Date: Mon, 5 Jul 1999 08:37:24 GMT
From: Florian Uhl <ankh@byron.fachschaften.uni-muenchen.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/12517: ipfw should not log to console
Message-ID: <199907050837.IAA99970@byron.fachschaften.uni-muenchen.de>

>Number: 12517
>Category: kern
>Synopsis: ipfw should not log to console when using the 'log' keyword but does (sort of documented)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 4 23:40:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Florian Uhl
>Release: FreeBSD 3.2-STABLE i386
>Organization:
Department of Computer Sciences at University Munich/Germany
>Environment:

FreeBSD byron 3.2-STABLE FreeBSD 3.2-STABLE #0: Sun Jun 27 17:40:55 GMT 1999

>Description:

When using the 'log' keyword for ipfw rules, ipfw logs not only via
syslog (using !ipfw notation) but to the console as well (this is the
documented behaviour). On a medium to high traffic machine this
generates _a lot_ of totally unnecessary messages on the console. None
of them is really critical or something like that. Anyway, applications
should not log to the console at all but to syslog alone. If I want
some application to log to the console, I will tell syslogd to do so.

From the 'ipfw' man page:

| If the kernel was compiled with IPFIREWALL_VERBOSE, then when a packet
| matches a rule with the log keyword a message will be printed on the con-
| sole.

From my kernel configuration:

| [byron: /usr/src/sys/i386/conf] grep FIREWALL BYRON
| options IPFIREWALL
| options IPFIREWALL_DEFAULT_TO_ACCEPT

Nothing about VERBOSE.

Next paragraph from 'man ipfw':

| Console logging and the log limit are adjustable dynamically through the
| sysctl(8) interface.

This means console logging is the only logging method!?

From sysctl:

| [byron: /usr/src/sys/i386/conf] sysctl -a | egrep -v ^ipfw | egrep fw\.
| net.inet.ip.fw.debug: 0
| net.inet.ip.fw.one_pass: 1
| net.inet.ip.fw.verbose: 1
| net.inet.ip.fw.verbose_limit: 0

There is nothing about console at all. If I set net.inet.ip.fw.verbose
to 0, it doesn't log anything. Not what I want, either.

>How-To-Repeat:

ipfw add allow log tcp from any to any

>Fix:

Add sysctl net.inet.ip.fw.logconsole.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message