Date: Mon, 11 Feb 2019 23:24:17 -0800
From: "Rudy (bulk address)" <crapsh@monkeybrains.net>
To: freebsd-ipfw@freebsd.org
Subject: Patch to have ipfw0 work properly in jails
Message-ID: <ebd26c5a84b465183de8f8066f884136.squirrel@mail.monkeybrains.net>
In-Reply-To: <mailman.47.1549886401.19526.freebsd-current@freebsd.org>
References: <mailman.47.1549886401.19526.freebsd-current@freebsd.org>
Never submitted a patch... is this good enough? Problem: ipfw logs in a way that is confusing in jails (it logs to the host syslogd) Solution: use ipfw0 and make sure to fix up syslog and launch tcpdump if firewall_logif is set in rc.conf Thanks, Rudy --- /etc/rc.d/ipfw.orig 2019-02-11 23:19:09.074313000 -0800 +++ /etc/rc.d/ipfw 2019-02-11 23:17:37.675032000 -0800 @@ -65,8 +65,23 @@ ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null fi if checkyesno firewall_logif; then - ifconfig ipfw0 create - echo 'Firewall logging pseudo-interface (ipfw0) created.' + if ! ifconfig ipfw0 > /dev/null 2> /dev/null; then + ifconfig ipfw0 create + echo 'Firewall logging pseudo-interface (ipfw0) created.' + # have tcpdump listen to ipfw and send info to logger + /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www -p security.info & + echo "ipfw0 redirecting to syslog" + elif ! killall -0 tcpdump 2> /dev/null; then + # no tcpdump running... launch it! + /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www -p security.info & + echo "ipfw0 redirecting to syslog" + fi + fwverbose=`sysctl -n net.inet.ip.fw.verbose` + if [ $fwverbose == 1 ]; then + # turn down for what ... I mean, turn off verbose so ipfw0 is used. + sysctl net.inet.ip.fw.verbose=0 > /dev/null + echo "verbose logging off and redirecting to ipfw0" + fi fi }
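Review bot: the new verbose check `if [ $fwverbose == 1 ]; then` uses `==`, which is not the documented string comparison operator for test(1) under the /bin/sh that rc scripts run in (`=` is), and `$fwverbose` is unquoted, so an empty value (sysctl failing because the ipfw module is not loaded yet) turns the test into a syntax error; write `if [ "$fwverbose" = 1 ]; then`, and use `${SYSCTL}` as the surrounding context line does instead of bare `sysctl`. Two further points in the same hunk: `killall -0 tcpdump` succeeds for any tcpdump process on the system, so an unrelated capture an admin happens to be running stops the logging pipeline from being launched even though nothing is reading ipfw0, and `logger -t www` tags these firewall lines as "www" in syslog, which misleads anyone filtering by program name (a tag such as `ipfw` matches what the lines actually are). Finally, the backgrounded `tcpdump | logger` pipeline leaves no pidfile and is not torn down by the stop method, so either record its pid so `service ipfw stop` can clean it up, or document that it keeps running after the firewall is stopped.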