Solved IPFW Logging

I am sort of back at basics, just trying to keep the server semi-safe. I would like to see how well a rule is working or not working through the log. My rule is

Code:
$IPF 85 deny ip from "table(22)" to any keep-state log

I am not sure of my format.
 
OK, I worked out that is bad. Now using
Code:
$IPF 90 deny log ip from "table(22)" to any keep-state
but still no log activity.
 
Keeping state makes no sense if you're going to deny the traffic.

but still no log activity
Did you actually enable logging?
To enable logging through syslogd(8), include this line:

# sysrc firewall_logging="YES"

Another possibility is that the traffic is hitting an earlier rule and never reaches your rule 90 (thus never triggering it). The table might be empty too or doesn't include the address you're testing with.
 
I have engaged logging and my catchall seems to be doing most of the work. Thank you for the tip on keeping state; still not completely comfortable with that.


I thought about another rule based on "first rule wins", but my previous rules don't seem to be involved.

Code:
IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 15 allow tcp from any to any 9000 in setup keep-state
$IPF 10 allow tcp from any to any 9000 out setup keep-state
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
$IPF 85 deny log ip from "table(22)" to any keep-state
$IPF 90 deny log ip from "table(10)" to any keep-state

I am staring at number 70, but if catchall is working
Code:
ipfw: 500 Deny UDP 209.61.240.2:1985 224.0.0.102:1985 in via em0

then 70 wouldn't appear to be interfering.
 
OK, tweaked order and the like, and got the following to work:


Code:
$IPF 10 allow all from any to any via lo0
$IPF 11 deny log ip from "table(10)" to any
$IPF 15 allow ip from "table(1)" to any
$IPF 16 allow tcp from any to any 9000 in setup keep-state
$IPF 17 allow tcp from any to any 9000 out setup keep-state
$IPF 18 deny log ip from "table(22)" to any keep-state

$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any

Logging working fine for this rule.
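To see which rule is actually firing once logging is on (the question running through this thread), here is an added example, not from any post above: a POSIX shell helper that tallies ipfw deny log lines by rule number and by source address. The log line format is the one quoted in the thread; the rule numbers and addresses in the sample are constructed, and the ipfw_rule_hits / ipfw_rule_sources names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipfw log lines per rule
# number so you can see which rule is matching. Lines follow the format
# quoted above, with or without the syslog prefix, e.g.
#   ipfw: 500 Deny UDP 209.61.240.2:1985 224.0.0.102:1985 in via em0

# Constructed sample log excerpt (rule numbers 11, 18, 500 are assumed).
SAMPLE_LOG='ipfw: 500 Deny UDP 209.61.240.2:1985 224.0.0.102:1985 in via em0
ipfw: 11 Deny TCP 198.51.100.7:51234 203.0.113.5:9000 in via em0
ipfw: 11 Deny TCP 198.51.100.7:51235 203.0.113.5:22 in via em0
ipfw: 18 Deny TCP 192.0.2.44:4444 203.0.113.5:9000 in via em0
ipfw: 500 Deny UDP 209.61.240.2:1985 224.0.0.102:1985 in via em0
Sep  1 10:00:00 host kernel: ipfw: 11 Deny TCP 198.51.100.9:1024 203.0.113.5:9000 in via em0'

# ipfw_rule_hits: read log lines on stdin, print "rule action count",
# one line per rule/action pair, sorted by rule number.
ipfw_rule_hits() {
    awk '
        # find the "ipfw:" token wherever the syslog prefix leaves it;
        # the next two fields are the rule number and the action
        { for (i = 1; i <= NF; i++) if ($i == "ipfw:") {
              c[$(i+1) " " $(i+2)]++; break } }
        END { for (k in c) print k, c[k] }
    ' | sort -n
}

# ipfw_rule_sources: for one rule number, print "count source-address"
# (port stripped), most frequent source first.
ipfw_rule_sources() {
    awk -v r="$1" '
        { for (i = 1; i <= NF; i++) if ($i == "ipfw:" && $(i+1) == r) {
              src = $(i+4); sub(/:[0-9]+$/, "", src); s[src]++; break } }
        END { for (k in s) print s[k], k }
    ' | sort -rn
}

# Usage with the constructed sample; on a real box feed the log instead:
#   grep 'ipfw:' /var/log/security | ipfw_rule_hits
printf '%s\n' "$SAMPLE_LOG" | ipfw_rule_hits
printf '%s\n' "$SAMPLE_LOG" | ipfw_rule_sources 11
```

The log counts complement `ipfw -a list`, which shows per-rule packet and byte counters and so also reveals when an earlier rule is swallowing the traffic before it reaches a logged rule.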
 