From owner-freebsd-questions@FreeBSD.ORG Tue Sep 9 05:43:45 2003
Date: Tue, 9 Sep 2003 13:42:43 +0100
From: Matthew Seaman
To: Wayne Pascoe
Cc: freebsd-questions@freebsd.org
Subject: Re: Logging and IPFW
Message-ID: <20030909124243.GC20373@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030909113447.GB17219@marvin.penguinpowered.org>
User-Agent: Mutt/1.5.4i
On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:
> I'm trying to set up logging with IPFW. I've not compiled IPFW into my
> kernel, but am instead using the ipfw.ko module.
>
> I have the following sysctl variables set:
> net.inet.ip.fw.verbose=1
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> However, I am still not seeing anything in /var/log/messages when I
> portscan the machine. The firewall appears to be working, as we receive
> nothing back on the portscanning machine, but I would like logging
> enabled.

Try /var/log/security or /var/log/all.log if you've enabled the all.log by
following the instructions in /etc/syslog.conf.

Remember too that ipfw(8) will only log a certain number of hits against a
particular rule, which is a sensible measure designed to prevent a DoS
against your machine by filling up the disk space logging a great flood of
similar packets. That's controlled by the IPFIREWALL_VERBOSE_LIMIT option in
your kernel config, or by the net.inet.ip.fw.verbose_limit sysctl. I tend to
think that the example limit of 128 is too low, and bump that up to 1024.

Remember to run 'ipfw resetlog' at regular intervals to re-enable logging on
any rule that has hit the limit. Just slap together a /etc/daily.local script
that needn't be any more complicated than this:

    #!/bin/sh

    # Fixed PATH so the script does not depend on cron's environment
    PATH=/usr/bin:/bin:/sbin ; export PATH

    # Clear the per-rule log counters so rules that hit verbose_limit log again
    ipfw resetlog

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks                       PGP: http://www.infracaninophile.co.uk/pgpkey
Savill Way
Marlow                                Tel: +44 1628 476614
Bucks., SL7 1TH UK
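The per-rule log limit Matthew describes has a visible side effect in the log file itself: once a rule's counter reaches net.inet.ip.fw.verbose_limit, the kernel writes a "limit N reached on entry M" line and that rule goes quiet until ipfw resetlog is run. The script below is an added example, not code from the post or from FreeBSD; it parses a constructed sample of /var/log/security lines, assumes the ipfw syslog formats "ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>" and "ipfw: limit <N> reached on entry <rule>", and reports which rules have stopped logging and which sources are being denied most, so an administrator can tell whether silence in the log means no traffic or an exhausted counter.

```python
import re
from collections import Counter

# Constructed sample of /var/log/security lines (not from the thread); the line
# layout is assumed from FreeBSD's ipfw kernel log messages of this period.
SAMPLE_LOG = """\
Sep  9 13:40:01 marvin kernel: ipfw: 300 Deny TCP 10.1.2.3:4567 192.0.2.10:22 in via fxp0
Sep  9 13:40:01 marvin kernel: ipfw: 300 Deny TCP 10.1.2.3:4568 192.0.2.10:23 in via fxp0
Sep  9 13:40:02 marvin kernel: ipfw: 300 Deny TCP 10.1.2.3:4569 192.0.2.10:25 in via fxp0
Sep  9 13:40:02 marvin kernel: ipfw: 400 Deny UDP 10.1.2.3:53 192.0.2.10:53 in via fxp0
Sep  9 13:40:03 marvin kernel: ipfw: limit 128 reached on entry 300
Sep  9 13:41:00 marvin kernel: ipfw: 100 Accept TCP 198.51.100.7:51000 192.0.2.10:80 in via fxp0
Sep  9 13:41:05 marvin sshd[123]: unrelated syslog line that must be ignored
"""

# One logged packet: rule number, action, protocol, source, destination, direction, interface.
# Protocol is \S+ because ICMP entries carry "ICMP:type.code"; src/dst may lack a port.
HIT_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
# The kernel's notice that a rule's log counter reached verbose_limit.
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")


def parse_ipfw_log(text):
    """Summarise ipfw log lines: hits per rule, denied packets per source IP,
    and the rules whose log counter has been exhausted."""
    hits = Counter()
    denies_by_src = Counter()
    limit_reached = {}
    for line in text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            limit_reached[int(m.group("rule"))] = int(m.group("limit"))
            continue
        m = HIT_RE.search(line)
        if not m:
            continue  # not an ipfw packet line
        rule = int(m.group("rule"))
        hits[rule] += 1
        if m.group("action").lower() == "deny":
            # Strip the ":port" suffix if present (ICMP entries have none).
            src_ip = m.group("src").rsplit(":", 1)[0]
            denies_by_src[src_ip] += 1
    return {"hits": hits, "denies_by_src": denies_by_src, "limit_reached": limit_reached}


def rules_needing_resetlog(summary):
    """Rules that hit verbose_limit and will stay silent until 'ipfw resetlog'
    (ipfw(8) also accepts a rule number to reset one counter) clears them."""
    return sorted(summary["limit_reached"])


def report(summary, top_n=3):
    """Human-readable lines for a daily check; returned rather than printed."""
    lines = []
    for rule, n in sorted(summary["hits"].items()):
        note = ""
        if rule in summary["limit_reached"]:
            note = f"  (limit {summary['limit_reached'][rule]} reached: later hits are NOT logged)"
        lines.append(f"rule {rule}: {n} logged packet(s){note}")
    for src, n in summary["denies_by_src"].most_common(top_n):
        lines.append(f"denied packets from {src}: {n}")
    return lines


if __name__ == "__main__":
    summary = parse_ipfw_log(SAMPLE_LOG)
    for line in report(summary):
        print(line)
    print("rules needing 'ipfw resetlog':", rules_needing_resetlog(summary))
```

Run against the real file with `parse_ipfw_log(open("/var/log/security").read())`; a rule listed by rules_needing_resetlog is the case Matthew's daily.local script exists for, and a rule with zero hits while a scan is in progress points at the syslog destination rather than at the firewall.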