't the same thing at all.
>
> In particular, I'd like to know the protocol
> (TCP/UDP/ICMP) and port number for dropped packets.
>
> Tim Kientzle

Tim,

options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options                IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity

You need the top option compiled in to enable logging of ipfw. The second
option would limit the amount of logging that is done until you do an ipfw
resetlog command.  I personally comment out the limit so that I can keep a
running history. This does take up more overhead on the system and disk
space, however, the need for the history outweighs this. When you're
logging, the dropped packets will show you the date/time, rule that denied /
accepted the entry, protocol used, source IP and port, and destination IP
and port.

(Jul  7 16:26:13 discovery /kernel: ipfw: 65000 Deny TCP 67.66.xxx.xxx:4170
67.xxx.xxx.xxx:80 in via fxp0)

--

Micheal Patterson
TSG Network Administration
405-917-0600
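
Parsing the record format shown in the reply, as an added example that is not part of the original thread. It assumes the syslog prefix "<timestamp> <host> /kernel: ipfw:" seen above, "ip:port" endpoints for TCP/UDP, and (an assumption not shown on the page) "ICMP:type.code" with bare IPs for ICMP; the sample lines are constructed.

```python
import re

# Matches the syslog-prefixed ipfw record quoted in the reply, e.g.
#   Jul  7 16:26:13 discovery /kernel: ipfw: 65000 Deny TCP 1.2.3.4:4170 5.6.7.8:80 in via fxp0
# Assumption: TCP/UDP endpoints are "ip:port"; ICMP records carry "ICMP:type.code" and bare IPs.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Za-z0-9.:]+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

def _split_endpoint(endpoint):
    # "ip:port" for TCP/UDP; a bare "ip" (port None) for ICMP and other protocols.
    ip, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return endpoint, None

def parse_ipfw_line(line):
    """Return a dict with the fields the reply lists, or None for non-ipfw lines."""
    m = IPFW_RE.match(line.strip())
    if m is None:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    return {"ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "dir": m["dir"], "iface": m["iface"]}

def count_denied(lines):
    """Count Deny records per (protocol, destination port): the summary the question asks for."""
    counts = {}
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is None or ev["action"] != "Deny":
            continue
        key = (ev["proto"], ev["dst_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample records (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    "Jul  7 16:26:13 discovery /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4170 198.51.100.5:80 in via fxp0",
    "Jul  7 16:26:14 discovery /kernel: ipfw: 65000 Deny UDP 192.0.2.11:53412 198.51.100.5:53 in via fxp0",
    "Jul  7 16:26:15 discovery /kernel: ipfw: 65000 Deny TCP 192.0.2.12:4171 198.51.100.5:80 in via fxp0",
    "Jul  7 16:26:16 discovery /kernel: ipfw: 100 Accept TCP 192.0.2.13:2200 198.51.100.5:22 in via fxp0",
    "Jul  7 16:26:17 discovery /kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.14 198.51.100.5 in via fxp0",
    "Jul  7 16:26:18 discovery sshd[123]: unrelated syslog line",
]
```

Feeding /var/log/security (or wherever syslog.conf sends the kern.* records) through count_denied gives the per-protocol, per-port view of dropped traffic; lines that are not ipfw records are skipped rather than mis-parsed.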
