From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Luigi Rizzo
Cc: FreeBSD current mailing list <current@freebsd.org>
Date: Tue, 15 Dec 2009 10:09:47 +0000 (UTC)
Subject: Re: [PATCH] ipfw logging through tcpdump ?
Message-ID: <20091215095440.U86040@maildrop.int.zabbadoz.net>
In-Reply-To: <20091214235307.GA5345@onelab2.iet.unipi.it>
On Tue, 15 Dec 2009, Luigi Rizzo wrote:

> Hi,
> The following ipfw patch (which I wrote back in 2001/2002) makes
> ipfw logging possible through tcpdump -- it works by passing to the
> fake device 'ipfw0' all packets matching rules marked 'log'.
> The use is very simple -- to test it just do
>
>     ipfw add 100 count log ip from any to any
>
> and then
>
>     tcpdump -ni ipfw0
>
> will show all matching traffic.
>
> I think this is a quite convenient and flexible option, so if there
> are no objections I plan to commit it to head.

pf(4) has pflog(4). Ideally calling it the same would be good, though I
wonder, if two of the three of our firewalls grow that feature, whether
we could have a common packet logging device rather than re-doing it for
each implementation.

Frankly, I haven't looked at the details of the implementation, but I
found getting rule numbers with tcpdump -e etc. was pretty cool to
identify where things were blocked or permitted.

Also make sure that the per-VIMAGE interface will work correctly and as
expected.

/bz

-- 
Bjoern A. Zeeb
It will not break if you know what you are doing.