Date: Fri, 18 Jul 2025 12:50:38 -0700
From: Lee Brown <leeb@ratnaling.org>
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: net.inet.ip.fw.verbose in jails
Message-ID: <CAFPNf5_%2BdQjxGc1VVmZ_YVv_UC5JG0wBaowu=3oaQKNS2S09kg@mail.gmail.com>
In-Reply-To: <C963E6A0-CF3B-4052-A954-46CC28134FA9@punkt.de>
References: <C963E6A0-CF3B-4052-A954-46CC28134FA9@punkt.de>
I've had that happen if the jails don't have syslogd running inside them.

On Fri, Jul 18, 2025 at 6:25 AM Patrick M. Hausen <hausen@punkt.de> wrote:
> Hi all,
>
> one customer started to make more use of IPFW inside
> their vnet jails in our hosting environment.
>
> When they
>
> - create a firewall rule with "log" set, like:
> ipfw add 65532 allow log ip from me to any out
> - set:
> sysctl net.inet.ip.fw.verbose=1
>
> all *inside* a jail, the firewall rules work as expected, yet
> the log entries end up in /var/log/security on the host.
>
> All the time net.inet.ip.fw.verbose on the host is set to 0.
>
> Is this intentional? Or fundamental, because there is only
> a shared host kernel with jails?
>
> Or is it a bug?
>
> I checked multiple times, the sysctl variables can be set for
> each jail and the host independently just like each can have
> its own set of firewall rules.
>
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
>
> Sophienstr. 187
> 76185 Karlsruhe
>
> Tel. +49 721 9109500
>
> https://infrastructure.punkt.de
> info@punkt.de
>
> AG Mannheim 108285
> Managing directors: Daniel Lienert, Fabian Stein
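An added audit script (not code from either poster) for the situation the reply points at: it walks the running jails and flags any that have net.inet.ip.fw.verbose=1 but no syslogd inside, since those are the jails whose "log" rule output will surface in the host's /var/log/security. It assumes FreeBSD jls(8), jexec(8) and pgrep(1), and that a vnet jail's own view of the sysctl is what governs its logging.

```shell
#!/bin/sh
# Added example, not from the thread. Report jails whose IPFW "log"
# lines will fall through to the host because verbose logging is on
# inside the jail but no syslogd is running there.
# Assumes FreeBSD jls(8), jexec(8) and pgrep(1) on the host.
set -eu

# Exit status: 0 = verbose logging handled by the jail's own syslogd,
# 1 = verbose logging on but no syslogd (lines end up on the host),
# 2 = net.inet.ip.fw.verbose is 0, so "log" rules produce nothing.
jail_log_status() {
    j=$1
    verbose=$(jexec "$j" sysctl -n net.inet.ip.fw.verbose 2>/dev/null || echo 0)
    [ "$verbose" = "1" ] || return 2
    jexec "$j" pgrep -x syslogd >/dev/null 2>&1 || return 1
    return 0
}

# Prints one line per jail; exit status is the number of leaking jails.
audit_jails() {
    leaks=0
    for entry in $(jls -n name); do
        j=${entry#name=}
        status=0
        jail_log_status "$j" || status=$?
        case $status in
        0) echo "$j: verbose=1, syslogd running inside the jail" ;;
        1) echo "$j: verbose=1 but no syslogd; ipfw log lines will appear in the host's /var/log/security"
           leaks=$((leaks + 1)) ;;
        2) echo "$j: net.inet.ip.fw.verbose=0, ipfw log rules are silent" ;;
        esac
    done
    return "$leaks"
}

# Only run the audit where the FreeBSD jail tools exist.
if command -v jls >/dev/null 2>&1; then
    audit_jails
fi
```

The fix the reply implies is to start syslogd inside each such jail (syslogd_enable="YES" in the jail's rc.conf) so the jail collects its own ipfw log lines.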
