From owner-freebsd-doc@freebsd.org Tue Mar 22 01:52:25 2016
Subject: Re: Handbook section 29.4.1 Enabling IPFW
From: Wout Decré <wout@canodus.be>
To: Chris Jordan
Cc: freebsd-doc@freebsd.org
Date: Tue, 22 Mar 2016 02:52:21 +0100
Message-ID: <1458611541.3549.9.camel@canodus.be>
References: <1458577873.3661.20.camel@canodus.be>
Organization: Canodus
List-Id: Documentation project

On Mon, 2016-03-21 at 17:39 -0400, Chris Jordan wrote:
> On Mon, Mar 21, 2016 at 12:31 PM, Wout Decré wrote:
>
> > On Mon, 2016-03-21 at 11:38 -0400, Chris Jordan wrote:
> > > I'm coming back to FreeBSD after many years away and I am setting up a new
> > > system with 10-2-release.
> > >
> > > I was reading through Handbook section 29.4.1 "Enabling IPFW" and it says:
> > > "To enable logging, include this line in
> > > /etc/rc.conf: firewall_logging="YES"". That didn't seem to work for me, so
> > > I went looking through /etc/rc.firewall, and found it's looking for a line
> > > like "firewall_logdeny="YES" instead, but it's only checking for that for
> > > the case where firewall_type="workstation".
> >
> > IPFW logging is enabled in /etc/rc.d/ipfw:
> >
> >     if checkyesno firewall_logging; then
> >         echo 'Firewall logging enabled.'
> >         sysctl net.inet.ip.fw.verbose=1 >/dev/null
> >     fi
> >
> > Should work putting firewall_logging="YES" in rc.conf. By default, logs
> > are written to /var/log/security.
>
> Ah, I see, thanks. The difference is that when I set
> "firewall_logdeny="YES"" in rc.conf, then /etc/rc.firewall both sets
> net.inet.ip.fw.verbose=1 and sets a firewall rule for "65500 deny log
> logamount 500 ip from any to any", while if I set "firewall_logging="YES""
> then the firewall rule is "65500 deny ip from any to any" so nothing gets
> logged. I suppose it's not a problem if you're modifying /etc/rc.firewall
> to set your own rules anyway, but in the simple case it's a bit unclear.
> I've only tried it where "firewall_type="workstation"", the other
> firewall_types appear to have different default logging behavior.

Yes, firewall_logdeny is used by the "workstation" type. See
/etc/defaults/rc.conf for other options as well. I would suggest making
use of these options instead of modifying /etc/rc.firewall. Or, make use
of a custom script instead of the firewall types:

    firewall_script="/etc/ipfw.rules"

You need to add the "log" keyword for IPFW to log an entry. An example
using a script is available in the Handbook.

Good luck
Wout

> Chris Jordan
> _______________________________________________
> freebsd-doc@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-doc
> To unsubscribe, send any mail to "freebsd-doc-unsubscribe@freebsd.org"
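Following the suggestion above of a custom firewall_script, here is an added example ruleset that is not the Handbook's script nor code from this thread; it ties the "log" keyword to the net.inet.ip.fw.verbose sysctl that firewall_logging="YES" sets. The interface em0, the rule numbers and the helper names (rule, load_rules, logging_effective) are assumptions.

```shell
#!/bin/sh
# Constructed example of a custom ruleset for firewall_script="/etc/ipfw.rules".
# Not the Handbook's script: em0, the rule numbers and the helper names are
# assumptions. Set IPFW=echo to print the rules instead of loading them.
IPFW="${IPFW:-/sbin/ipfw -q}"
ext_if="em0"        # assumption: external interface
logamount="500"     # same per-rule cap rc.firewall uses for its final deny rule

rule() {
    # $1 is the rule number, the rest is the rule body handed to "ipfw add"
    num="$1"; shift
    $IPFW add "$num" "$@"
}

load_rules() {
    $IPFW -f flush
    rule 00100 allow ip from any to any via lo0
    # "log" is what makes a match show up in /var/log/security; without it a
    # rule stays silent even though firewall_logging="YES" set verbose=1.
    rule 00200 deny log logamount "$logamount" ip from any to 127.0.0.0/8 in
    rule 00300 check-state
    rule 00400 allow tcp from me to any out via "$ext_if" setup keep-state
    rule 00500 allow udp from me to any 53 out via "$ext_if" keep-state
    rule 00600 allow icmp from any to any icmptypes 0,3,8,11
    # Same final rule the "workstation" type installs with firewall_logdeny="YES"
    rule 65500 deny log logamount "$logamount" ip from any to any
}

# Succeeds only when both halves of logging are in place: the sysctl that
# firewall_logging="YES" sets (pass its value as $1, or read it live) and the
# "log" keyword on the catch-all deny rule.
logging_effective() {
    verbose="${1:-$(sysctl -n net.inet.ip.fw.verbose 2>/dev/null)}"
    [ "$verbose" = "1" ] || return 1
    ( IPFW=echo; load_rules ) | grep -q '^add 65500 deny log '
}
```

Run `IPFW=echo sh /etc/ipfw.rules` style previews before loading, and `logging_effective` after boot to confirm that a verbose=1 sysctl is paired with a logging deny rule.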