Solved IPFW firewall_logging strange behaviour

I am doing some network traffic debugging to configure IPFW rules, and I noticed strange behaviour when I enable the firewall_logging option.

I start my system and the configuration option is disabled:
Code:
odyssey # ~> grep firewal /etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logif="YES"
firewall_logging="NO"
I check it manually:
Code:
odyssey # ~> sysrc firewall_logging
firewall_logging: NO

My last IPFW rule (in /etc/ipfw.rules) is:
Code:
$cmd 60000 deny log all from any to any
So I don't log any packets to syslog (/var/log/security), but I can sniff them using the ipfw0 interface.

I change the logging parameter to YES and restart the IPFW service:
Code:
odyssey # ~> sysrc firewall_logging=YES
firewall_logging: NO -> YES
Code:
odyssey # ~> service ipfw restart
Firewall rules loaded.
ifconfig: interface ipfw0 already exists
Firewall logging pseudo-interface (ipfw0) created.
That way I log packets to syslog (/var/log/security):
Code:
May 15 12:51:24 odyssey kernel: ipfw: 60000 Deny TCP 192.168.69.4:36681 192.168.69.170:44 in via bge0
But if I disable it and restart the IPFW service, it continues logging:
Code:
odyssey # ~> sysrc firewall_logging=NO
firewall_logging: YES -> NO
Code:
odyssey # ~> service ipfw restart
Firewall rules loaded.
ifconfig: interface ipfw0 already exists
Firewall logging pseudo-interface (ipfw0) created.
It continues logging packet information:
Code:
May 15 12:52:45 odyssey kernel: ipfw: 60000 Deny TCP 192.168.69.4:32510 192.168.69.170:44 in via bge0

The only way to disable it is to set the parameter to NO and reboot the system.
Code:
odyssey # ~> sysrc firewall_logging=NO
firewall_logging: YES -> NO
Code:
odyssey # ~> shutdown -r now
Have I misunderstood anything? What am I doing wrong?

Best regards.
 
ipfw(8):
Code:
if the sysctl variable net.inet.ip.fw.verbose is set to 0 (default), one can
use bpf(4) attached to the ipfw0 pseudo interface.
Code:
If net.inet.ip.fw.verbose is set to 1, packets will be logged to syslogd(8)
with a LOG_SECURITY facility up to a maximum of logamount packets.  If no
logamount is specified, the limit is taken from the sysctl variable
net.inet.ip.fw.verbose_limit.  In both cases, a value of 0 means unlimited
logging.

From /etc/rc.d/ipfw:
Code:
        if checkyesno firewall_logging; then
                echo 'Firewall logging enabled.'
                ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
        fi

So, to turn off logging again, sysctl net.inet.ip.fw.verbose=0
 
That almost sounds like an enhancement for the ipfw script; if logging is not enabled, explicitly set the sysctl to 0.
 
From /etc/rc.d/ipfw:
Code:
        if checkyesno firewall_logging; then
                echo 'Firewall logging enabled.'
                ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
        fi

So, to turn off logging again, sysctl net.inet.ip.fw.verbose=0

So that checkyesno test needs an else clause, as in:
Code:
        if checkyesno firewall_logging; then
                echo 'Firewall logging enabled.'
                ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
        else
                echo 'Firewall logging disabled.'
                ${SYSCTL} net.inet.ip.fw.verbose=0 >/dev/null
        fi

kr0m's use case clearly not having been anticipated.

Caveats:
a) I'm in a rural hospital with limited mobile phone net access, so in no position to file a bug, and b) changes to any part of ipfw are notoriously difficult to achieve.

Later: this just enacts what mer proposed, that I'd earlier missed.
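An added example, not code from any poster in this thread or from the FreeBSD rc scripts: a POSIX sh check that reads firewall_logging from an rc.conf-style file (accepting the same spellings as rc.subr's checkyesno) and compares it with the live net.inet.ip.fw.verbose value, so the stale sysctl described above is caught without a reboot. The rc.conf path and the sysctl value are passed in as arguments (an assumption made so it runs on any host); on a FreeBSD box pass `$(sysctl -n net.inet.ip.fw.verbose)` as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile rc.conf's firewall_logging
# with the live net.inet.ip.fw.verbose sysctl, so a kernel left at verbose=1
# after firewall_logging was set back to NO is detected without rebooting.

# Same accepted spellings as rc.subr's checkyesno: YES/TRUE/ON/1, NO/FALSE/OFF/0.
# Prints the sysctl value the setting implies (1 or 0); returns 2 otherwise.
yesno_to_verbose() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|ON|1)  echo 1 ;;
        NO|FALSE|OFF|0) echo 0 ;;
        *) echo "unrecognised value: $1" >&2; return 2 ;;
    esac
}

# Extract firewall_logging=... from an rc.conf-style file. The last assignment
# wins, as it does when the real file is sourced; unset defaults to NO.
rcconf_logging() {
    v=$(sed -n "s/^[[:space:]]*firewall_logging=[\"']\{0,1\}\([^\"']*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-NO}"
}

# $1 = rc.conf path, $2 = live value of net.inet.ip.fw.verbose.
# Prints "ok", or a drift line with the sysctl command that fixes it; returns 1 on drift.
check_logging_drift() {
    want=$(yesno_to_verbose "$(rcconf_logging "$1")") || return 2
    if [ "$want" = "$2" ]; then
        echo ok
    else
        echo "drift: rc.conf wants $want, kernel has $2 (fix: sysctl net.inet.ip.fw.verbose=$want)"
        return 1
    fi
}

# Constructed rc.conf reproducing the thread's second state: logging switched back to NO.
demo_rcconf=$(mktemp)
cat >"$demo_rcconf" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logif="YES"
firewall_logging="NO"
EOF
# The kernel still reports 1 after 'service ipfw restart', as observed above.
check_logging_drift "$demo_rcconf" 1 || :
rm -f "$demo_rcconf"
```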
 