From: Michael Sierchio
To: freebsd-ipfw@freebsd.org
Date: Wed, 3 Oct 2012 09:51:50 -0700
Subject: logging tablearg ??
List-Id: IPFW Technical Discussions

Julian Elischer (and possibly others) - on 8.3-RELEASE-p4...

I have a table with ca. 84,000 networks, and the table arg is a classifier based on criteria the firewall ruleset doesn't care about - but I really would like to log the data. I've discovered that logging the lookup command doesn't log the table arg, just the src-ip:

ipfw add 500 skipto 65000 log logamount 0 lookup src-ip 1

The log entry looks like:

Oct 3 16:41:49 fedallah kernel: ipfw: 500 SkipTo 65000 TCP 69.109.215.188:53297 10.160.78.12:3222 in via xn0

Of course I don't have any reason to expect this to work, since it's an aspirational use of the mechanism. But I think it might be powerful and useful for folks who actually use firewall logs in support of IDS/IPS etc.

- M
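Added example, not from the mail or from ipfw itself: because the log line carries only the src-ip, the classifier value can be recovered after the fact by longest-prefix matching each logged address against a dump of the table, which is the same lookup the kernel performs. It assumes `ipfw table 1 list` prints one `addr/masklen value` entry per line; the table entries and the extra log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the "addr/masklen value" shape that `ipfw table 1 list`
# is assumed to print; networks and classifier values are made up.
TABLE_DUMP = """\
69.109.0.0/16 10
69.109.215.0/24 42
10.160.0.0/12 7
"""

# Constructed log lines in the format quoted in the mail (rule 500, SkipTo).
LOG_LINES = """\
Oct 3 16:41:49 fedallah kernel: ipfw: 500 SkipTo 65000 TCP 69.109.215.188:53297 10.160.78.12:3222 in via xn0
Oct 3 16:41:50 fedallah kernel: ipfw: 500 SkipTo 65000 UDP 69.109.3.4:5353 10.160.78.12:53 in via xn0
Oct 3 16:41:51 fedallah kernel: ipfw: 500 SkipTo 65000 TCP 192.0.2.9:40000 10.160.78.12:22 in via xn0
"""

# rule, action (with optional numeric target such as the skipto rule number),
# proto, src[:port], dst[:port], direction.
LOG_RE = re.compile(r"ipfw: (\d+) (\w+)(?: \d+)? (\w+) ([\d.]+)(?::\d+)? ([\d.]+)(?::\d+)? (in|out)")


def parse_table(dump):
    """Parse 'addr/masklen value' lines, most specific prefix first."""
    entries = []
    for line in dump.splitlines():
        if line.strip():
            net, value = line.split()
            entries.append((ipaddress.ip_network(net, strict=False), value))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(entries, addr):
    """Longest-prefix match, as the kernel table lookup does; None if no entry."""
    ip = ipaddress.ip_address(addr)
    for net, value in entries:
        if ip in net:
            return value
    return None


def annotate(log_text, entries, rule="500"):
    """Return (src_ip, tablearg) for every log line produced by the given rule."""
    result = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(1) == rule:
            src = m.group(4)
            result.append((src, lookup(entries, src)))
    return result
```

The table dump must be taken at about the same time as the log, since entries added or removed in between would change which value a logged address maps to.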