From: James Snow <snow@teardrop.org>
To: Zoran Kolic
cc: freebsd-security@freebsd.org
Date: Wed, 17 Nov 2004 10:12:42 -0500
Subject: Re: ipfw logging
Message-ID: <20041117151242.GB36240@teardrop.org>
References: <20041115065524.GA972@faust.net>
In-Reply-To: <20041115065524.GA972@faust.net>

On Mon, Nov 15, 2004 at 07:55:24AM +0100, Zoran Kolic wrote:
> Hi all!
> After installing 5.3 I've noticed
> some change in firewall logging.
> Prior (on 5.2) rules gave me what
> I needed: trimmed to 3 of the same
> connection. Every new connection
> on the same rule gave a new log line
> up to 3. I have in kernel:
> FIREWALL
> FIREWALL_VERBOSE
> FIREWALL_VERBOSE_LIMIT=3
> Now, all connections on the same
> rule are trimmed to 3. Is it possible
> on 5.3 to have all connections
> logged, but no more than 3 of the
> same?
> Just a little annoyance... I'd
> rather see what was blocked. New
> is even the line:
> "ipfw: limit 3 reached on entry 1500"
> Can I do something to have the old way
> of logging back?
> Best regards

This may or may not help you with your situation, but I found it to be a
considerable step up from setting these options in the kernel:

As of 5.3 (or perhaps earlier - I first noticed it in 5.3) you can edit
net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit via sysctl.
Perhaps you'll have some luck fiddling with the value of
net.inet.ip.fw.verbose_limit.

Hope that helps.

-Snow
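The practical consequence of the per-rule log limit discussed in this thread is that, once "ipfw: limit N reached on entry R" appears, later matches on rule R are still blocked but no longer logged. The following script is an added example (not from either poster) that summarises ipfw syslog lines per rule and flags the rules whose log counter has been exhausted, so an operator can tell where the log has gone silent. The log lines are constructed samples in the FreeBSD 5.x "ipfw: <rule> <action> ..." format; the interface name, addresses and rule numbers are made up for illustration.

```shell
#!/bin/sh
# Added example: summarise ipfw syslog output per rule and flag rules whose
# verbose_limit has been reached (their later matches are not logged).

# Constructed sample log lines (not real traffic); rule 1500 hits its limit of 3.
SAMPLE_LOG='Nov 17 10:01:02 gw kernel: ipfw: 1500 Deny TCP 10.0.0.5:3344 192.168.1.2:22 in via fxp0
Nov 17 10:01:03 gw kernel: ipfw: 1500 Deny TCP 10.0.0.5:3345 192.168.1.2:22 in via fxp0
Nov 17 10:01:04 gw kernel: ipfw: 1500 Deny TCP 10.0.0.6:4000 192.168.1.2:22 in via fxp0
Nov 17 10:01:04 gw kernel: ipfw: limit 3 reached on entry 1500
Nov 17 10:02:10 gw kernel: ipfw: 2000 Deny UDP 10.0.0.7:53 192.168.1.2:53 in via fxp0'

# ipfw_log_summary: read log lines on stdin, print one line per rule with the
# number of logged matches, marking rules whose log limit was reached.
ipfw_log_summary() {
    awk '
    # "ipfw: limit N reached on entry R" -> remember that rule R is capped.
    /ipfw: limit [0-9]+ reached on entry [0-9]+/ { capped[$NF] = 1; next }
    # "ipfw: R Deny ..." -> count a logged match for rule R.
    /ipfw: [0-9]+ / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { rule = $(i + 1); break }
        hits[rule]++
    }
    END {
        for (r in hits) {
            flag = (r in capped) ? " (log limit reached; later matches NOT logged)" : ""
            printf "rule %s: %d logged%s\n", r, hits[r], flag
        }
    }' | LC_ALL=C sort
}

# ipfw_capped_rules: print just the rule numbers whose log limit was reached.
ipfw_capped_rules() {
    sed -n 's/.*ipfw: limit [0-9][0-9]* reached on entry \([0-9][0-9]*\).*/\1/p' | LC_ALL=C sort -u
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | ipfw_log_summary
```

In real use, feed it /var/log/security (or wherever syslog puts kernel ipfw messages) instead of the sample. Rules it reports as capped have stopped logging; raising net.inet.ip.fw.verbose_limit via sysctl as suggested above changes the cap for new counters, and `ipfw resetlog` (a standard ipfw subcommand, not mentioned in the thread) clears the per-rule log counters so logging resumes.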