Date:      Thu, 1 Apr 2010 18:25:23 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        freebsd-ipfw@freebsd.org, "Ass.Tec. Matik" <asstec@matik.com.br>
Subject:   Re: ipfw error in last stable version freebsd 8
Message-ID:  <20100401180631.K37370@sola.nimnet.asn.au>
In-Reply-To: <20100401002014.GA57424@onelab2.iet.unipi.it>
References:  <4BB24C86.3030709@hardonline.com.br> <20100331020943.GA47928@onelab2.iet.unipi.it> <20100331164302.GA55699@korolev-net.ru> <20100331170221.GB55010@onelab2.iet.unipi.it> <cd82fc45e95950cb83326ef7c1f28323.squirrel@wm.matik.com.br> <20100401002014.GA57424@onelab2.iet.unipi.it>

On Thu, 1 Apr 2010, Luigi Rizzo wrote:
 > On Wed, Mar 31, 2010 at 03:47:49PM -0300, Ass.Tec. Matik wrote:
 > > 
 > > 
 > > > it means that you are probably using a new kernel and an old /sbin/ipfw.
 > > > The new ipfw/dummynet has a different kernel/userland API to accommodate
 > > > some new features, and the kernel has a compatibility layer to translate
 > > > requests back and forth between the two APIs.
 > > >
 > > 
 > > 
 > > where this is coming from:
 > > 
 > > ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
 > 
 > sys/netinet/ipfw/ip_fw_log.c
 > 
 > Revision 200654 - (view) (annotate) - [select for diffs]
 > Modified Thu Dec 17 23:11:16 2009 UTC (3 months, 1 week ago) by luigi
 > 
 > Add some experimental code to log traffic with tcpdump,
 > similar to pflog(4).
 > To use the feature, just put the 'log' options on rules
 > you are interested in, e.g.
 > 
 > 	ipfw add 5000 count log ....
 > 
 > and run
 > 	tcpdump -ni ipfw0 ...
 > 
 > net.inet.ip.fw.verbose=0 enables logging to ipfw0,
 > net.inet.ip.fw.verbose=1 sends logging to syslog as before.

Which is now default?  Previously net.inet.ip.fw.verbose was conditioned 
by IPFIREWALL_VERBOSE in kernel options - has this changed?  I gather 
it's either ipfw0 or syslog, both (or neither?) not being possible?  
Does 'ipfw {en,dis}able verbose' now toggle between these two?

Thanks for this heads up, I'm soon to update my 8.0 to -stable and use 
log a lot, tailing /var/log/security for keeping an eye on some things.

While I'm at it :) have you given any more thought to disambiguating the 
overloading of net.inet.ip.fw.one_pass for both dummynet and ipfw nat?

cheers, Ian


