Re: bin/116458: [ipfw]: Logging problems with syslog and ipfw an 6.2.REL-p5
Dear FreeBSD friends,

On Wed, Sep 19, 2007 at 02:39:59PM +0400, Sergey Matveychuk wrote:
> Andrey V. Elsukov wrote:
> >Remko Lodder wrote:
> > > > bge0 is running in promisc mode because of dsc which is running.
> > > >
> > > > sample content of /var/log/messages
> > > > Sep 14 12:00:00 ns2 newsyslog[94585]: logfile turned over due to size>100K
> > > > Sep 14 12:00:02 ns2 kernel: 5
> > > > Sep 14 12:00:05 ns2 kernel:
> > > > Sep 14 12:00:05 ns2 kernel: 7
> > > > Sep 14 12:00:08 ns2 kernel:
> > > > Sep 14 12:00:08 ns2 kernel: 9
> > > > Sep 14 12:00:11 ns2 kernel: 8
> > > > Sep 14 12:00:14 ns2 kernel:
> > > > Sep 14 12:00:14 ns2 kernel: e0
> > > > Sep 14 12:00:15 ns2 kernel: a bge0
> > > > Sep 14 12:00:15 ns2 kernel: e0
> > > > Sep 14 12:00:15 ns2 kernel: <
> >
> >This problem is not related to the ipfw. But you can try this patch:
> >http://people.yandex-team.ru/~sem/FreeBSD/kernel/log_mutex.diff
> >
> >Please, report back if it will help you.
> >
> The same patch is in kern/116310.
>

I have the same problem as well. I have noted it for at least 6 -- 12 months now, but I was too lazy to mention it. I will try the patch as well. Let's see what will happen.
Sep 11 23:37:46 rose kernel: <11C>ipfw: 600 Accept TCP 10.X.X.2:445 10.X.X.54:1032 out via tap0
Sep 11 23:37:47 rose kernel: 1032 out via tap0
Sep 11 23:37:48 rose kernel: t via tap0
Sep 11 23:37:48 rose kernel: in via tap0
Sep 11 23:37:49 rose kernel: via tap0
Sep 11 23:37:49 rose kernel: v
Sep 11 23:37:49 rose kernel: via tap0
Sep 11 23:37:49 rose kernel: 00 Accept TCP 10.X.X.2:445 10.X.X.54:1032 out via tap0
Sep 11 23:37:49 rose kernel: t via tap0
Sep 11 23:37:50 rose last message repeated 2 times
Sep 11 23:37:50 rose kernel: n via tap0
Sep 11 23:37:51 rose kernel: via tap0
Sep 11 23:37:51 rose kernel: t via tap0
Sep 11 23:37:52 rose last message repeated 7 times
Sep 11 23:37:52 rose kernel: TCP 10.X.X.2:445 10.X.X.54:1032 out via tap0
Sep 11 23:37:52 rose kernel: ipfw: limit 10 reached on entry 600

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Willy

*
W.K. Offermans
Home: +31 45 544 49 44
Mobile: +31 653 27 16 23
e-mail: [EMAIL PROTECTED]
Powered by www.FreeBSD.org

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
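The torn lines above are what an operator has to sift through after the fact. The following is an added example, not code from the thread or from FreeBSD: it classifies syslog lines into intact ipfw records, the "limit reached" notice, syslog repeat markers and torn fragments, so the unreliable stretch of a log can be counted rather than guessed at. The sample log, hostnames and addresses are constructed to mirror the excerpt.

```python
import re
from collections import Counter

# Constructed sample modelled on the /var/log/messages excerpt in the thread:
# intact ipfw records mixed with the torn tails of records lost to a concurrent printf.
SAMPLE_LOG = """\
Sep 11 23:37:46 rose kernel: ipfw: 600 Accept TCP 10.0.0.2:445 10.0.0.54:1032 out via tap0
Sep 11 23:37:47 rose kernel: 1032 out via tap0
Sep 11 23:37:48 rose kernel: t via tap0
Sep 11 23:37:49 rose kernel: v
Sep 11 23:37:50 rose last message repeated 2 times
Sep 11 23:37:52 rose kernel: ipfw: limit 10 reached on entry 600
Sep 11 23:37:53 rose kernel: ipfw: 200 Deny UDP 192.168.100.254:138 192.168.100.255:138 in via sis0
Sep 11 23:37:54 rose kernel: sis0: link state changed to UP
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<tag>kernel: |last message repeated )(?P<msg>.*)$")
# Shape of a complete ipfw TCP/UDP record as it appears in the thread.
IPFW_RE = re.compile(r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$")
LIMIT_RE = re.compile(r"^ipfw: limit \d+ reached on entry \d+$")

def classify(line):
    """Return (kind, fields); kind is ipfw, limit, repeat, fragment or other."""
    m = SYSLOG_RE.match(line)
    if not m:
        return "other", {}
    if m.group("tag").startswith("last message repeated"):
        return "repeat", {}
    msg = re.sub(r"^<[^>]{1,4}>", "", m.group("msg"))  # drop a <prio> prefix
    rec = IPFW_RE.match(msg)
    if rec:
        return "ipfw", rec.groupdict()
    if LIMIT_RE.match(msg):
        return "limit", {}
    # An ipfw-style " via <iface>" tail without an "ipfw:" head, or an untagged scrap, is a torn record.
    if " via " in msg or (len(msg) <= 12 and ":" not in msg):
        return "fragment", {"text": msg}
    return "other", {}

def summarize(text):
    """Count line kinds and collect the intact ipfw records of a log excerpt."""
    counts, records = Counter(), []
    for line in text.splitlines():
        kind, fields = classify(line)
        counts[kind] += 1
        if kind == "ipfw":
            records.append(fields)
    return {"counts": counts, "records": records}
```

A non-zero fragment count marks a stretch of log whose rule numbers and addresses are unrecoverable, which matters when the log is later used as evidence of what the firewall actually matched.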
Re: Why ipfw didn't filter neither log DHCP packets ?
Hello Olivier and FreeBSD friends,

On Mon, Jan 05, 2015 at 11:33:18AM +0100, Olivier Cochard-Labbé wrote:
> I'm using a pretty simple configuration:
>
> My rc.conf:
> ifconfig_sis0="DHCP"
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_script="/etc/ipfw.rules"
>
> My /etc/ipfw.rules:
> #!/bin/sh
> fwcmd="/sbin/ipfw -q"
> ${fwcmd} -f flush
> ${fwcmd} add pass ip from any to any via lo0
> ${fwcmd} add deny log ip from any to any
>
> But after a reboot this machine is still able to get an IP address by DHCP
> and nothing (related to DHCP) is logged on the firewall:
>
> [root@wrap]~# ifconfig sis0
> sis0: flags=8843 metric 0 mtu 1500
> options=83808
> ether 00:0d:b9:02:76:58
> inet 192.168.100.68 netmask 0xff00 broadcast 192.168.100.255
> media: Ethernet autoselect (100baseTX )
> status: active
>
> [root@wrap]~# ipfw show
> 00100 00 allow ip from any to any via lo0
> 00200 4 1631 deny log ip from any to any
> 65535 00 deny ip from any to any
>
> [root@wrap]~# cat /var/log/security
> Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
> Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> 192.168.100.255:138 in via sis0
>
> I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
>
> Are DHCP packets excluded from the filtering/logging engine of ipfw?

I guess that the dhcp daemon is started before the firewall is started or, better, before the firewall rules are applied.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
W.K. Offermans
Home: +31 45 544 49 44
Mobile: +31 681 15 87 68
Mobile: +49 1575 414 60 55
e-mail: wi...@offermans.rompen.nl
Re: Why ipfw didn't filter neither log DHCP packets ?
Hello Luigi and FreeBSD friends,

I am top posting.

So there might be a chance that something slips through the firewall between the start of the firewall and after the bpf traffic of dhclient. Once the NIC is configured, traffic is possible in principle. Would it be better to start the bpf traffic of dhclient after the firewall runs? In the latter case, all will or can work as expected. If yes, how should this be set? Should one set REQUIRE: firewall in /etc/rc.d/dhclient? But there seems to be no firewall daemon present. So I'm not sure how this should work.

On Mon, Jan 05, 2015 at 01:04:58PM +0100, Luigi Rizzo wrote:
> dhclient uses bpf to send and receive traffic,
> and that acts before the firewall has a chance
> to see the packets.
>
> There is a chance that incoming packets are
> also passed to the network stack, but they
> are probably discarded before the firewall
> because the interface does not have an address yet.
>
> cheers
> luigi
>
>
> On Mon, Jan 5, 2015 at 11:33 AM, Olivier Cochard-Labbé wrote:
>
> > I'm using a pretty simple configuration:
> >
> > My rc.conf:
> > ifconfig_sis0="DHCP"
> > firewall_enable="YES"
> > firewall_logging="YES"
> > firewall_script="/etc/ipfw.rules"
> >
> > My /etc/ipfw.rules:
> > #!/bin/sh
> > fwcmd="/sbin/ipfw -q"
> > ${fwcmd} -f flush
> > ${fwcmd} add pass ip from any to any via lo0
> > ${fwcmd} add deny log ip from any to any
> >
> > But after a reboot this machine is still able to get an IP address by DHCP
> > and nothing (related to DHCP) is logged on the firewall:
> >
> > [root@wrap]~# ifconfig sis0
> > sis0: flags=8843 metric 0 mtu 1500
> > options=83808
> > ether 00:0d:b9:02:76:58
> > inet 192.168.100.68 netmask 0xff00 broadcast 192.168.100.255
> > media: Ethernet autoselect (100baseTX )
> > status: active
> >
> > [root@wrap]~# ipfw show
> > 00100 00 allow ip from any to any via lo0
> > 00200 4 1631 deny log ip from any to any
> > 65535 00 deny ip from any to any
> >
> > [root@wrap]~# cat /var/log/security
> > Jan 1 01:16:45 wrap newsyslog[923]: logfile first created
> > Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> > 192.168.100.255:138 in via sis0
> > Jan 1 01:17:18 wrap kernel: ipfw: 200 Deny UDP 192.168.100.254:138
> > 192.168.100.255:138 in via sis0
> >
> > I've got the same behavior on FreeBSD 8.2 and 11.0-CURRENT r275821.
> >
> > Are DHCP packets excluded from the filtering/logging engine of ipfw?
>
>
> --
> -+---
> Prof. Luigi RIZZO, ri...@iet.unipi.it . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
> TEL +39-050-2211611 . via Diotisalvi 2
> Mobile +39-338-6809875 . 56122 PISA (Italy)
> -+---

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Wiel

*
W.K. Offermans