IPFW Logging (Was Re: log really is in security)

Drew Tomlinson drew at mykitchentable.net
Mon Nov 3 07:59:58 PST 2003

----- Original Message ----- 
From: "Zoran Kolic" <kolicz at eunet.yu>
Sent: Sunday, November 02, 2003 9:39 PM

>    Dear Drew!
>    You are absolutely right.
> I made another rule:
> allow log tcp from any to any out setup keep-state
> and got 30K log in /var/log/
> security. This file was untou-

You're logging every outbound packet from your machine.  You'll either
need a lot of disk space or have to purge your log files often to keep
from running out of space.  You probably don't want this once you're
finished testing.

> ched from installation, and has
> 600 permission. But, look at:
> 65535 35 1468 deny ip from any to any

This is the default rule unless you compile your kernel with the

> gotten from "ipfw show". What
> is this counting? Maybe nothing
> for logging, but probe dial-up
> during 1 minute gave it. It is
> what I want to look at. It is
> what make me nervous. Probably
> not packets from the net, but
> what they are?

This rule will not log anything as there is no 'log' in the rule.  It is
counting all packets that don't match any rule above it.  It is the
*ONLY* rule until your firewall script is finished loading so it will
always have a count unless you use 'ipfw zero' to clear it.  Then it
will still increment if a packet does not match one of the rules above.

If you want to log all denied packets, just add a rule above it such as
'$fwcmd add 65500 log deny ip from any to any'.

Because I administer my machines remotely, I compiled my kernel with the
DEFAULT_TO_ACCEPT option.  That way when I'm fiddling with my rules, I
don't lock myself out.  As the last rule in my firewall script, I add
the 'deny from any to any' rule I describe above.

>    You said, that verbose limit
> of 3 is a little bit small. I
> had idea, that it means: take
> 3 identical inputs of the same
> sort and stop! Not?

Not quite.  It means "stop logging after 3 matches on the rule".  I
suspect you're thinking that it will log 3 matches from and 3
more matches from on the same rule.  No, 3 matches total no
matter from which IP address.

>    Thanks for help!

You're welcome.


More information about the freebsd-questions mailing list