Delivered-To: freebsd-questions@freebsd.org
From: "Micheal Patterson"
Date: Mon, 7 Jul 2003 16:30:22 -0500
Subject: Re: Logging packets dropped by IPFW

----- Original Message -----
From: "Tim Kientzle"
Sent: Monday, July 07, 2003 4:22 PM
Subject: Logging packets dropped by IPFW

> Is there any way to generate log information
> about the packets dropped by IPFW? The 'log'
> modifier doesn't seem to do anything on my
> system right now, though from what I can tell,
> it's supposed to only log the rule that was
> triggered, which isn't the same thing at all.
>
> In particular, I'd like to know the protocol
> (TCP/UDP/ICMP) and port number for dropped packets.
>
> Tim Kientzle

Tim,

options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity

You need the top option compiled in to enable logging of ipfw. The second option would limit the amount of logging that is done until you do an ipfw resetlog command. I personally comment out the limit so that I can keep a running history. This does take up more overhead on the system and disk space; however, the need for the history outweighs this.

When you're logging, the dropped packets will show you the date/time, rule that denied / accepted the entry, protocol used, source IP and port, and destination IP and port.

(Jul 7 16:26:13 discovery /kernel: ipfw: 65000 Deny TCP 67.66.xxx.xxx:4170 67.xxx.xxx.xxx:80 in via fxp0)

--
Micheal Patterson
TSG Network Administration
405-917-0600
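Added example, not part of the thread: a small Python parser for syslog lines in the ipfw format Micheal quotes, which answers Tim's question by tallying denied packets per protocol and destination port and noting when a rule hit its IPFIREWALL_VERBOSE_LIMIT. The sample lines are constructed (documentation-range addresses stand in for the masked ones); the ICMP "ICMP:type.code" field and the "limit N reached on entry M" line are assumed from ipfw's kernel logging and do not appear in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format quoted in the reply. The
# ICMP "ICMP:type.code" form and the "limit N reached" line are assumed
# from ipfw's kernel logging; neither is shown in the thread itself.
SAMPLE_LOG = """\
Jul  7 16:26:13 discovery /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4170 198.51.100.5:80 in via fxp0
Jul  7 16:26:14 discovery /kernel: ipfw: 65000 Deny UDP 192.0.2.10:53 198.51.100.5:1434 in via fxp0
Jul  7 16:26:15 discovery /kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.10 198.51.100.5 in via fxp0
Jul  7 16:26:16 discovery /kernel: ipfw: 100 Accept TCP 198.51.100.5:22 192.0.2.10:40000 out via fxp0
Jul  7 16:26:17 discovery /kernel: ipfw: limit 100 reached on entry 65000
"""

# Per-packet line: rule number, action, protocol (optionally ICMP:type.code),
# source and destination with optional :port, direction and interface.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>Deny|Accept) (?P<proto>[A-Z]+)(?::(?P<icmp>\d+\.\d+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
# Emitted once a rule has logged IPFIREWALL_VERBOSE_LIMIT packets (until ipfw resetlog).
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def parse_line(line):
    """Return a dict of fields for a per-packet ipfw line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(text):
    """Count denied packets per protocol/destination port; list rules that hit the log limit."""
    denied = Counter()
    limited = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            lm = LIMIT_RE.search(line)
            if lm:  # the rule stopped logging: counts below undercount from here on
                limited.append(int(lm.group("rule")))
            continue
        if rec["action"] == "Deny":
            key = rec["proto"] if rec["dport"] is None else f"{rec['proto']}/{rec['dport']}"
            denied[key] += 1
    return denied, limited
```

Feeding a real /var/log/security (or wherever syslog.conf sends the security facility) through summarize() gives the protocol/port breakdown Tim asked for; a non-empty limited list means the totals are a floor, not a count.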