On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:
> I'm trying to set up logging with IPFW. I've not compiled IPFW into my
> kernel, but am instead using the ipfw.ko module.
>
> I have the following sysctl variables set:
> net.inet.ip.fw.verbose=1
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> However, I am still not seeing anything in /var/log/messages when I
> portscan the machine. The firewall appears to be working, as we receive
> nothing back on the portscanning machine, but I would like logging
> enabled.
Try /var/log/security or /var/log/all.log if you've enabled the all.log by
following the instructions in /etc/syslog.conf.

Remember too that ipfw(8) will only log a certain number of hits against a
particular rule, which is a sensible measure designed to prevent a DoS
against your machine by filling up the disk space logging a great flood of
similar packets. That's controlled by the IPFIREWALL_VERBOSE_LIMIT option
in your kernel config, or by the net.inet.ip.fw.verbose_limit sysctl. I
tend to think that the example limit of 128 is too low, and bump that up
to 1024.

Remember to run 'ipfw resetlog' at regular intervals to re-enable logging
on any rule that has hit the limit. Just slap together a /etc/daily.local
script that needn't be any more complicated than this:

    #!/bin/sh
    PATH=/usr/bin:/bin:/sbin ; export PATH
    ipfw resetlog

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
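An added check, not part of the original thread or of anything Matthew posted: with net.inet.ip.fw.verbose=1, ipfw(8) only logs packets that match rules carrying the `log` keyword, so a deny rule written without `log` stays silent whatever the sysctls say, and the kernel's default rule 65535 cannot be edited, so a `deny log` rule has to be added in front of it. The POSIX sh below audits an `ipfw list` listing for deny/reject/reset rules that lack `log`, and checks the two sysctls against a minimum verbose_limit (1024 here, following the suggestion above; 0 in the sysctl means no limit). The ruleset and sysctl outputs are constructed samples; on a live host feed the functions the real `ipfw list` and `sysctl net.inet.ip.fw.verbose net.inet.ip.fw.verbose_limit` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit ipfw logging configuration
# offline from captured text. Assumes the plain `ipfw list` line layout
# "<number> <action> [log [logamount N]] <body>" and "name: value" sysctl output.

# Print the rule numbers of deny/reject/reset rules that carry no `log` keyword.
# stdin: `ipfw list` output, one rule per line.
unlogged_deny_rules() {
    awk '
        $2 == "deny" || $2 == "drop" || $2 == "reject" || $2 == "reset" || $2 == "unreach" {
            if ($3 != "log") print $1
        }'
}

# Check the two sysctls that gate ipfw logging.
# $1: minimum acceptable verbose_limit (a sysctl value of 0 means unlimited).
# stdin: sysctl output in "name: value" form.
# Returns 0 when verbose=1 and the limit is 0 or >= $1; otherwise prints why and returns 1.
check_ipfw_logging_sysctls() {
    awk -v min="$1" '
        BEGIN { rc = 0; verbose = ""; limit = "" }
        $1 == "net.inet.ip.fw.verbose:"       { verbose = $2 }
        $1 == "net.inet.ip.fw.verbose_limit:" { limit = $2 }
        END {
            if (verbose != 1) {
                print "net.inet.ip.fw.verbose is not 1: nothing is logged"; rc = 1
            } else if (limit != 0 && limit + 0 < min + 0) {
                print "net.inet.ip.fw.verbose_limit=" limit " is below " min ": rules go quiet early; raise it and run ipfw resetlog"; rc = 1
            } else {
                print "ipfw logging sysctls ok"
            }
            exit rc
        }'
}

# Constructed sample ruleset (not captured from a real host).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny log ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 allow tcp from any to me 22 setup
65000 deny log logamount 1024 ip from any to any
65535 deny ip from any to any'

# Constructed sysctl output: the 128 limit from the kernel config example, and a raised one.
SAMPLE_SYSCTL_LOW='net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 128'

SAMPLE_SYSCTL_OK='net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 1024'

# Demo when run directly: rules 00300 and 65535 are reported, the low limit is flagged.
echo "deny rules without log:"
printf '%s\n' "$SAMPLE_RULES" | unlogged_deny_rules
printf '%s\n' "$SAMPLE_SYSCTL_LOW" | check_ipfw_logging_sysctls 1024 || true
printf '%s\n' "$SAMPLE_SYSCTL_OK" | check_ipfw_logging_sysctls 1024 || true
```

Rule 65535 will always show up when the kernel was built without IPFIREWALL_DEFAULT_TO_ACCEPT; the fix is a numbered `deny log ip from any to any` just ahead of it, as rule 65000 in the sample does, not an edit of 65535 itself.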