ipfw question ....

William A. Mahaffey III wam at hiwaay.net
Sat Aug 9 14:33:02 UTC 2014

On 08/09/14 09:15, Mike Tancsa wrote:
> On 8/9/2014 10:15 AM, William A. Mahaffey III wrote:
>> Why is there a limit on the # of logged denials by ipfw ?
> The limit is there to prevent conditions where syslog would be 
> overwhelmed with hits, as in the case for example of a DoS.  You can 
> change it as discussed in the man pages
> If net.inet.ip.fw.verbose is set to 1, packets will be logged to 
> syslogd(8) with a LOG_SECURITY facility up to a maximum of logamount 
> packets.  If no logamount is specified, the limit is taken from the 
> sysctl variable net.inet.ip.fw.verbose_limit.  In both cases, a value 
> of 0 means unlimited logging.
> Once the limit is reached, logging can be re-enabled by clearing the 
> logging counter or the packet counter for that entry, see the resetlog 
> command.
>     ---Mike

Hmmmm .... OK, sounds good. I would like a bit more granularity on 
deciding what to log & what to not log. For example, 99% of the time, I 
would drop denials from my LAN, except when I am trying to figure out 
why I can't get NFS working, for example. I'd like to be able to choose 
that when I (re)start ipfw. I am using the default rc.firewall located 
in /etc, BTW. I might like to specify denial-logging by protocol *and* 
port #, rather than just port # .... Is there a way to implement any of 
this ? Thanks & TIA ....


	William A. Mahaffey III


	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.

More information about the freebsd-questions mailing list