From owner-freebsd-bugs@FreeBSD.ORG Wed Feb 11 07:17:51 2004
From: "JJB"
Reply-To: Barbish3@adelphia.net
Date: Wed, 11 Feb 2004 10:17:50 -0500
In-Reply-To: <40297213.70809@web.de>
cc: iedowse@maths.tcd.ie
Subject: RE: kern/62598: no logging on ipfw loadable module
List-Id: Bug reports

Some explanation is in order here. When I boot the system with this in rc.conf and ipfw not compiled into my kernel:

firewall_enable="YES"
firewall_script="/etc/ipfw.rules.test52"
firewall_logging="YES"

this white highlighted message is displayed on the screen as part of the boot process:

IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

Since this message never showed up before, I took it to mean it was issued by the ipfw loadable module as it was automatically loaded at boot time.
It says as plain as day that logging is disabled. Now I did not test any further, as I believed what that message said. I just figured that the loadable module was compiled without logging, just like the message says. Why would anybody who read that message believe anything different?

Well, after your responses I reran the same test again, but this time I only added one rule:

ipfw add allow log all from any to any

and you are correct, logging is functioning. So it would seem that the ipfw loadable module was compiled with logging ability.

So I want to modify my problem report to say the message that is issued during the boot process when the ipfw loadable module is being enabled needs to be corrected, for it is incorrect and misleading. Is this email sufficient to modify my PR, or what do I have to do to modify it?

Thank you for taking the time and making the effort in helping me to clarify the root of this problem. Wish more people who worked the reported problems were like you two.

Joe

-----Original Message-----
From: Friedemann.Becker@web.de [mailto:Friedemann.Becker@web.de]
Sent: Tuesday, February 10, 2004 7:07 PM
To: joe; freebsd-bugs@freebsd.org
Subject: Re: kern/62598: no logging on ipfw loadable module

joe wrote:
>>Number: 62598
>>Category: kern
>[...]
>
> By original design, it's not supposed to be a mandatory requirement that you enable
> IPFW by compiling its options into your customized FBSD kernel. IPFW
> is included in the basic FBSD install as a separate run time loadable module.
> For some unknown reason the loadable module was compiled with logging disabled.
> This means the loadable IPFW module has absolutely no logging available. This
> configuration is non-logical, does not reflect the needs of the majority of
> IPFW users, and is pretty much useless. A firewall without logging ability is
> just plain unheard of.
The precompiled module comes with preset compile-time options, but have you tried the corresponding sysctl variables in net.inet.ip.fw, especially net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit? See the manpage, section "RULE FORMAT", command "log", for details.

Friedemann
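As an added example that is not part of the thread above (and not FreeBSD's own rc.d code), the following POSIX sh script turns Friedemann's advice into a check a practitioner can run: it reads the two sysctls that actually govern ipfw logging (net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit), classifies the result, and separately checks an rc.conf file for the firewall_logging knob that the boot scripts use to set verbose=1. It goes slightly beyond the thread by also accepting the other boolean spellings rc.subr treats as true. The assumption behind the script, which the thread itself does not state, is that the "logging disabled" text in the boot banner reflects the value of net.inet.ip.fw.verbose at the moment the module initializes, i.e. before firewall_logging="YES" has been applied, so the banner and the live sysctl can legitimately disagree. The function names and the sample sysctl output are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Assumption: the boot banner reports net.inet.ip.fw.verbose as it was at
# module load; /etc/rc.d/ipfw applies firewall_logging="YES" afterwards.

# ipfw_logging_state VERBOSE VERBOSE_LIMIT
# Prints "disabled", "unlimited" or "limited:<n>", mirroring how the two
# sysctls combine: verbose=0 means no rule with "log" ever logs; verbose=1
# with verbose_limit=0 logs without a cap; otherwise each rule logs at most
# verbose_limit packets until its counter is reset (ipfw resetlog).
ipfw_logging_state() {
    verbose=$1
    limit=$2
    if [ "$verbose" -eq 0 ]; then
        echo disabled
    elif [ "$limit" -eq 0 ]; then
        echo unlimited
    else
        echo "limited:$limit"
    fi
}

# logging_state_from_sysctl
# Reads "name: value" lines (the format sysctl(8) prints) from stdin and
# classifies them with ipfw_logging_state. Missing keys default to 0, so
# output from a host without ipfw loaded reads as "disabled".
logging_state_from_sysctl() {
    v=0
    l=0
    while IFS= read -r line; do
        case $line in
            net.inet.ip.fw.verbose_limit:*) l=${line##*: } ;;
            net.inet.ip.fw.verbose:*)       v=${line##*: } ;;
        esac
    done
    ipfw_logging_state "$v" "$l"
}

# rc_conf_logging FILE
# Prints "yes" if FILE enables firewall_logging, else "no". The last
# uncommented assignment wins, as it would when rc sources the file, and
# the value is judged the way rc.subr's checkyesno does (yes/true/on/1).
rc_conf_logging() {
    val=$(sed -n "s/^[[:space:]]*firewall_logging=[\"']*\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    case $val in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo yes ;;
        *) echo no ;;
    esac
}

# Live use on a FreeBSD host with ipfw loaded; silently skipped elsewhere.
# Compare this with the "logging ..." word in the boot banner: if the banner
# said "disabled" but this prints "unlimited", the banner was printed before
# rc.d/ipfw set verbose=1, and a rule with the "log" keyword will log.
if sysctl -n net.inet.ip.fw.verbose >/dev/null 2>&1; then
    sysctl net.inet.ip.fw.verbose net.inet.ip.fw.verbose_limit | logging_state_from_sysctl
    [ -r /etc/rc.conf ] && echo "rc.conf firewall_logging: $(rc_conf_logging /etc/rc.conf)"
fi
```

Two things still have to be true for a log line to appear, whichever way the sysctl was set: the rule itself must carry the `log` keyword (as in the `ipfw add allow log all from any to any` rule Joe tested with), and syslogd must be delivering the security facility somewhere you are looking, typically /var/log/security.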