[Solved] ipfw logging gives error during startup
sdad
January 2nd, 2011, 21:16
Chapter of manual 30.6 says to add to /etc/sysctl.conf
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
During boot I get a message:
/etc/rc/d/sysctl Warning: net.inet.ip.fw.verbose doesn't exist
/etc/rc/d/sysctl Warning: net.inet.ip.fw.verbose_limit doesn't exist
How do I go about resolving this issue?
I do not have NAT enabled in rc.conf.
Besides rem'ing out the NAT section, I turned it off in ppp as well.
Boot also indicates that
Firewall logging enabled
but catch this:
in /var/log/messages
is this:
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rules based forwarding disabled, default to deny, logging disabled
What did I do wrong?
phoenix
January 4th, 2011, 03:48
GENERIC or custom kernel?
If custom, which IPFIREWALL_* options did you include?
sdad
January 4th, 2011, 04:26
GENERIC or custom kernel?
If custom, which IPFIREWALL_* options did you include?
Sorry..., I have 8.1-release, iso. Installed as minimal, elected no ports at all, didn't even set up networking during install. Still awed at how fast Free went in!
The guide says that ipfw will work as a module, no need to compile unless I want NAT, which I don't, so I didn't elect to do the kernel recompile. I really need to do that soon, however.
I just sat down from the ipfw project, having succeeded in getting logging to happen. I ended up doing several things that were not referred to in the guide book or in how-tos that are out there. ( Revisions are a great way to make written material not necessarily spot on.)
I have notes on what I did and if anyone would find these of ("dubious") value, I'll share. Keep in mind my entry level stature.
Being new I guess that I can't indicate this post is solved, but it is.
phoenix
January 4th, 2011, 23:54
I've marked it as solved.
Posting what you did to enable logging will add the info to the archives, so that future users with the same issue can search for it ... and find the answer. :)
sdad
January 5th, 2011, 00:58
Here's some notes I have from install:
IBM Netfinity 4000
2 500 MHZ PIII, 1 GB Ram, 2 9GB SCSI as 2 volumes,1 volume program partitions, 1 volume /var/log partition
FreeBSD 8, Minimal
IPFW Stateless Filter
SSH Remove and do local admin only admin port for remote logging
Using PPP over Ethernet (PPPoE)
WAN = PPPoE
LAN = 192.168.0.1
Admin = 192.168.23.1
Hostname = fw1.grand_ledge.us
At command prompt:
mkdir /var/log/ipfw
touch /var/log/ipfw/ipfw.log
chmod 600 /var/log/ipfw
chmod 600 /var/log/ipfw/ipfw.log
mv /etc/rc.firewall /etc/rc.firewall_orig #did this to see how ipfw handles rules files
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/sysctl.conf. By adding these statements, logging will be enabled on future reboots:
net.inet.ip.fw.enable=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/ppp/ppp.conf:
default:
set log +debug Phase tun command # remove +debug and clear /var/log/ppp.log when running correctly
enable dns
frontier:
set device PPPoE:fxp0
set ifaddr 10.0.0.1/0 10.0.0.2/0
set authname admin
set authkey password
set dial
add default HISADDR
set speed sync
set mru 1492
set mtu 1492
set ctsrts off
enable lqr
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/rc.conf file:
hostname=fw1.grand_ledge.us
gateway_enable="YES"
## Firewall ipfw
firewall_enable="YES"
#firewall_type="open"
## * open -- pass all traffic.
## * client -- will protect only this machine.
## * simple -- protect the whole network.
## * closed -- entirely disables IP traffic except for the loopback interface.
## * UNKNOWN -- disables the loading of firewall rules.
## * filename -- absolute path of file containing firewall rules.
## If firewall_type is set to either client or simple, the default rules found in /etc/rc.firewall
firewall_script="/etc/ipfw.rules"
## IPFW sample ruleset (found in /etc/rc.firewall)
## To get started cp /etc/rc.firewall /etc/ipfw.rules
## Do modification to ipfw.rules, not rc.firewall
firewall_logging="YES"
## log file: /var/log/ipfw/ipfw.log must set each rule for log to happen
## NAT No nat on this box--further downstream
#natd_enable="YES"
#natd_interface="fxp1"
#natd_flags=""
## Admin interface
ifconfig_dc0="inet 192.168.23.1 netmask 255.255.255.0"
## LAN interface
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"
## WAN interface (PPPoE)
ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES"
ppp_profile="frontier"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/ppp/ppp.linkup:
MYADDR:
delete all
add 0 0 HISADDR
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/syslog.conf
At bottom add:
!ipfw
*.* /var/log/ipfw/ipfw.log
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/newsyslog.conf
At bottom add:
/var/log/ipfw/ipfw.log 600 10 100 * JC
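Once the syslog.conf "!ipfw" stanza and net.inet.ip.fw.verbose=1 are in place, /var/log/ipfw/ipfw.log fills with one kernel line per logged packet, and verbose_limit=5 adds a "limit N reached on entry R" line when a rule stops logging. The script below is an added example, not from the thread or from FreeBSD: it summarises denied connections per source and destination port and counts how often the verbose limit cut a rule off. The log lines are constructed samples; the hostname, addresses and tun0 interface are assumptions.

```shell
#!/bin/sh
# Constructed sample of what ipfw writes to /var/log/ipfw/ipfw.log once
# net.inet.ip.fw.verbose=1 and the syslog.conf "!ipfw" stanza are active.
# The last line is what net.inet.ip.fw.verbose_limit=5 produces for rule 100.
SAMPLE_LOG='Jan  5 00:58:01 fw1 kernel: ipfw: 100 Deny TCP 203.0.113.7:51234 192.0.2.10:22 in via tun0
Jan  5 00:58:02 fw1 kernel: ipfw: 100 Deny TCP 203.0.113.7:51235 192.0.2.10:22 in via tun0
Jan  5 00:58:02 fw1 kernel: ipfw: 100 Deny TCP 198.51.100.4:40001 192.0.2.10:23 in via tun0
Jan  5 00:58:03 fw1 kernel: ipfw: 200 Accept TCP 192.168.0.15:33000 192.0.2.99:443 out via tun0
Jan  5 00:58:04 fw1 kernel: ipfw: limit 5 reached on entry 100'

# Print "count source_ip dest_port" for every Deny line, busiest source first.
# After stripping the syslog prefix the awk fields are:
#   $1=rule number  $2=action  $3=proto  $4=src:port  $5=dst:port
deny_summary() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /ipfw: [0-9]+ Deny / {
            sub(/.*ipfw: /, "")
            split($4, s, ":"); split($5, d, ":")
            n[s[1] " " d[2]]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Number of distinct source/port pairs that were denied.
deny_pairs() {
    deny_summary | awk 'END { print NR }'
}

# Count "limit N reached" lines: each one means verbose_limit silenced a rule,
# so the per-packet log for that rule is incomplete from that point on.
limit_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'ipfw: limit [0-9]* reached on entry'
}
```

Raise verbose_limit (or set it to 0 for unlimited) only on a box whose /var/log partition can absorb it; the thread's separate /var/log volume and the newsyslog rotation line above are what keep that safe.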